Hi,
I’m using oauth to do single sign in to grafana but single sign out doesn’t seem to work…
Is this implemented ?? or am I misconfiguring something ?
Thanx !
what do you mean single signout? does sign out not work? or do you want to be able to sign out from all devices from one login?
I’m combining multiple gui’s of which grafana is one, I’m using keycloak to do user authorization and authentication.
Sign out works from the grafana UI but I would like to sign out using keycloak.
I present the graphs from a site where I embed the graphs in an iframe.
As I only show the graph (not the menu, so not the logout button) it would be nice if grafana fully intergrated with keycloak.
So in short, I want to sign out of all “things” (cms, grafana, provisioning-server, vpn-server) with one button on the cms frontend and with the session timout in keycloak.
Hi Peter,
I’m also facing the same issue with keycloak. Were you able to resolve it? If so can you please share the approach.
Hi Aruna,
No, I didn’t resolve it yet…
As our users don’t share computers it’s also not a very big problem… so users just stay logged in till timeout.
Is single sign out implemented?
@jangaraj How this feature can be implemented, Is there any documentation for this?
Check your defaults.ini:
# URL to redirect the user to after sign out
signout_redirect_url =
Try to use your OAuth logout endpoint there. Another ref: https://github.com/grafana/grafana/issues/9847
@jangaraj How can I trigger signout_redirect_url from my application. I want grafana to be logged out When I logout of My application.
Sorry, this is a forum about Grafana and not about your application, so I can’t help you.
@jangaraj Is there any option to logout the user from the application by using API?
clearing cookie is not helping me to logout
Did anyone find a solution for this problem? I know keycloak has backchannel logouts which is something that grafana has to implement somehow to support this use case?
Any work around on this problem solution? I am still looking for solution.
I hesitate to revive an old thread, but recently also came across this exact issue and wanted to share at least one potential solution.
To recap, the specific situation is that a user signs in with SSO (e.g. Keycloak), and Grafana picks up the SSO token and issues its own grafana_session cookie that it then uses internally. If the user is signed out of SSO (but not specifically by using Grafana’s own “log out” button) the grafana_session cookie remains in place, though, so the user effectively remains signed into Grafana. This is especially problematic if Alice signs in, uses Grafana, then signs out of SSO, and Bob signs in. If Bob navigates to the Grafana instance he will still be signed in with Alice’s grafana_session, which is not great.
In principle removing the grafana_session cookie is sufficient to sign out the user. This cannot be done in pure JS since it’s an HttpOnly cookie, but there’s a better way that’s almost as simple.
The specific approach will depend on how your actual application is structured, but let’s assume that the user clicks “log out” somewhere in your application, and you are able to run some JS in the front end at that point. You can run the following:
const response = await fetch('<grafana_root_url>/logout', {
method: 'GET',
credentials: 'include',
redirect: 'manual'
});
To also ensure that the user is logged out of Grafana and the response will instruct the browser to clear the cookie. Optionally check the response code - should be 302, since after clearing its own session, Grafana will try to redirect the browser to the SSO logout flow. Presumably you don’t need or want that (because the user is in the SSO logout flow already), therefore we’ve set redirect: 'manual' to ensure the browser does not automatically follow the redirect.
1 Like