Eli Halych

Reputation: 635

Grafana OAuth with Keycloak

I am using helm charts. During the deploy process, I override values as below:

auth.generic_oauth:  # for SSO
      groups_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
      enabled: true
      name: Keycloak
      allow_sign_up: false
      client_id: grafana
      client_secret: CLIENT_SECRET
      scopes: openid,email,profile,groups
      team_ids:
      allowed_organizations:
      auth_url: AUTH_URL
      token_url: TOKEN_URL
      api_url: API_URL
      tls_skip_verify_insecure: true

In Keycloak, I create a client, a client scope, a group mapper in the client scope, and a group, and assign the GrafanaAdmins group to a user.

What I want to achieve is to be able to log in to Grafana with a user defined in Keycloak that is also assigned the GrafanaAdmins group.

What I have is this error:

t=2021-12-27T13:32:18+0000 lvl=warn msg="Not allowing oauth_generic_oauth login, user not found in internal user database and allow signup = false"
t=2021-12-27T13:32:18+0000 lvl=eror msg="invalid username or password" logger=context userId=0 orgId=0 uname=

I don't want to sign up new users, nor do I want to use an additional database. It should use Keycloak.

The Grafana documentation is not very descriptive, and it is hard to get around it.

Upvotes: 0

Views: 4053

Answers (1)

Jan Garaj

Reputation: 28676

You have a few problems:

  1. Grafana documentation is clear:

     Groups mapping: Available in Grafana Enterprise v8.1 and later versions.

     You are using Grafana 7.1.5 and I guess also free OSS Grafana (not a paid enterprise version, where a license is required), so group mapping (config groups_attribute_path) is not possible in your case.

  2. You are also mixing Grafana role mapping (role_attribute_path) with Grafana group mapping (groups_attribute_path). Please note role != group. So I guess you wanted:

     role_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'

     instead of:

     groups_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'

  3. Grafana creates internal users based on the OIDC response, so you want to sign up new users in the auth.generic_oauth section:

     allow_sign_up: true

  4. I bet your scopes config has wrong syntax and it should be:

     scopes: openid email profile groups

Generally, you are using groups in the Keycloak to map roles in the Grafana. It is possible, but better logic will be to use roles in the Keycloak to map roles in the Grafana. Keycloak/Grafana have concept roles/groups and it is up to you how will you use them for your users. I would start with basic roles concept first.

Upvotes: 1
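The following is an added example, not code from the question, the answer, or Grafana itself. It models the two decisions the thread turns on: whether a generic OAuth login is accepted at all (an existing internal user, or allow_sign_up permitting a new one, which is what the "user not found in internal user database and allow signup = false" warning is about), and which organization role the user then gets from the role_attribute_path expression the answer proposes. The JMESPath expression is re-implemented by hand so the script runs without the jmespath package; Grafana evaluates it with a real JMESPath engine. The user table, the claims and the OAuthConfig class are constructed sample data and assumed names.

```python
from dataclasses import dataclass

# Group name taken from the question; everything else below is constructed.
ADMIN_GROUP = "GrafanaAdmins"

# Log message Grafana emitted in the question when the login was refused.
SIGNUP_REFUSED = ("Not allowing oauth_generic_oauth login, user not found in "
                  "internal user database and allow signup = false")


@dataclass
class OAuthConfig:
    """Subset of the [auth.generic_oauth] settings discussed in the thread (assumed shape)."""
    allow_sign_up: bool
    scopes: str
    role_attribute_path: str = ""


def parse_scopes(scopes: str) -> list[str]:
    """Split the space-separated scopes string the answer recommends.

    A comma-separated value (as in the question) would be sent to Keycloak
    as a single malformed scope, so it is rejected here rather than guessed at.
    """
    if "," in scopes:
        raise ValueError("scopes must be space-separated, not comma-separated: %r" % scopes)
    return scopes.split()


def map_role(claims: dict) -> str:
    """Hand-written equivalent of the answer's role_attribute_path expression:

        contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'

    A missing or malformed 'groups' claim maps to Viewer here, i.e. the
    mapping fails closed to the least privileged role.
    """
    groups = claims.get("groups")
    if isinstance(groups, list) and ADMIN_GROUP in groups:
        return "Admin"
    return "Viewer"


def decide_login(cfg: OAuthConfig, claims: dict, internal_users: set[str]) -> dict:
    """Model of Grafana's first decision on an OAuth login: is this user allowed in?

    Grafana keeps an internal user record for every OAuth user; with
    allow_sign_up = false only logins that already have such a record succeed.
    """
    login = claims.get("preferred_username", "")
    if login in internal_users:
        outcome = "existing internal user"
    elif cfg.allow_sign_up:
        outcome = "new internal user created from OIDC response"
        internal_users.add(login)
    else:
        return {"allowed": False, "login": login, "reason": SIGNUP_REFUSED}
    role = map_role(claims) if cfg.role_attribute_path else "Viewer"
    return {"allowed": True, "login": login, "reason": outcome, "role": role}


# Constructed claims as a Keycloak group mapper would emit them in userinfo.
ADMIN_CLAIMS = {"preferred_username": "alice", "groups": ["/GrafanaAdmins", "GrafanaAdmins"]}
VIEWER_CLAIMS = {"preferred_username": "bob", "groups": ["Developers"]}
NO_GROUPS_CLAIMS = {"preferred_username": "carol"}

ROLE_EXPR = "contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'"
# The question's configuration: signup off, comma-separated scopes, no role mapping.
ORIGINAL_CFG = OAuthConfig(allow_sign_up=False, scopes="openid,email,profile,groups")
# The answer's corrections applied.
FIXED_CFG = OAuthConfig(allow_sign_up=True, scopes="openid email profile groups",
                        role_attribute_path=ROLE_EXPR)


def run_scenarios() -> dict:
    """Replay the question's failure and the answer's fix against an empty user table."""
    return {
        "original": decide_login(ORIGINAL_CFG, ADMIN_CLAIMS, set()),
        "fixed_admin": decide_login(FIXED_CFG, ADMIN_CLAIMS, set()),
        "fixed_viewer": decide_login(FIXED_CFG, VIEWER_CLAIMS, set()),
        "fixed_no_groups": decide_login(FIXED_CFG, NO_GROUPS_CLAIMS, set()),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The "original" scenario reproduces the warning from the question's log: with an empty internal user table and allow_sign_up false, no OAuth user can ever get in, because Grafana never gets to create the record it needs. With the corrected config the same user is created on first login and receives Admin, while users outside the group, or with no groups claim at all, land on Viewer.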
