c2d3c90bc8
* Auth: check of auth_token in url and resolve user if present
* check if auth_token is passed in url
* Auth: Pass auth_token for request if present in path
* no need to decode token in index
* temp
* use loadURLToken and set authorization header
* cache token in memory and strip it from url
* Use loadURLToken
* Keep token in url
* strip sensitive query strings from url used by context logger
* adapt login by url to jwt token
* add jwt iframe devenv
* add jwt iframe devenv instructions
* add access note
* add test for cleaning request
* ensure jwt token is not carried into handlers
* do not reshuffle queries, might be important
* add correct db dump location
* prefer set token instead of cached token

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Files in this directory:
- cloak.sql
- docker-build-keycloak-m1-image.sh
- docker-compose.yaml
- jwks.json
- readme.md
OAUTH BLOCK
Devenv setup jwt auth
To launch the block, pass its source to make devenv. Example:
make devenv sources="jwt_proxy"
Here is the conf you need to add to your configuration file (conf/custom.ini):
[auth]
signout_redirect_url = http://127.0.0.1:8088/oauth2/sign_out
[auth.jwt]
enabled = true
enable_login_token = true
header_name = X-Forwarded-Access-Token
username_claim = login
email_claim = email
jwk_set_file = devenv/docker/blocks/oauth/jwks.json
cache_ttl = 60m
expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true
Access Grafana through:
http://127.0.0.1:8088
Devenv setup jwt auth iframe embedding
- Add the previous configuration and the following snippet to grafana.ini:
[security]
allow_embedding = true
- Create a dashboard and copy its UID
- Clone https://github.com/grafana/grafana-iframe-oauth-sample
- Change the dashboard URL in grafana-iframe-oauth-sample/src/pages/restricted.tsx to use the dashboard you created (keep the URL query values)
- Start the sample app from the grafana-iframe-oauth-sample folder with: yarn start
- Navigate to http://localhost:4200 and press "restricted area"
Note: You may need to grant the JWT user in Grafana access to the data sources and the dashboard.
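The configuration above makes Grafana accept the JWT either from the header named by header_name or, because enable_login_token is set, from the auth_token query parameter that the iframe sample passes in the dashboard URL, and then check the decoded token against expected_claims. The program below is an added illustration of that request flow and is not Grafana's own code: the function names, the constructed unsigned token and the dashboard UID "abc123" are assumptions. It shows the header taking precedence over the URL, the auth_token pair being stripped from the query without reordering the remaining parameters before the URL is passed on, and the iss/azp check from expected_claims. Signature verification against jwk_set_file is deliberately left out, so decodeClaims alone must never be treated as authentication.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Illustrative names only; this is not Grafana's implementation.
const (
	headerName    = "X-Forwarded-Access-Token" // header_name in [auth.jwt]
	urlTokenParam = "auth_token"               // query parameter accepted with enable_login_token = true
)

// expectedClaims mirrors the expected_claims setting in the readme.
var expectedClaims = map[string]string{
	"iss": "http://localhost:8087/auth/realms/grafana",
	"azp": "grafana-oauth",
}

// extractToken prefers the proxy-set header and falls back to the URL query
// parameter. fromURL tells the caller the URL still carries the token and
// must be scrubbed before it reaches logs or handlers.
func extractToken(r *http.Request) (token string, fromURL bool) {
	if v := r.Header.Get(headerName); v != "" {
		return v, false
	}
	return r.URL.Query().Get(urlTokenParam), true
}

// scrubQuery removes every auth_token pair from a raw query string while
// keeping the other parameters in their original order (url.Values would
// re-sort them, which dashboard links may not tolerate).
func scrubQuery(rawQuery string) string {
	var kept []string
	for _, part := range strings.Split(rawQuery, "&") {
		if part == "" {
			continue
		}
		key := part
		if i := strings.IndexByte(part, '='); i >= 0 {
			key = part[:i]
		}
		if k, err := url.QueryUnescape(key); err == nil && k == urlTokenParam {
			continue
		}
		kept = append(kept, part)
	}
	return strings.Join(kept, "&")
}

// decodeClaims parses the payload segment of a compact JWT. It does NOT
// verify the signature; in a real deployment that happens against the JWKS
// before any claim is trusted.
func decodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected three dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	return claims, nil
}

// checkExpectedClaims enforces expected_claims: each listed claim must be
// present and equal to the configured value.
func checkExpectedClaims(claims map[string]interface{}, expected map[string]string) error {
	for name, want := range expected {
		got, ok := claims[name].(string)
		if !ok || got != want {
			return fmt.Errorf("claim %q: got %v, want %q", name, claims[name], want)
		}
	}
	return nil
}

// resolveLogin runs the flow for one request and returns the login
// (username_claim = login) plus the URL that is safe to hand to handlers.
func resolveLogin(r *http.Request) (login string, safeURL string, err error) {
	token, fromURL := extractToken(r)
	if token == "" {
		return "", r.URL.String(), errors.New("no token in header or url")
	}
	claims, err := decodeClaims(token)
	if err != nil {
		return "", "", err
	}
	if err := checkExpectedClaims(claims, expectedClaims); err != nil {
		return "", "", err
	}
	login, _ = claims["login"].(string)
	if login == "" {
		return "", "", errors.New("username claim \"login\" missing")
	}
	u := *r.URL
	if fromURL {
		u.RawQuery = scrubQuery(u.RawQuery)
	}
	return login, u.String(), nil
}

// unsignedToken builds a constructed token for the demo; the third segment is
// a placeholder rather than a real signature.
func unsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
}

func main() {
	tok := unsignedToken(map[string]interface{}{
		"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth", "login": "jwt-viewer",
	})
	// constructed dashboard URL with the token in the query, as the iframe sample sends it
	r, _ := http.NewRequest("GET", "http://127.0.0.1:8088/d/abc123/demo?orgId=1&auth_token="+tok+"&kiosk", nil)
	login, safe, err := resolveLogin(r)
	fmt.Println(login, safe, err) // jwt-viewer http://127.0.0.1:8088/d/abc123/demo?orgId=1&kiosk <nil>
}
```

The scrubbed URL is what a context logger or downstream handler should see; the original query order is preserved because some dashboard links depend on it.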
Backing up keycloak DB
If you want to make changes to the devenv setup, you can dump keycloak's DB:
cd devenv;
docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/jwt_proxy/cloak.sql
Connecting to keycloak:
- keycloak admin: http://localhost:8087
- keycloak admin login: admin:admin
- grafana jwt viewer login: jwt-viewer:grafana
- grafana jwt editor login: jwt-editor:grafana
- grafana jwt admin login: jwt-admin:grafana
Troubleshooting
Mac M1 Users
The new arm64 architecture does not build for the latest docker image of keycloak. Refer to https://github.com/docker/for-mac/issues/5310 to see whether the issue has been resolved.
Until then you need to build the docker image locally and then run devenv.
- Remove any lingering keycloak image
$ docker rmi $(docker images --format '{{.Repository}}:{{.Tag}}' | grep keycloak)
- Build the keycloak image locally
$ ./docker-build-keycloak-m1-image.sh
- Start from the beginning of this readme