1

I am new to Grafana and I want to use JWT authentication as described in the Grafana docs: https://grafana.com/docs/grafana/latest/auth/jwt/. How can I generally use the JWK to authenticate with an external identity provider? Specifically, which jwts endpoint do I have to use? Is it the main base URL of my provider? And then the provided HTTP auth header?

My grafana.ini configuration file:

[auth.jwt]
enabled = true
header_name = X-JWT-HEADER
cache_ttl = 60m
jwk_set_url = https://$AUTH-PROVIDER-URL/
username_claim = user
email_claim = email

After restarting the Grafana server I see no changes on my Grafana login page and I can still log in only with the admin user. Should this work with such a configuration, or have I missed something?

Tommy
  • I guess you want full OIDC https://grafana.com/docs/grafana/latest/auth/generic-oauth/, not just JWT, where you have to place JWT into header. – Jan Garaj Jun 29 '21 at 21:23
  • Hi, did you resolve this problem? Could you update your final solution? Many thanks. – Ying.Zhao Jul 15 '21 at 10:14

2 Answers

0

@Ying.Zhao

The authentication with JWT didn't work due to some missing claim properties in the JSON web endpoint (JWKS URL). Alternatively, you can use the "auth generic" or proxy-auth for your OAuth login.

[auth.proxy]
enabled = true
# HTTP Header name that will contain the username or email
header_name = X_HEADER_NAME
header_property = username
Tommy
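A diagnostic for the failure mode described in this answer, added here as an example (not part of the original post and not Grafana's own code): it decodes a token without verifying its signature and reports whether the claims named by username_claim and email_claim are present, and whether the token's kid matches a key in the JSON document that jwk_set_url is expected to return. The function names, the sample token and the sample JWK set are constructed for illustration.

```python
import base64, configparser, json

# Constructed sample input: a subset of the [auth.jwt] section from the question.
GRAFANA_INI = """
[auth.jwt]
enabled = true
header_name = X-JWT-HEADER
username_claim = user
email_claim = email
"""

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, jwks, ini_text=GRAFANA_INI):
    """Return a list of configuration problems; does NOT verify the signature."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    jwt_cfg = cfg["auth.jwt"]
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    problems = []
    # A JWK Set is a JSON object with a "keys" array; a bare base URL usually is not.
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        problems.append("jwk_set_url response has no 'keys' array")
    elif header.get("kid") not in [k.get("kid") for k in keys]:
        problems.append("token kid %r not in JWK set" % header.get("kid"))
    # Every claim the ini file maps to a user attribute must be in the token.
    for option in ("username_claim", "email_claim"):
        name = jwt_cfg.get(option)
        if name and not claims.get(name):
            problems.append("claim %r (%s) missing from token" % (name, option))
    return problems

def make_token(header, claims):
    """Build an unsigned, constructed sample token for the demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".sig"

if __name__ == "__main__":
    jwks = {"keys": [{"kty": "RSA", "kid": "key-1"}]}  # constructed JWK set
    token = make_token({"alg": "RS256", "kid": "key-1"}, {"sub": "42", "email": "a@example.com"})
    print(diagnose(token, jwks))
```
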
0

Note that the auth.jwt is currently broken by design: https://github.com/grafana/grafana/issues/8198

Even if you get everything else right, it requires you to have prepopulated all accounts in Grafana. It should provide functionality similar to the auto-sign-up provided in auth.proxy. The whole argument for auth.jwt is to provide something similar to, but safer than, auth.proxy: https://cloud.google.com/iap/docs/identity-howto