SSO Grafana & Keycloak problem redirect

sergiomoritacorral · April 15, 2021, 3:49pm

Hi all,

I’m trying to setup the SSO of grafana with keycloak.
When I click on the button “Sign in with OAuth” in the login page grafanna, it me redirect well to the Keycloak login page.

So far so good, but when I enter the credentials in the keycloak login, it keeps waiting and the redirection to grafana does not take place. Nothing happens.

My grafana.ini settings is as follows:
[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = my_client_secret
scopes = email profile roles web-origins
;email_attribute_name = email:primary
;email_attribute_path =
auth_url = https://my_url/auth/realms/my_keycloak_realm/protocol/openid-connect/auth
token_url = https://my_url/auth/realms/my_keycloak_realm/protocol/openid-connect/token
api_url = https://my_url/auth/realms/my_keycloak_realm/protocol/openid-connect/userinfo
;allowed_domains =
;team_ids =
;allowed_organizations =
;role_attribute_path =
;tls_skip_verify_insecure = true
;tls_client_cert =
;tls_client_key =
;tls_client_ca =

Can someone tell me what I am configuring wrong so that it does not redirect me from keycloak to grafana?

Thank you in advance!

zhouchi · April 16, 2021, 7:02am

you can check this configuration item in grafana.ini and set it to your exact grafana IP address, default value is 127.0.0.1, I don’t know is this root reason, I know keycloak would use this value redirect to grafana after login.

The public facing domain name used to access grafana from a browser

domain = 127.0.0.1

sergiomoritacorral · April 16, 2021, 10:23am

Hi zhouchi,

Yes, I checked this part of the file and the configuration is as follows:

[server]
0. Protocol (http, https, h2, socket)
protocol = https

1.The ip address to bind to, empty will bind to all interfaces
http_addr = my_ip_graffana

2.The http port to use
http_port = my_port_grafana

3.The public facing domain name used to access grafana from a browser
;domain = localhost

4.Redirect to correct domain if host header does not match domain
Prevents DNS rebinding attacks
;enforce_domain = false

The full public facing url you use in browser, used for redirects and emails
If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
root_url = https://my_ip_grafana/

but nothing happens, it always stays on the keycloak login page and never redirects to grafana.

Thank you!

zhouchi · April 16, 2021, 11:01am

I don’t use http_addr,http_port and root_url, the following is my part in grafana.ini, it can work.

[server]

Protocol (http, https, h2, socket)

protocol = https

The ip address to bind to, empty will bind to all interfaces

;http_addr =

The http port to use

;http_port = 3000

The public facing domain name used to access grafana from a browser

domain = 192.168.1.10

Redirect to correct domain if host header does not match domain

Prevents DNS rebinding attacks

;enforce_domain = false

The full public facing url you use in browser, used for redirects and emails

If you use reverse proxy and sub path specify full url (with sub path)

;root_url = https://community.grafana.com/grafana/

sergiomoritacorral · April 16, 2021, 11:22am

could you share the keycloak configuration? in case the problem can come from there since the grafana.ini file is not different from yours.

Thank you in advance!

system · April 15, 2022, 3:50pm

This topic was automatically closed after 365 days. New replies are no longer allowed.