Jwt authentication not working or showing in log

Grafana Authentication
1

Even though I’ve turned on debug logs, I’m not seeing any error, info or debug messages about what is wrong with my auth.jwt configuration. And when trying to load the url (either directly in the browser, through an iframe or via curl), all I get is a 302 to the login page. Other posts have shown error messages in the log or json responses with ‘invalid jwt’ error messages. Is there something special I need to do to enable these messages so that I can debug?

  • What Grafana version and what operating system are you using?

I am using docker (compose):


services:
  grafana:
    image: grafana/grafana
    ports:
      - 3000:3000
    volumes:
      - ./grafana.ini:/etc/grafana/grafana.ini
      - mydata:/var/lib/grafana
      - ~/dev/keys:/etc/grafana/keys
volumes:
  mydata:

grafana-1 | logger=settings t=2023-04-09T17:14:50.890135366Z level=info msg="Starting Grafana" version=9.4.7 commit=4add91f03d branch=HEAD compiled=2023-03-16T23:56:52Z

  • What are you trying to achieve?
    I would like to embed grafana dashboards in another application without requiring a user to log in to grafana first.

  • How are you trying to achieve it?
    I’ve enabled auth.jwt with the following settings (everything else is left as the default, full ini file included below)

[log]
level = debug

[security]
allow_embedding = true

[auth.jwt]
enabled = true
enable_login_token = true
url_login = true
header_name = X-Forwarded-Access-Token
username_claim = username
key_file = /etc/grafana/keys/rsa_pub.pem
expect_claims = {}
auto_sign_up = true
  • What happened?

When trying to access in the browser http://grafana.staged-by-discourse.com/d/aDdiwfYVz/mybasicdash?orgId=0&kiosk&auth_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjgxMTMyNjkzLCJpYXQiOjE2ODEwNjA2OTMsImp0aSI6ImU5OTc2MjI3N2U2NjRlMjA4NTA2MjUyMGMyZTgyNDcyIiwidXNlcm5hbWUiOiJhbmRyZXdAbWlyc2t5dGVjaC5jb20ifQ.s93pF6XOsEZGA8uYZ8p3_ZemnNkGQCBcxu9Pnhbc4enkLqdhrSnmcl68rHzr7HCDUScyVdDbWb293iGvgnRmxSN4hFztm9USCGPWpmRaRtuFp1VVsjI6PN78sBVTqY0CjuVy1MaFiwuW7op9OiXoDoRtTgLZlx5igS72LJRHSDt-n0mZS_52VoRGkq4k9RTU2DR42FSrS7IigR3MT1nz_TlQ1TTa4BOXsHUsd__j3LeKEtSpfaKzCuYMXe0JPYZHGH2Z16dzc40_p5XC4ZzMHee8nqZTnH8uRUTrTn8J1O5vvYAS_ot4dGUMOU3TlgD4NUhLOUK9IunZfhjTNIiouA

From within an iframe, I get the same result.

The log message shows:
grafana-1 | logger=context userId=0 orgId=0 uname= t=2023-04-09T17:18:10.407958393Z level=info msg="Request Completed" method=GET path=/d/aDdiwfYVz/mybasicdash status=302 remote_addr=172.19.0.1 time_ms=11 duration=11.173144ms size=29 referer= handler=/d/:uid/:slug

and the browser gets the response:

HTTP/1.1 302 Found
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Location: /login
Set-Cookie: redirect_to=%2Fd%2FaDdiwfYVz%2Fmybasicdash%3ForgId%3D0%26kiosk%26auth_token%3DeyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjgxMTMyODYwLCJpYXQiOjE2ODEwNjA4NjAsImp0aSI6ImZjNTJmMDM2NzQwODQ3NDdiYTQyZmIwZjMxZWYzNmEwIiwidXNlcm5hbWUiOiJhbmRyZXdAbWlyc2t5dGVjaC5jb20ifQ.Zj_nJbas_KBtR1Wl0me1zPmB0QPebOQwbIA_bLGk7UKkbKz9lzEld5G_jrIBV2Z91PllpGqTPPhXgzg5KUPreJSyumnc2DDddUugvYJveQzCrlJXgNBAhXL4SKTD0e2HMR4_vH9hjX60ZM1VFOb1NeG5fQkunIdEaosbFGZsKyTofNVrRa-YbgdT1hTXHTbVkBQ-B7az2yPfB3c_3-XSwnpgiBy-adXdppbDAiaVtwFJCo0fDxduM64zTqLHyX42vPZb-JFe4TiqkGDUq6HPwXSt0KEAmrj84MOo9jroUNvsaQdjd5A6TyxP1JuysjxXIErfc-h-UUcmt_SAiq40Dg; Path=/; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Sun, 09 Apr 2023 17:21:56 GMT
Content-Length: 29

the decoded jwt:

{'token_type': 'access', 'exp': 1681132693, 'iat': 1681060693, 'jti': 'e99762277e664e2085062520c2e82472', 'username': 'andrew@redacted.com'}
  • What did you expect to happen?

I was expecting to receive a 200 response and have the dashboard requested displayed. And I was expecting to see debug with a “Parsing JSON Web Token” message. Or I was expecting to see JWT error messages in the log.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
grafana-1   | logger=context userId=0 orgId=0 uname= t=2023-04-09T17:27:39.68145325Z level=info msg="Request Completed" method=GET path=/d/aDdiwfYVz/mybasicdash status=302 remote_addr=172.19.0.1 time_ms=12 duration=12.336072ms size=29 referer= handler=/d/:uid/:slug
grafana-1   | logger=infra.kvstore.sql t=2023-04-09T17:27:39.735457095Z level=debug msg="kvstore value not found" orgId=0 namespace=serviceaccounts key=hideApiKeys
grafana-1   | logger=ngalert.scheduler t=2023-04-09T17:27:40.012768444Z level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
  • Did you follow any online instructions? If so, what is the URL?

I followed the instructions here: Configure JWT Authentication | Grafana documentation and What's new in Grafana v9.1 | Grafana documentation

2

I have also tried using the jwt token in the header using nginx by adding to docker compose:

  nginx:
    image: nginx
    ports:
      - 9090:9090
    volumes:
      - ./mysite.conf:/etc/nginx/conf.d/mysite.conf

with the nginx configuration of

server {
    listen       9090;
    listen  [::]:9090;
    server_name  grafana.local;

    location / {
        proxy_set_header X-Forwarded-Access-Token "${arg_mytoken}";
        proxy_pass   http://grafana:3000;
    }

}

with this line in /etc/hosts

127.0.0.1   grafana.local
3

Did you ever get this to work? I’m stuck with something very similar