SSO Grafana & Keycloak problem redirect

Hi all,

I’m trying to set up SSO for Grafana with Keycloak.
When I click the “Sign in with OAuth” button on the Grafana login page, it redirects me correctly to the Keycloak login page.

So far so good, but when I enter the credentials in the Keycloak login, it keeps waiting and the redirection to Grafana does not take place. Nothing happens.

My grafana.ini settings are as follows:
[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = my_client_secret
scopes = email profile roles web-origins
;email_attribute_name = email:primary
;email_attribute_path =
auth_url = https://my_url/auth/realms/my_keycloak_realm/protocol/openid-connect/auth
token_url = https://my_url/auth/realms/my_keycloak_realm/protocol/openid-connect/token
api_url = https://my_url/auth/realms/my_keycloak_realm/protocol/openid-connect/userinfo
;allowed_domains =
;team_ids =
;allowed_organizations =
;role_attribute_path =
;tls_skip_verify_insecure = true
;tls_client_cert =
;tls_client_key =
;tls_client_ca =

Can someone tell me what I am configuring wrong so that it does not redirect me from Keycloak to Grafana?

Thank you in advance!

You can check this configuration item in grafana.ini and set it to your exact Grafana IP address. The default value is 127.0.0.1. I don’t know if this is the root cause, but I know Keycloak would use this value to redirect to Grafana after login.

# The public facing domain name used to access grafana from a browser
domain = 127.0.0.1

Hi zhouchi,

Yes, I checked this part of the file and the configuration is as follows:

[server]
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
http_addr = my_ip_graffana

# The http port to use
http_port = my_port_grafana

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
root_url = https://my_ip_grafana/

But nothing happens; it always stays on the Keycloak login page and never redirects to Grafana.

Thank you!

I don’t use http_addr, http_port and root_url. The following is my part of grafana.ini, and it works.

[server]
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
;http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = 192.168.1.10

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
;root_url = https://localhost:3000/grafana/

Could you share the Keycloak configuration? The problem may come from there, since the grafana.ini file is not different from yours.

Thank you in advance!
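
Added example, not part of the thread or of Grafana's own code: a small Python check that derives the `redirect_uri` Grafana sends for `[auth.generic_oauth]` from the `[server]` settings discussed above, and compares it with a Keycloak client's "Valid Redirect URIs" list. The sample ini text, the host name `grafana.example.test` and the function names are constructed for illustration.

```python
import configparser

# Grafana's built-in [server] defaults, used when a key is commented out.
SERVER_DEFAULTS = {
    "protocol": "http",
    "domain": "localhost",
    "http_port": "3000",
    "root_url": "%(protocol)s://%(domain)s:%(http_port)s/",
}
CALLBACK_PATH = "login/generic_oauth"  # callback path for [auth.generic_oauth]

# Constructed samples modelled on the two [server] blocks in the thread.
SAMPLE_DOMAIN_ONLY = """[server]
protocol = https
domain = 192.168.1.10
;root_url = https://localhost:3000/grafana/
"""
SAMPLE_ROOT_URL = """[server]
protocol = https
;domain = localhost
root_url = https://grafana.example.test/
"""


def oauth_redirect_uri(ini_text):
    """Return the redirect_uri Grafana builds from its effective root_url."""
    cp = configparser.ConfigParser()  # ';' and '#' lines are comments
    cp.read_dict({"server": SERVER_DEFAULTS})
    cp.read_string(ini_text)
    root_url = cp.get("server", "root_url")  # expands %(protocol)s etc.
    return root_url.rstrip("/") + "/" + CALLBACK_PATH


def is_registered(redirect_uri, valid_redirect_uris):
    """Match as Keycloak does: exact URI, or prefix when the entry ends in '*'."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


if __name__ == "__main__":
    # An exact entry is preferable to a broad wildcard in the Keycloak client.
    registered = ["https://grafana.example.test/login/generic_oauth"]
    for name, ini in (("domain only", SAMPLE_DOMAIN_ONLY), ("root_url", SAMPLE_ROOT_URL)):
        uri = oauth_redirect_uri(ini)
        print(name, uri, "registered" if is_registered(uri, registered) else "NOT registered")
```

If the computed URI is not covered by the client's Valid Redirect URIs, or points at a host the browser cannot reach (such as the default `localhost`), the login cannot return to Grafana.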