Hi there,
First, one substitution, as only two links are allowed for a new user:
LINK == https://xx.yy.z-zz.net/
DOMAIN == xx.yy.z-zz.net/
-
What Grafana version and what operating system are you using?
-
v7.5.8 (0184ed92b5), deployed in k3s within OTC cloud
-
What are you trying to achieve?
Use Keycloak as SSO for Grafana authentication.
Can you copy/paste the configuration(s) that you are having problems with?
grafana.ini (as a ConfigMap, key `grafana.ini: >`):

```ini
[analytics]
check_for_updates = true
[auth]
disable_login_form = false
[auth.anonymous]
enabled = true
org_role = Viewer
[auth.basic]
enabled = false
[dashboards]
default_home_dashboard_path = /tmp/dashboards/rancher-default-home.json
[grafana_net]
url = grafanaDOTnet
[log]
mode = console file
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[security]
allow_embedding = true
cookie_secure = true
cookie_samesite = none
[users]
auto_assign_org_role = Viewer
[server]
root_url = **LINK**
domain = **DOMAIN**
[auth.generic_oauth]
enabled = true
tls_skip_verify_insecure = false
name = Keycloak
allow_sign_up = true
client_id = **DOMAIN**
client_secret = xxxxxxxxxxxxxxxxxxxxxx
scopes = roles
auth_url = **LINK**/keycloak/realms/master/protocol/openid-connect/auth
token_url = **LINK**/keycloak/realms/master/protocol/openid-connect/token
api_url = **LINK**/keycloak/realms/master/protocol/openid-connect/userinfo
role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
```
In Keycloak:
- Client ID: DOMAIN
- Client Protocol: openid-connect
- Access Type: confidential
- Standard Flow: ON
- Direct Access Grants Enabled: ON
- Root URL: LINK
- Valid Redirect URIs: LINK/login/generic_oauth
- Base URL: /login/generic_oauth
- Roles: admin
- Mappers: I tried Client and also Realm roles
- Users: admin → role mappings: admin
So, after editing grafana.ini I was able to get the button to Keycloak; after clicking it I am redirected to the Keycloak login page:
Request cookies:
|AUTH_SESSION_ID| a198f18f-baca-4f6a-89a8-6df71ff99f01
|AUTH_SESSION_ID_LEGACY| a198f18f-baca-4f6a-89a8-6df71ff99f01
|KC_RESTART| eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6IC
Response cookies:
|KC_RESTART| eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6
After typing the admin/password credentials I am stuck with:
Response cookies: → no values
Also there are two items under the header names with errors:
Error 302:
LINK/keycloak/realms/master/login-actions/authenticate?session_code=-6SnbUah3KOfW_3gmA_epkg_8VFjOxabkcNIAMD3a6I&execution=4d0592e9-cf80-45a3-99ec-369bfc3f2243&client_id=DOMAIN&tab_id=eI110lwrIeE
Response headers:
LINK/login/generic_oauth?state=ToGwkt81MA5mAuiji8Yn0LZXeblG-a1WIfUh8cLuNOA=&session_state=a198f18f-baca-4f6a-89a8-6df71ff99f01&code=234f3b7c-51ba-4444-9a81-c138b7234203.a198f18f-baca-4f6a-89a8-6df71ff99f01.a1314508-1498-4209-a44d-3a26edde4f10
Error 500:
LINK/login/generic_oauth?state=ToGwkt81MA5mAuiji8Yn0LZXeblG-a1WIfUh8cLuNOA=&session_state=a198f18f-baca-4f6a-89a8-6df71ff99f01&code=234f3b7c-51ba-4444-9a81-c138b7234203.a198f18f-baca-4f6a-89a8-6df71ff99f01.a1314508-1498-4209-a44d-3a26edde4f10
Response headers:
oauth_state=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=None
In the cookies tab there is again no value for the response…
Request cookies:
redirect_to %2F%3ForgId%3D1
oauth_state d937bc3f4644ad1fc487a235593f9356ebc0021459c4…
Response cookies:
oauth_state nothing
UI shows: login.OAuthLogin(NewTransportWithCode)
After refreshing the page:
UI shows: login.OAuthLogin(missing saved state)
and in the headers only the error 500 stays, with no cookie again:
Request cookies:
redirect_to %2F%3ForgId%3D1
Response cookies:
oauth_state nothing
I tried several changes within grafana.ini but still nothing…
Would you have any advice, please?
Thanks a lot.
One more thing:
when I put in the address bar:
api_url = LINK:/keycloak/realms/master/protocol/openid-connect/userinfo
I get:
{"error":"invalid_request","error_description":"Token not provided"}
Maybe updating Keycloak would help?
https://www.keycloak.org/2022/09/keycloak-1902-released
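The two UI messages above, `missing saved state` and the empty `oauth_state` response cookie, both concern the OAuth `state` round trip: the relying party stores a digest of the random `state` in a cookie before redirecting to the IdP, and the callback is only accepted if the `state` echoed back matches that cookie. The following is an added example, not code from the original post and not Grafana's or Keycloak's own implementation; it is a toy model of that check in Python. Hostnames, the client id, the digest scheme and the `Browser` cookie jar are assumptions of the example; the only browser behaviour it models is that a `Secure` cookie is kept only over https and that `SameSite=None` requires `Secure`, which is why the relying-party cookie can silently vanish between the redirect and the callback.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; assumptions, not the poster's real hosts.
ROOT_URL = "https://grafana.example.test"
AUTH_URL = ROOT_URL + "/keycloak/realms/master/protocol/openid-connect/auth"
CLIENT_ID = "grafana-example"
STATE_COOKIE = "oauth_state"


class Browser:
    """Tiny cookie jar enforcing two real browser rules that decide whether the
    state cookie survives the round trip: a Secure cookie is only kept when the
    page is served over https, and a SameSite=None cookie must also be Secure."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, name, value, *, secure, samesite, over_https):
        if secure and not over_https:
            return False  # Secure cookie on an http page: browser drops it
        if samesite.lower() == "none" and not secure:
            return False  # SameSite=None without Secure: browser rejects it
        self.jar[name] = value
        return True

    def get_cookie(self, name):
        return self.jar.get(name)


def hash_state(state):
    """The cookie stores a digest of the state, never the raw state (assumed scheme)."""
    return hashlib.sha256(state.encode()).hexdigest()


def begin_login(browser, *, over_https, cookie_secure, cookie_samesite):
    """Step 1 (relying party): mint a random state, remember its digest in a
    cookie and send the browser to the IdP with the state in the query."""
    state = secrets.token_urlsafe(32)
    browser.set_cookie(STATE_COOKIE, hash_state(state),
                       secure=cookie_secure, samesite=cookie_samesite,
                       over_https=over_https)
    query = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": ROOT_URL + "/login/generic_oauth",
        "scope": "openid roles",
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(query)


def idp_redirect(auth_url, code="constructed-auth-code"):
    """Step 2 (stand-in for Keycloak): after login, echo the state back to the
    redirect_uri together with an authorization code."""
    q = parse_qs(urlparse(auth_url).query)
    return q["redirect_uri"][0] + "?" + urlencode({"state": q["state"][0], "code": code})


def handle_callback(browser, callback_url):
    """Step 3 (relying party): exchange the code only if the state in the URL
    matches the digest saved in the cookie. Returns 'ok' or the rejection reason."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    saved = browser.get_cookie(STATE_COOKIE)
    if not saved:
        return "missing saved state"   # cookie never stored, or not sent back
    if not secrets.compare_digest(saved, hash_state(state)):
        return "state mismatch"        # forged or replayed callback
    browser.jar.pop(STATE_COOKIE, None)  # state is single-use
    return "ok"


def run_scenario(*, over_https=True, cookie_secure=True, cookie_samesite="none", tamper=False):
    """Drive one full round trip under the given cookie settings."""
    browser = Browser()
    auth_url = begin_login(browser, over_https=over_https,
                           cookie_secure=cookie_secure, cookie_samesite=cookie_samesite)
    callback = idp_redirect(auth_url)
    if tamper:
        callback = callback.replace("state=", "state=x", 1)  # attacker alters the state
    return handle_callback(browser, callback)


if __name__ == "__main__":
    for kw in ({}, {"over_https": False}, {"cookie_secure": False}, {"tamper": True}):
        print(kw or {"defaults": "https, Secure, SameSite=None"}, "->", run_scenario(**kw))
```

The model shows that `cookie_secure = true` with `cookie_samesite = none`, the combination in the grafana.ini above, only works when the browser sees the Grafana origin over https (including when TLS is terminated by a proxy in front of it); over plain http the `Secure` cookie is never stored, so the callback arrives without a saved state and is rejected even though the IdP side completed normally. A tampered `state` is rejected separately as a mismatch.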