Grafana with Google IAP (broken after 9.2)

I am following this tutorial to set up Grafana with Google's Identity-Aware Proxy in front. Basically, this is the configuration setting for authentication:

  auth.jwt:
    enabled: true
    header_name: "X-Goog-Iap-Jwt-Assertion"
    username_claim: "email"
    email_claim: "email"
    jwk_set_url: "https://www.gstatic.com/iap/verify/public_key-jwk"
    expect_claims: '{"iss": "https://cloud.google.com/iap"}'
  auth.proxy:
    enabled: true
    header_name: "X-Goog-Authenticated-User-Email"
    header_property: "email"
    auto_sign_up: true

Grafana 9.1 works, but 9.2 breaks and I get a 401 response:

{
"message": "User not found",
"traceID": "xxxxx"
}

Logs:

logger=auth.jwt t=2022-11-15T12:34:55.890692482Z level=debug msg="Validating JSON Web Token claims"
logger=context traceID=xxxxx t=2022-11-15T12:34:55.893164432Z level=debug msg="Failed to find user using JWT claims" email_claim=user@example.com username_claim=user@example.com
logger=context traceID=xxxxx t=2022-11-15T12:34:55.893193138Z level=error msg="User not found" error="invalid username or password" traceID=xxxxx

Not sure what broke between the two versions. If someone has an idea what needs to be changed, that would be much appreciated.


Stumbled upon the same issue. Are you certain it is an issue with the version?

@zall yes, version 9.1.8 works for me.

Any fix for this? Noticed the same.
Doesn't work in 9.3.2 either.

I ran into this problem as well and found that there’s a new option needed:

[auth.jwt]
  auto_sign_up: true

After adding this, my dashboard was working again.

auth.proxy

I was curious as to why the tutorial was doing both auth.proxy and auth.jwt. They seem redundant, and my guess is you’d only use the proxy header method if you were unable or uninterested in using JWT.

I changed my config to get rid of all auth.proxy config. As a result, it caused new user records to be created the next time they logged in. Looking in the user_auth table, the new users have auth_module=jwt.

To avoid new user records being created, I found doing this data migration fixed it for me. The first query strips the namespace from the login and email e.g. accounts.google.com:user@example.com becomes user@example.com.
Then, get rid of the no-longer-used auth records.

-- strip the "accounts.google.com:" prefix
update "user" set
  login = split_part(login, ':', 2),
  email = split_part(login, ':', 2)
where login like 'accounts.google.com:%'
  and email like 'accounts.google.com:%';

-- remove obsolete auth records.
-- new records will be created with `auth_module=jwt` and a different `auth_id`,
-- but will be matched up to existing `user` records.
delete from user_auth where auth_module = 'authproxy';

Theory

My theory is that prior to 9.1, the proxy method was tried before JWT, and now JWT is tried first and without auto_sign_up = true, it fails.

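Before running the migration from the post above on a live database, it is worth checking that no stripped login or email collides with a user that auth.jwt has already auto-created (the duplicate-record situation described in that post), because Grafana keeps unique indexes on login and email and the UPDATE would fail on that constraint. The following is an added example, not code from this thread or from Grafana; it uses a constructed in-memory SQLite stand-in with only the columns the migration touches, and substr() with the prefix length in place of PostgreSQL's split_part().

```python
import sqlite3

PREFIX = "accounts.google.com:"
START = len(PREFIX) + 1  # sqlite substr() is 1-based

# Constructed, simplified stand-ins for Grafana's "user" and user_auth tables
# (assumption: only the columns the migration touches; the real schema is larger).
SCHEMA = """
CREATE TABLE "user" (id INTEGER PRIMARY KEY, login TEXT NOT NULL UNIQUE, email TEXT NOT NULL UNIQUE);
CREATE TABLE user_auth (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                        auth_module TEXT NOT NULL, auth_id TEXT NOT NULL);
"""

def open_sample_db():
    """Constructed sample: two auth.proxy-era users; bob has already been
    auto-created a second time by auth.jwt after the proxy config was removed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?)', [
        (1, PREFIX + "alice@example.com", PREFIX + "alice@example.com"),
        (2, PREFIX + "bob@example.com", PREFIX + "bob@example.com"),
        (3, "bob@example.com", "bob@example.com"),  # created by auth.jwt
    ])
    conn.executemany("INSERT INTO user_auth VALUES (?, ?, ?, ?)", [
        (1, 1, "authproxy", PREFIX + "alice@example.com"),
        (2, 2, "authproxy", PREFIX + "bob@example.com"),
        (3, 3, "jwt", "bob@example.com"),
    ])
    return conn

def find_collisions(conn):
    """(prefixed_user_id, stripped_login, existing_user_id) for every prefixed
    user whose stripped login or email is already taken by another row."""
    return conn.execute('''
        SELECT p.id, substr(p.login, ?), q.id
        FROM "user" p JOIN "user" q ON q.id <> p.id
          AND (q.login = substr(p.login, ?) OR q.email = substr(p.email, ?))
        WHERE p.login LIKE ? AND p.email LIKE ?
        ORDER BY p.id''', (START, START, START, PREFIX + "%", PREFIX + "%")).fetchall()

def migrate(conn):
    """Dry-run check, then the two statements from the post in one transaction.
    Returns the number of user rows rewritten; raises before touching anything
    if the UPDATE would violate the unique login/email indexes."""
    collisions = find_collisions(conn)
    if collisions:
        raise RuntimeError(f"resolve duplicate accounts before migrating: {collisions}")
    with conn:  # commit on success, roll back if anything fails
        cur = conn.execute('''
            UPDATE "user" SET login = substr(login, ?), email = substr(email, ?)
            WHERE login LIKE ? AND email LIKE ?''', (START, START, PREFIX + "%", PREFIX + "%"))
        conn.execute("DELETE FROM user_auth WHERE auth_module = 'authproxy'")
    return cur.rowcount
```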

Thanks for taking the time to post a solution. Hopefully this PR will get merged soon to remove the redundancy.