I’m struggling setting up generic OAuth login with Keycloak.
After clicking on Sign in with OAuth button, I land on Keycloak login screen, and after giving username and password, I get redirected back to grafana, but with a server error message:
login.OAuthLogin(NewTransportWithCode)
In grafana logs I found:
t=2020-04-13T15:44:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=10.2.2.100 time_ms=0 size=319 referer=https://grafana.local/login
t=2020-04-13T15:44:59+0000 lvl=info msg="state check" logger=oauth queryState=fb3e8c188015af24e639a2175612132d00560b7c93caaf7e33fb86b21b9ccdec cookieState=fb3e8c188015af24e639a2175612132d00560b7c93caaf7e33fb86b21b9ccdec
t=2020-04-13T15:44:59+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_client\",\"error_description\":\"Parameter client_assertion_type is missing\"}"
t=2020-04-13T15:44:59+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=10.2.2.100 time_ms=86 size=1743 referer="https://sso.mypublicdomain.com/realms/REALM/login-actions/authenticate?execution=810b04a5-6399-40ff-bf8c-81b163cb3774&client_id=grafana&tab_id=hE_zVm648ZA"
I haven’t found anything useful on the topic of the missing client_assertion_type error. I’m out of ideas how to fix this problem.
My grafana configuration looks like this:
instance_name = grafana.local
[server]
root_url = https://grafana.local
[security]
admin_user = admin
admin_password = PASSWORD
[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = CLIENT_SECRET_FROM_KEYCLOAK
email_attribute_name = email:primary
scopes = openid profile email
auth_url = https://sso.mypublicdomain.com/auth/realms/REALM/protocol/openid-connect/auth
token_url = https://sso.mypublicdomain.com/auth/realms/REALM/protocol/openid-connect/token
api_url = https://sso.mypublicdomain.com/auth/realms/REALM/protocol/openid-connect/userinfo
allow_sign_up = false
Not sure it’s relevant for this case, but both Keycloak and Grafana are behind a proxy that handles TLS termination.