mirror of
https://github.com/grafana/grafana.git
synced 2024-11-30 12:44:10 -06:00
b79b53cbdb
* JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> |
||
|---|---|---|
| .. | ||
| cloak.sql | ||
| docker-build-keycloak-m1-image.sh | ||
| docker-compose.yaml | ||
| jwks.json | ||
| readme.md | ||
OAUTH BLOCK
Devenv setup oauth
To launch the block, use the oauth source. Ex:
make devenv sources="oauth"
Here is the conf you need to add to your configuration file (conf/custom.ini):
[auth]
signout_redirect_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogin
[auth.generic_oauth]
enabled = true
name = Keycloak-OAuth
allow_sign_up = true
client_id = grafana-oauth
client_secret = d17b9ea9-bcb1-43d2-b132-d339e55872a8
empty_scopes = true
email_attribute_path = email
login_attribute_path = login
name_attribute_path = name
auth_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/auth
token_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/token
api_url = http://localhost:8087/auth/realms/grafana/protocol/openid-connect/userinfo
role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
Devenv setup jwt auth
To launch the block, use the oauth source. Ex:
make devenv sources="oauth"
Here is the conf you need to add to your configuration file (conf/custom.ini):
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
username_claim = login
email_claim = email
jwk_set_file = devenv/docker/blocks/oauth/jwks.json
cache_ttl = 60m
expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true
You can obtain a jwt token by using the following command for oauth-admin:
curl --request POST \
--url http://localhost:8087/auth/realms/grafana/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=grafana-oauth \
--data grant_type=password \
--data client_secret=d17b9ea9-bcb1-43d2-b132-d339e55872a8 \
--data scope=openid \
--data username=oauth-admin \
--data password=grafana
Grafana call example:
curl --request GET \
--url http://127.0.0.1:3000/api/folders \
--header 'Accept: application/json' \
--header 'X-JWT-Assertion: eyJ......'
Alternative devenv setup jwk_set_url
Run a reverse proxy pointing to the jwk_set_url (only an https-uri can be used as jwk_set_url).
Ex (using localtunnel):
npx localtunnel --port 8087
And using the following conf:
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
username_claim = login
email_claim = email
jwk_set_url = <YOUR REVERSE PROXY URL>/auth/realms/grafana/protocol/openid-connect/certs
cache_ttl = 60m
expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true
Backing up keycloak DB
In case you want to make changes to the devenv setup, you can dump keycloack's DB:
cd devenv;
docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/oauth/cloak.sql
Connecting to keycloack:
- keycloak admin: http://localhost:8087
- keycloak admin login: admin:admin
- grafana oauth viewer login: oauth-viewer:grafana
- grafana oauth editor login: oauth-editor:grafana
- grafana oauth admin login: oauth-admin:grafana
Troubleshooting
Mac M1 Users
The new arm64 architecture does not build for the latest docker image of keycloack. Refer to https://github.com/docker/for-mac/issues/5310 for the issue to see if it resolved.
Until then you need to build the docker image locally and then run devenv.
- Remove any lingering keycloack image
$ docker rmi $(docker images | grep 'keycloack')
- Build keycloack image locally
$ ./docker-build-keycloack-m1-image.sh
- Start from beginning of this readme