GitHub OAuth integration for Grafana - github

I'm trying to have GitHub OAuth integration for Grafana and I am following this document:
https://grafana.com/docs/grafana/latest/auth/github/
Accordingly, I've configured my values.yaml file with similar configuration as shown below:
## grafana Authentication can be enabled with the following values on grafana.ini
server:
  # The full public facing url you use in browser, used for redirects and emails
  root_url: https://grafana.example.space
# https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
auth.github:
  enabled: true
  allow_sign_up: true
  scopes: user:email,read:org
  auth_url: https://github.com/login/oauth/authorize
  token_url: https://github.com/login/oauth/access_token
  api_url: https://api.github.com/user
  team_ids: 259420
  allowed_organizations: Orgs
  client_id: 123456
  client_secret: 123456
My Github OAuth app URLs are configured as shown below:
Homepage URL:
https://grafana.example.space
Authorization callback URL:
https://grafana.example.space/login/github
But when I try to log in using GitHub authentication, I see the error below:
t=2022-01-02T12:33:03+0000 lvl=eror msg="Failed to look up user based on cookie" logger=context error="user token not found"
t=2022-01-02T12:33:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/live/ws status=401 remote_addr=49.206.14.15 time_ms=0 size=32 referer=
Can someone please help me with where I am missing out here?

Related

Keycloak invalid redirect URL - grafana

I'm trying to integrate Keycloak with Grafana dashboards, but when I try to log in to Grafana via Keycloak I receive "invalid redirect URL".
keycloack grafana settings
I've added the below config in grafana.ini:
[auth.generic_oauth]
enabled = true
scopes = openid email profile
name = Keycloak
tls_skip_verify_insecure = true
allow_sign_up = true
client_id = grafana
client_secret = ba342011-3705-483c-8e04-7f95be561cd5
auth_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/auth
token_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/token
api_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/userinfo
url_redirect invalid
Every time I try to log in, it redirects to localhost:3000, but I didn't set that up in Keycloak.
I found many similar cases on Google but no luck on my side.
2021-11-02 12:43:06,838 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=grafana, clientId=grafana, userId=null, ipAddress=172.18.212.8, error=invalid_redirect_uri, redirect_uri=http://localhost:3000/login/generic_oauth
I want to mention that Grafana and Keycloak are installed on the same server.
You have missed the doc https://grafana.com/docs/grafana/latest/auth/generic-oauth/:
You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.
You didn't set the root URL, so an incorrect redirect URL is generated (http://localhost:3000/login/generic_oauth) instead of the domain/IP:port you used in the browser. Fix that and it should be fine.
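Both the GitHub question at the top and the Keycloak "invalid redirect URL" thread come down to the same check: the callback Grafana sends (root_url plus the provider's /login/... path) must equal the callback registered at the identity provider. The script below is an added example, not code from either poster or from Grafana. It assumes that Grafana falls back to http://localhost:3000/ when [server] root_url is unset (the value visible in the Keycloak LOGIN_ERROR line), and it takes the per-provider login paths from the logs and configs posted above. The two grafana.ini samples are constructed for the example.

```python
import configparser
from typing import List
from urllib.parse import urlsplit

# Assumption: Grafana's default root_url when [server] root_url is left unset
# (backed by the localhost:3000 redirect_uri in the Keycloak LOGIN_ERROR line above).
DEFAULT_ROOT_URL = "http://localhost:3000/"

# Login path per provider section, taken from the paths in the posted logs and config.
PROVIDER_PATHS = {
    "auth.github": "/login/github",
    "auth.generic_oauth": "/login/generic_oauth",
    "auth.azuread": "/login/azuread",
}


def _load(ini_text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg


def expected_callback(ini_text: str, provider: str) -> str:
    """redirect_uri Grafana sends for `provider`: root_url + the provider's login path."""
    root = _load(ini_text).get("server", "root_url", fallback=DEFAULT_ROOT_URL).strip()
    return root.rstrip("/") + PROVIDER_PATHS[provider]


def check_callback(ini_text: str, provider: str, registered: str) -> List[str]:
    """Compare the callback Grafana will send with the one registered at the IdP."""
    findings: List[str] = []
    cfg = _load(ini_text)
    if not cfg.has_option("server", "root_url"):
        findings.append("root_url is not set; callback defaults to " + DEFAULT_ROOT_URL)
    if cfg.get(provider, "enabled", fallback="false").strip().lower() != "true":
        findings.append(f"{provider} is not enabled")
    want = expected_callback(ini_text, provider)
    if want != registered.rstrip("/"):
        findings.append(f"callback mismatch: Grafana sends {want}, IdP has {registered}")
    if urlsplit(want).scheme != "https":
        findings.append("callback is plain http; Secure cookies will not be sent over it")
    return findings


# Constructed sample: the Keycloak question's grafana.ini, which has no [server] section.
NO_ROOT_URL = """
[auth.generic_oauth]
enabled = true
name = Keycloak
"""

# Constructed sample: the GitHub question's Helm values expressed as grafana.ini.
WITH_ROOT_URL = """
[server]
root_url = https://grafana.example.space
[auth.github]
enabled = true
"""

if __name__ == "__main__":
    for ini, prov, reg in (
        (NO_ROOT_URL, "auth.generic_oauth", "http://192.168.101.223:3000/login/generic_oauth"),
        (WITH_ROOT_URL, "auth.github", "https://grafana.example.space/login/github"),
    ):
        print(prov, "->", expected_callback(ini, prov), check_callback(ini, prov, reg) or "OK")
```

Run it against the real grafana.ini before touching the IdP: a "callback mismatch" finding means either root_url or the registered callback is wrong, and the "root_url is not set" finding is exactly the situation the answer above describes.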

Error getting email address - grafana with keycloak

I'm trying to integrate Grafana with Keycloak, but I'm receiving the following errors when I set "Scopes = openid profile email" in grafana.ini:
t=2021-11-03T05:51:22-0400 lvl=eror msg="Error getting email address" logger=oauth.generic_oauth url=http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails error="{\"error\":\"RESTEASY003210: Could not find resource for full path: http://101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails\"}"
t=2021-11-03T05:51:22-0400 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting email address: {\"error\":\"RESTEASY003210: Could not find resource for full path: http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails\"}"
It is definitely not getting any email address; when I try to call "http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails" I get "Page not found".
My grafana.ini config looks like below:
[auth.generic_oauth]
enabled = true
allow_sign_up = true
team_ids =
allowed_organizations =
name = Keycloak
scopes = openid profile email
client_id = grafana
client_secret = ba342011-3705-483c-8e04-7f95be561cd5
auth_url = http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/auth
token_url = http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/token
api_url = http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo
I found the solution:
Step 1. Create a user on Keycloak, for example: grafana, set a password, and add your email address (or whatever email address you want):
keycloak user
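The log above shows the failure mode behind that fix: Grafana could not find an email address in the token or userinfo response, so it fell back to requesting `<api_url>/emails`, a GitHub-style endpoint Keycloak does not serve (hence RESTEASY003210). The code below is an added example that models that lookup order; it is not Grafana's own code, and the order id_token -> userinfo -> /emails and the GitHub-style list shape for /emails are assumptions drawn from the posted log. The userinfo payloads and the Keycloak error body are constructed samples.

```python
import json
from typing import Optional, Tuple


def email_from_claims(claims: dict, require_verified: bool = False) -> Optional[str]:
    """Return the `email` claim when present (optionally only if email_verified is true)."""
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        return None
    if require_verified and claims.get("email_verified") is not True:
        return None
    return email


def email_from_emails_endpoint(body: Optional[str]) -> Optional[str]:
    """Parse a GitHub-style list from <api_url>/emails (assumed shape) and return the
    primary address. Keycloak answers that path with an error object, not a list, so
    this returns None for it."""
    if body is None:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, list):
        return None
    for entry in data:
        if isinstance(entry, dict) and entry.get("primary") and entry.get("email"):
            return entry["email"]
    return None


def resolve_email(id_token_claims: dict, userinfo: dict,
                  emails_body: Optional[str] = None,
                  require_verified: bool = False) -> Optional[Tuple[str, str]]:
    """Return (email, source) using the assumed order id_token -> userinfo -> /emails,
    or None when every source fails (the 'Error getting email address' case)."""
    for source, claims in (("id_token", id_token_claims), ("userinfo", userinfo)):
        email = email_from_claims(claims, require_verified)
        if email:
            return email, source
    email = email_from_emails_endpoint(emails_body)
    if email:
        return email, "api_url/emails"
    return None


# Constructed samples: a Keycloak userinfo response for a user with no email set,
# and the RESTEASY error body Keycloak returns for the non-existent /emails path.
USERINFO_NO_EMAIL = {"sub": "3f1c", "preferred_username": "grafana"}
KEYCLOAK_EMAILS_ERROR = json.dumps({
    "error": "RESTEASY003210: Could not find resource for full path: "
             "http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails"})
# Constructed sample: the same user after the fix (email set on the user, email scope granted).
USERINFO_FIXED = {"sub": "3f1c", "preferred_username": "grafana",
                  "email": "grafana@example.com", "email_verified": True}

if __name__ == "__main__":
    print(resolve_email({}, USERINFO_NO_EMAIL, KEYCLOAK_EMAILS_ERROR))  # None
    print(resolve_email({}, USERINFO_FIXED))                           # ('grafana@example.com', 'userinfo')
```

The practical check is therefore on the Keycloak side: call the userinfo endpoint with a token issued to the Grafana client and confirm it carries an `email` claim (user has an email, the `email` scope is granted, the mapper is present). The `require_verified` flag shows where an "email verified" requirement would sit if you want unverified addresses refused rather than accepted.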

Grafana AAD Authentication - login.OAuthLogin(missing saved state)

I have an issue with login via AAD authentication.
I have an iframe containing a panel, and the iframe is inside a web page where the user is authenticated against AAD.
When the iframe opens it redirects me to the login page:
(we are supposed to be authenticated already, but ...)
And if I press "Sign in with Microsoft", I get the error:
In grafana's logs I see:
t=2021-07-06T15:06:36+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=302 remote_addr=**XX.XX.181.X** time_ms=0 size=400 referer=https://**mydomain**.westeurope.cloudapp.azure.com:3000/login
t=2021-07-06T15:06:39+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=500 remote_addr=**XX.XX.181.X** time_ms=0 size=1743 referer=https://login.microsoftonline.com/
But I don't know which is the problem ... any idea?
You may have a problem with same site cookie config. Try GF_SECURITY_COOKIE_SAMESITE=none (but I don't guarantee that's a solution, because you didn't provide https://stackoverflow.com/help/minimal-reproducible-example, your browser console may give you ideas what's blocked and why)
Generally: Grafana in the iframe is (will be) a problem, because browsers limit (or will limit in near future) this kind of access - see recent 2021 Chrome’s SameSite cookie update. Safari is also very strict in this limitation. So you may solve it, but some browser may still have this problem or may have this problem soon.
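The "missing saved state" error is what you see when the OAuth state cookie Grafana set before redirecting to the IdP is not attached to the callback request. The decision the browser makes depends on the cookie's SameSite and Secure attributes and on whether the callback navigation is top-level or inside an iframe. The code below is an added example, not Grafana's or the answerer's code: it reads Grafana's [security] cookie_samesite / cookie_secure settings (the same ones GF_SECURITY_COOKIE_SAMESITE and GF_SECURITY_COOKIE_SECURE set) and applies the browser SameSite rules; treating a missing attribute ("disabled") as Lax follows current Chrome behaviour and is an assumption of the example. The grafana.ini fragments are constructed.

```python
import configparser
from dataclasses import dataclass
from typing import List


@dataclass
class CookiePolicy:
    samesite: str  # Grafana accepts lax, strict, none or disabled
    secure: bool


def policy_from_ini(ini_text: str) -> CookiePolicy:
    """Read [security] cookie_samesite / cookie_secure from grafana.ini text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return CookiePolicy(
        samesite=cfg.get("security", "cookie_samesite", fallback="lax").strip().lower(),
        secure=cfg.getboolean("security", "cookie_secure", fallback=False),
    )


def cookie_sent(policy: CookiePolicy, cross_site: bool, top_level: bool, https: bool) -> bool:
    """Decide whether the browser attaches the state cookie to the GET /login/azuread callback.

    cross_site: the navigation comes from the IdP's site (the redirect back from login.microsoftonline.com)
    top_level:  the navigation happens in the top frame rather than inside an iframe
    https:      Grafana is reached over TLS (Secure cookies are only sent over https)
    """
    if policy.secure and not https:
        return False
    if not cross_site:
        return True
    mode = "lax" if policy.samesite == "disabled" else policy.samesite  # assumption: no attribute -> Lax
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level  # Lax cookies ride along on top-level GET navigations only
    if mode == "none":
        return policy.secure  # browsers reject SameSite=None cookies that lack Secure
    raise ValueError(f"unknown cookie_samesite value: {policy.samesite}")


def iframe_findings(policy: CookiePolicy, https: bool) -> List[str]:
    """Explain why an embedded (iframe) OAuth login would lose its state cookie, if it would."""
    findings: List[str] = []
    if not cookie_sent(policy, cross_site=True, top_level=False, https=https):
        findings.append(f"cookie_samesite={policy.samesite}: state cookie is not sent on the callback inside an iframe")
        if policy.samesite == "none" and not policy.secure:
            findings.append("SameSite=None requires cookie_secure = true")
        if policy.secure and not https:
            findings.append("cookie_secure = true but Grafana is served over plain http")
    return findings


# Constructed samples: Grafana's defaults, and the setting suggested in the answer above.
DEFAULT_INI = "[security]\ncookie_samesite = lax\ncookie_secure = false\n"
IFRAME_INI = "[security]\ncookie_samesite = none\ncookie_secure = true\n"

if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("iframe", IFRAME_INI)):
        pol = policy_from_ini(ini)
        print(name, "top-level:", cookie_sent(pol, True, True, True),
              "iframe:", cookie_sent(pol, True, False, True), iframe_findings(pol, https=True))
```

The model also makes the trade-off explicit: SameSite=None is what lets the embedded login work, but it is the weakest cross-site protection for the cookie, so it only makes sense together with cookie_secure = true over https, and only if embedding Grafana is a requirement.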
services:
  grafana:
    image: grafana/grafana:latest
    pid :
    ports:
      - 3000:3000
    volumes:
      - C:\Users\suraj.kalloli\grafana\keycloak.ini:/etc/grafana/grafana.ini
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command:
      - start-dev
      - --import-realm
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
    volumes:
      - ./keycloak-config/:/opt/keycloak/data/import/
[auth.generic_oauth]
name = OAuth login
icon = signin
enabled = true
scopes = openid
client_id = grafanatest
client_secret = 90z3ONKTTDSB9scsIevXebC2Ek6O6Ue8
use_pkce = false
allow_sign_up = true
auth_url = http://host.docker.internal:8080/realms/master/protocol/openid-connect/auth
token_url = http://host.docker.internal:8080/realms/master/protocol/openid-connect/token
api_url = http://host.docker.internal:8080/realms/master/protocol/openid-connect/userinfo
login_attribute_path = preferred_username
role_attribute_path: "contains(realm_access.roles[*], 'Admin') && 'Admin' || contains(realm_access.roles[*], 'Editor') && 'Editor' || 'Editor'"
role_attribute_strict = true
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[plugins]
allow_loading_unsigned_plugins = camptocamp-prometheus-alertmanager-datasource
#log level
[log.file]
level = debug
- Add a valid mapper to the client and turn email verification ON for the user's email if you gave the scope as openid email or openid.
- Set a first name and last name on the user in Keycloak so Grafana can take the assigned names.
- The first snippet is the docker compose file.
- The second one is the keycloak.ini file.
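The role_attribute_path in that keycloak.ini decides what each Keycloak user can do inside Grafana, so it is worth checking as carefully as the client secret. The code below is an added example and not Grafana's JMESPath evaluator: it renders the posted expression in plain Python so its two consequences can be exercised. First, the posted expression ends in `|| 'Editor'`, so any user without an Admin or Editor realm role still becomes an Editor; a `fallback` parameter lets you compare that with the least-privilege choice ('Viewer'). Second, role_attribute_strict = true only refuses a login when the mapped role is empty or not a valid role, which a non-empty fallback never produces. The token payloads are constructed samples.

```python
from typing import Optional

VALID_ROLES = ("Admin", "Editor", "Viewer")  # org roles Grafana accepts from role_attribute_path


def map_role(claims: dict, fallback: str = "Editor") -> str:
    """Plain-Python rendering of the posted role_attribute_path expression:

        contains(realm_access.roles[*], 'Admin') && 'Admin'
        || contains(realm_access.roles[*], 'Editor') && 'Editor'
        || <fallback>        (the posted expression uses 'Editor' here)
    """
    roles = claims.get("realm_access", {}).get("roles", [])  # realm_access.roles[*]
    if "Admin" in roles:
        return "Admin"
    if "Editor" in roles:
        return "Editor"
    return fallback


def login_decision(claims: dict, strict: bool = True, fallback: str = "Editor") -> Optional[str]:
    """Return the org role to assign, or None when role_attribute_strict refuses the login.
    With strict = true, a mapped role that is empty or not one of VALID_ROLES denies the login."""
    role = map_role(claims, fallback)
    if strict and role not in VALID_ROLES:
        return None
    return role


# Constructed sample access-token claims: a realm admin, an ordinary user and a
# service account whose token carries no realm_access at all.
ADMIN_TOKEN = {"preferred_username": "ops", "realm_access": {"roles": ["offline_access", "Admin"]}}
PLAIN_TOKEN = {"preferred_username": "dev", "realm_access": {"roles": ["offline_access"]}}
NO_REALM_ACCESS = {"preferred_username": "svc"}

if __name__ == "__main__":
    for label, token in (("admin", ADMIN_TOKEN), ("plain", PLAIN_TOKEN), ("svc", NO_REALM_ACCESS)):
        print(label,
              "posted expression ->", login_decision(token),
              "| Viewer fallback ->", login_decision(token, fallback="Viewer"),
              "| no fallback, strict ->", login_decision(token, fallback=""))
```

If the intent is that unmapped users get read-only access, change the trailing `'Editor'` in the expression to `'Viewer'`; if the intent is that unmapped users cannot log in at all, drop the trailing fallback entirely so that strict mode has something to refuse.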

Want to integrate argo server with keycloak

I tried in incognito as well, but the same issue exists.
Currently I have added this in server-deployment.yaml:
args:
  - server
  - --auth-mode
  - sso
And in values.yaml:
sso:
  # #SSO configuration when SSO is specified as a server auth mode.
  # #All the values are required. SSO is activated by adding --auth-mode=sso
  # #to the server command line.
  #
  # #The root URL of the OIDC identity provider.
  issuer: http://<keycloak_ip>/auth/realms/demo
  # #Name of a secret and a key in it to retrieve the app OIDC client ID from.
  clientId:
    name: argo
    key: client-id
  # #Name of a secret and a key in it to retrieve the app OIDC client secret from.
  clientSecret:
    name: "argo-server-sso"
    key: client-secret
  # # The OIDC redirect URL. Should be in the form /oauth2/callback.
  redirectUrl: http:///argo/oauth2/callback
And in the Keycloak UI I have created the client and client credentials.
kubectl create secret generic "argo-server-sso" --from-literal=client-secret=9a9c60ba-647d-480c-b6fa-82c19caad26a
kubectl create secret generic "argo" --from-literal=client-id=argo
After hitting the Argo server URL I have to click the login option manually; after that the Keycloak page appears, and then a popup comes up saying "Failed to login: Unauthorized".
Server logs:
kubectl logs argo-server-5c7f8c5cbb-9fcqk
time="2021-01-20T12:06:26.876Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=default secure=false
time="2021-01-20T12:06:26.877Z" level=warning msg="You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo/tls/"
time="2021-01-20T12:06:26.877Z" level=info msg="config map" name=argo-workflow-controller-configmap
time="2021-01-20T12:06:28.318Z" level=info msg="SSO configuration" clientId="{{argo} client-id }" issuer="http://10.xx.xx.xx:xxxx/auth/realms/demo" redirectUrl="http://xx/argo/oauth2/callback"
time="2021-01-20T12:06:28.318Z" level=info msg="SSO enabled"
time="2021-01-20T12:06:28.322Z" level=info msg="Starting Argo Server" instanceID= version=v2.12.2
time="2021-01-20T12:06:28.322Z" level=info msg="Creating event controller" operationQueueSize=16 workerCount=4
time="2021-01-20T12:06:28.323Z" level=info msg="Argo Server started successfully on http://localhost:2746"
time="2021-01-20T12:07:21.990Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = token not valid for running mode" grpc.code=Unauthenticated grpc.method=GetVersion grpc.service=info.InfoService grpc.start_time="2021-01-20T12:07:21Z" grpc.time_ms=0.379 span.kind=server system=grpc
time="2021-01-20T12:07:22.009Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = token not valid for running mode" grpc.code=Unauthenticated grpc.method=ListWorkflowTemplates grpc.service=workflowtemplate.WorkflowTemplateService grpc.start_time="2021-01-20T12:07:22Z" grpc.time_ms=0.075 span.kind=server system=grpc
I integrated ArgoCD with Keycloak successfully.
You have one clear/visible issue: the YAML indentation is wrong.
Make sure you keep the right indentation as per the default values in the Helm chart:
https://github.com/argoproj/argo-helm/blob/1aea2c41798972ff0077108f926bb9095f3f9deb/charts/argo/values.yaml#L255-L283
Accordingly, your values should be:
(assuming your argo is serving with hostname workflows.company.com)
server:
  extraArgs:
    - --auth-mode=sso
  sso:
    issuer: http://<keycloak_ip>/auth/realms/demo
    clientId:
      name: argo
      key: client-id
    clientSecret:
      name: "argo-server-sso"
      key: client-secret
    redirectUrl: https://workflows.company.com/argo/oauth2/callback
From the Keycloak side now, under your client, make sure you fill in the Valid Redirect URL as per your ingress hostname:

facebook throws "An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response" when use oauth2

I want to use OAuth2 with Facebook in my web application with Spring Boot, and this is the configuration for this purpose:
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            clientId: clientIdValue
            clientSecret: clientSecretValue
            redirectUri: "https://www.example.com/oauth2/callback/{registrationId}"
            scope:
              - email
              - profile
          facebook:
            clientId: clientIdValue
            clientSecret: clientSecretValue
            redirectUri: "https://www.example.com/oauth2/callback/{registrationId}"
            scope:
              - email
              - public_profile
        provider:
          facebook:
            authorizationUri: https://www.facebook.com/v3.0/dialog/oauth
            tokenUri: https://graph.facebook.com/v3.0/oauth/access_token
            userInfoUri: https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250)
server:
  port: 443
  ssl:
    key-store-type: PKCS12
    key-store: classpath:keystore/sslkeystore.p12
    key-store-password: passwordValue
    key-alias: tomcat
    enabled-protocols:
      - TLSv1
      - TLSv1.1
      - TLSv1.2
Google authentication works fine, but with Facebook I get this error after the redirect to my site:
An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for \"https://graph.facebook.com/v3.0/oauth/access_token\": Remote host closed connection during handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during
Try to remove this:
provider:
  facebook:
    authorizationUri: https://www.facebook.com/v3.0/dialog/oauth
    tokenUri: https://graph.facebook.com/v3.0/oauth/access_token
    userInfoUri: https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250)
It helped me.
Replace the value for userInfoUri with the following: https://graph.facebook.com/v3.0/me?fields=id,email,first_name,middle_name,last_name,name,verified,picture.width(250).height(250)