grafana/devenv/docker/blocks/jwt_proxy
Jo c2d3c90bc8
Auth: Implement Token URL JWT Auth (#52662)
* Auth: check of auth_token in url and resolve user if present

* check if auth_token is passed in url

* Auth: Pass auth_token for request if present in path

* no need to decode token in index

* temp

* use loadURLToken and set authorization header

* cache token in memory and strip it from url

* Use loadURLToken

* Keep token in url

* strip sensitive query strings from url used by context logger

* adapt login by url to jwt token

* add jwt iframe devenv

* add jwt iframe devenv instructions

* add access note

* add test for cleaning request

* ensure jwt token is not carried into handlers

* do not reshuffle queries, might be important

* add correct db dump location

* prefer set token instead of cached token

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-07-27 16:10:47 +02:00
..
cloak.sql Auth: Implement Token URL JWT Auth (#52662) 2022-07-27 16:10:47 +02:00
docker-build-keycloak-m1-image.sh JWT: Add JWT proxy setup devenv (#51731) 2022-07-07 10:28:04 -04:00
docker-compose.yaml JWT: Add JWT proxy setup devenv (#51731) 2022-07-07 10:28:04 -04:00
jwks.json JWT: Add JWT proxy setup devenv (#51731) 2022-07-07 10:28:04 -04:00
readme.md Auth: Implement Token URL JWT Auth (#52662) 2022-07-27 16:10:47 +02:00

OAUTH BLOCK

Devenv setup jwt auth

To launch the block, use the oauth source. Ex:

make devenv sources="jwt_proxy"

Here is the conf you need to add to your configuration file (conf/custom.ini):

[auth]
signout_redirect_url = http://127.0.0.1:8088/oauth2/sign_out

[auth.jwt]
enabled = true
enable_login_token = true
header_name = X-Forwarded-Access-Token
username_claim = login
email_claim = email
jwk_set_file = devenv/docker/blocks/oauth/jwks.json
cache_ttl = 60m
expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true

Access Grafana through:

http://127.0.0.1:8088

Devenv setup jwt auth iframe embedding

  • Add previous configuration and next snippet to grafana.ini
[security]
allow_embedding = true

Note: You may need to grant the JWT user in grafana access to the datasources and the dashboard

Backing up keycloak DB

In case you want to make changes to the devenv setup, you can dump keycloack's DB:

cd devenv;
docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/jwt_proxy/cloak.sql

Connecting to keycloack:

  • keycloak admin: http://localhost:8087
  • keycloak admin login: admin:admin
  • grafana jwt viewer login: jwt-viewer:grafana
  • grafana jwt editor login: jwt-editor:grafana
  • grafana jwt admin login: jwt-admin:grafana

Troubleshooting

Mac M1 Users

The new arm64 architecture does not build for the latest docker image of keycloack. Refer to https://github.com/docker/for-mac/issues/5310 for the issue to see if it resolved. Until then you need to build the docker image locally and then run devenv.

  1. Remove any lingering keycloack image
$ docker rmi $(docker images | grep 'keycloack')
  1. Build keycloack image locally
$ ./docker-build-keycloack-m1-image.sh
  1. Start from beginning of this readme