Tommy

Reputation: 13

Authentication Grafana via JWT

I am new to Grafana and I want to use JWT authentication as described in the Grafana docs: https://grafana.com/docs/grafana/latest/auth/jwt/ How can I generally use the JWK to authenticate with an external identity provider? Specifically, which jwts endpoint do I have to use; is it the main base URL of my provider? And then the provided HTTP auth header?

My grafana.ini configuration file:

[auth.jwt]
enabled = true
header_name = X-JWT-HEADER
cache_ttl = 60m
jwk_set_url = https://$AUTH-PROVIDER-URL/
username_claim = user
email_claim = email

After restarting the Grafana server I see no changes on my Grafana login page and I can still log in only with the admin user. Should this work with such a configuration, or have I missed something?

Upvotes: 1

Views: 5087

Answers (2)

Christopher Suarez

Reputation: 160

Note that the auth.jwt is currently broken by design: https://github.com/grafana/grafana/issues/8198

Even if you get everything else right, it requires you to have prepopulated all accounts in Grafana. It should provide similar functionality to the auto-sign-up provided in auth.proxy. The whole argument for auth.jwt is to provide something similar to, but safer than, auth.proxy: https://cloud.google.com/iap/docs/identity-howto

Upvotes: 0

Tommy

Reputation: 13

@Ying.Zhao

The authentication with JWT didn't work due to some claim properties missing in the JSON web endpoint (JWKs URL). Alternatively, you can use the "auth generic" or proxy-auth for your OAuth login.

[auth.proxy]
enabled = true
# HTTP Header name that will contain the username or email
header_name = X_HEADER_NAME
header_property = username

Upvotes: 0
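
A preflight check for the failure mode discussed in this thread (a token whose claims do not match `username_claim` / `email_claim`, or a `jwk_set_url` that does not return a JWK Set), added here as an example and not taken from the question, the answers or Grafana's code. The function name `preflight`, the sample token and the sample key set are constructed for illustration; the script only inspects the token's shape and does not verify its signature.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, jwks, username_claim="user", email_claim="email", now=None):
    """Return a list of problems; [] means the token's shape fits the config.
    Diagnostic only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS: expected 3 dot-separated segments"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except (ValueError, TypeError) as exc:
        return [f"header/payload is not base64url JSON: {exc}"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header/payload is not a JSON object"]
    problems = []
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        problems.append("jwk_set_url response has no 'keys' array (not a JWK Set)")
    elif header.get("kid") not in {k.get("kid") for k in keys}:  # assumes the provider sets kid
        problems.append(f"no JWK with kid={header.get('kid')!r}")
    for name in (username_claim, email_claim):  # claim names from the question's grafana.ini
        if not claims.get(name):
            problems.append(f"claim {name!r} missing or empty")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= (now or time.time()):
        problems.append("token expired")
    return problems

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: a key set with a placeholder modulus, and a token lacking 'user'.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key-1", "n": "placeholder", "e": "AQAB"}]}
SAMPLE_TOKEN = ".".join([
    _seg({"alg": "RS256", "kid": "demo-key-1"}),
    _seg({"sub": "42", "email": "tommy@example.org", "exp": 4102444800}),
    "c2ln",  # dummy signature segment
])

if __name__ == "__main__":
    print(preflight(SAMPLE_TOKEN, SAMPLE_JWKS))
```

To use it against a real setup, pass the token your provider issues and the parsed JSON body returned by the URL configured as `jwk_set_url`.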
