IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Auth: support JWT Authentication (#29995)

Browse Source
This commit is contained in:
Vladimir Kochnev
2021-03-31 15:40:44 +00:00
committed by GitHub
parent 1446d094b8
commit 39a3b0d0b0
22 changed files with 1444 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/sources/administration/configuration.md
View File

@@ -799,6 +799,12 @@ Use the [List Metrics API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/A
<hr />
## [auth.jwt]
Refer to [JWT authentication]({{< relref "../auth/jwt.md" >}}) for more information.
<hr />
## [smtp]
Email server settings.

2
docs/sources/auth/grafana.md
View File

@@ -103,7 +103,7 @@ oauth_auto_login = true
### Hide sign-out menu
Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.
Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy or JWT authentication.
```bash
[auth]

92
docs/sources/auth/jwt.md Normal file
View File

@@ -0,0 +1,92 @@
+++
title = "JWT Authentication"
description = "Grafana JWT Authentication"
keywords = ["grafana", "configuration", "documentation", "jwt", "jwk"]
weight = 250
+++
# JWT authentication
You can configure Grafana to accept a JWT token provided in the HTTP header. The token is verified using any of the following:
- PEM-encoded key file
- JSON Web Key Set (JWKS) in a local file
- JWKS provided by the configured JWKS endpoint
## Enable JWT
To use JWT authentication:
1. Enable JWT in the [main config file]({{< relref "../administration/configuration.md" >}}).
1. Specify the header name that contains a token.
```ini
[auth.jwt]
# By default, auth.jwt is disabled.
enabled = true
# HTTP header to look into to get a JWT token.
header_name = X-JWT-Assertion
```
## Configure login claim
To identify the user, some of the claims needs to be selected as a login info. You could specify a claim that contains either a username or an email of the Grafana user.
Typically, the subject claim called `"sub"` would be used as a login but it might also be set to some application specific claim.
```ini
# [auth.jwt]
# ...
# Specify a claim to use as a username to sign in.
username_claim = sub
# Specify a claim to use as an email to sign in.
email_claim = sub
```
## Signature verification
JSON web token integrity needs to be verified so cryptographic signature is used for this purpose. So we expect that every token must be signed with some known cryptographic key.
You have a variety of options on how to specify where the keys are located.
### Verify token using a JSON Web Key Set loaded from https endpoint
For more information on JWKS endpoints, refer to [Auth0 docs](https://auth0.com/docs/tokens/json-web-tokens/json-web-key-sets).
```ini
# [auth.jwt]
# ...
jwk_set_url = https://your-auth-provider.example.com/.well-known/jwks.json
# Cache TTL for data loaded from http endpoint.
cache_ttl = 60m
```
### Verify token using a JSON Web Key Set loaded from JSON file
Key set in the same format as in JWKS endpoint but located on disk.
```ini
jwk_set_file = /path/to/jwks.json
```
### Verify token using a single key loaded from PEM-encoded file
PEM-encoded key file in PKIX, PKCS #1, PKCS #8 or SEC 1 format.
```ini
key_file = /path/to/key.pem
```
## Validate claims
By default, only `"exp"`, `"nbf"` and `"iat"` claims are validated.
You might also want to validate that other claims are really what you expect them to be.
```ini
# This can be seen as a required "subset" of a JWT Claims Set.
expect_claims = {"iss": "https://your-token-issuer", "your-custom-claim": "foo"}
```

3
docs/sources/auth/overview.md
View File

@@ -18,6 +18,7 @@ Provider | Support | Role mapping | Team sync<br> *(Enterprise only)* | Active s
[GitHub OAuth]({{< relref "github.md" >}}) | v2.0+ | - | v6.3+ | -
[GitLab OAuth]({{< relref "gitlab.md" >}}) | v5.3+ | - | v6.4+ | -
[Google OAuth]({{< relref "google.md" >}}) | v2.0+ | - | - | -
[JWT]({{< relref "jwt.md" >}}) | v8.0+ | - | - | -
[LDAP]({{< relref "ldap.md" >}}) | v2.1+ | v2.1+ | v5.3+ | v6.3+
[Okta OAuth]({{< relref "okta.md" >}}) | v7.0+ | v7.0+ | v7.0+ | -
[SAML]({{< relref "../enterprise/saml.md" >}}) (Enterprise only) | v6.3+ | v7.0+ | v7.0+ | -
@@ -122,7 +123,7 @@ oauth_auto_login = true
### Hide sign-out menu
Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.
Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy or JWT authentication.
```bash
[auth]