Problems setting up SSO with Keycloak

I’m struggling setting up generic OAuth login with Keycloak.

After clicking on the Sign in with OAuth button, I land on the Keycloak login screen, and after giving my username and password, I get redirected back to grafana, but with a server error message:

login.OAuthLogin(NewTransportWithCode)

In grafana logs I found:

t=2020-04-13T15:44:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=10.2.2.100 time_ms=0 size=319 referer=https://grafana.local/login
t=2020-04-13T15:44:59+0000 lvl=info msg="state check" logger=oauth queryState=fb3e8c188015af24e639a2175612132d00560b7c93caaf7e33fb86b21b9ccdec cookieState=fb3e8c188015af24e639a2175612132d00560b7c93caaf7e33fb86b21b9ccdec
t=2020-04-13T15:44:59+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_client\",\"error_description\":\"Parameter client_assertion_type is missing\"}"
t=2020-04-13T15:44:59+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=10.2.2.100 time_ms=86 size=1743 referer="https://sso.mypublicdomain.com/realms/REALM/login-actions/authenticate?execution=810b04a5-6399-40ff-bf8c-81b163cb3774&client_id=grafana&tab_id=hE_zVm648ZA"

I haven’t found anything useful on the topic of the missing client_assertion_type error. I’m out of ideas on how to fix this problem.

My grafana configuration looks like this:

instance_name = grafana.local

[server]
root_url = https://grafana.local

[security]
admin_user = admin
admin_password = PASSWORD

[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = CLIENT_SECRET_FROM_KEYCLOAK
email_attribute_name = email:primary
scopes = openid profile email
auth_url = https://sso.mypublicdomain.com/auth/realms/REALM/protocol/openid-connect/auth
token_url = https://sso.mypublicdomain.com/auth/realms/REALM/protocol/openid-connect/token
api_url = https://sso.mypublicdomain.com/auth/realms/REALM/protocol/openid-connect/userinfo
allow_sign_up = false

Not sure it’s relevant for this case, but both keycloak and grafana are behind a proxy that handles TLS termination.

It looks like you have configured Signed JWT or Signed JWT with Client Secret for client authentication in Keycloak. Use simple Client Id and Secret.
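
For anyone who lands here with the same error later: the following is an added example, not code from this thread or from Grafana, that parses Grafana's logfmt output, pulls the Keycloak error body out of the error= field, and maps the "Parameter client_assertion_type is missing" rejection to the client-authenticator mismatch described in the answer above. The sample log lines are constructed from the ones posted earlier (state hashes shortened).

```python
import json
import re

# Constructed sample, modelled on the Grafana log lines posted above.
SAMPLE_LOG = r'''t=2020-04-13T15:44:59+0000 lvl=info msg="state check" logger=oauth queryState=fb3e8c cookieState=fb3e8c
t=2020-04-13T15:44:59+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_client\",\"error_description\":\"Parameter client_assertion_type is missing\"}"
t=2020-04-13T15:44:59+0000 lvl=eror msg="Request Completed" logger=context status=500 path=/login/generic_oauth'''

# One logfmt token: key=value, where value is bare or a double-quoted string
# with backslash escapes (Grafana uses Go's strconv quoting, which json.loads
# understands for the escapes that occur here).
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Token-endpoint rejections that point at a Keycloak client setting rather
# than a wrong secret. Grafana's [auth.generic_oauth] only ever sends
# client_id + client_secret, so a demand for a client_assertion (RFC 7523
# JWT client authentication) can never be satisfied from the Grafana side.
_HINTS = {
    "client_assertion_type": "Keycloak client authenticator is 'Signed JWT' or "
    "'Signed JWT with Client Secret'; set it to 'Client Id and Secret'",
}

def parse_logfmt(line):
    """Split one Grafana log line into a dict, unescaping quoted values."""
    return {k: json.loads(v) if v.startswith('"') else v
            for k, v in _TOKEN.findall(line)}

def extract_oauth_error(record):
    """Return the JSON body the IdP sent back, if this is a failed token fetch."""
    err = record.get("error", "")
    if "cannot fetch token" not in err or "Response: " not in err:
        return None
    try:
        return json.loads(err.split("Response: ", 1)[1])
    except json.JSONDecodeError:
        return None

def diagnose(log_text):
    """List (error, error_description, hint) for every failed token exchange."""
    findings = []
    for line in log_text.splitlines():
        body = extract_oauth_error(parse_logfmt(line))
        if not body:
            continue
        desc = body.get("error_description", "")
        hint = next((h for needle, h in _HINTS.items() if needle in desc),
                    "check client_id, client_secret and token_url")
        findings.append((body.get("error"), desc, hint))
    return findings
```

Run `diagnose(SAMPLE_LOG)` (or feed it your own grafana.log) to get one tuple per rejected token exchange; anything not in `_HINTS` falls back to the generic credentials/token_url check.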

Thanks. That was the problem. It works now.

Hi @jangaraj and @intruz,

While setting up Keycloak with Grafana, I am facing issues; could you please help me with this?

I have configured both grafana as well as keycloak.

While accessing Grafana, the Grafana URL redirects to Keycloak, and after entering the credentials Keycloak authenticates; however, after authenticating it does not redirect to Grafana, it stays on the Keycloak page itself.

Setup in Keycloak: