ewok2
April 15, 2022, 12:13pm
1
I now have a Keycloak that seems to work.
I have some users synchronized from an LDAP.
I have declared a realm and a client,
but when trying to link with Grafana it does not work…
When I click on the Grafana button “sign in with OAuth” I arrive on a Keycloak error page telling:
MyRealm
We are sorry…
Invalid parameter: redirect_uri
« Back to Application
I suspect a URL either on Grafana or Keycloak that is wrong…
Grafana side conf:
[auth.generic_oauth]
enabled = true
icon = signin
empty_scopes = false
allowed_domains = mydomain.net
tls_skip_verify_insecure = false
tls_client_cert = pathOfFile
tls_client_key = pathOfFile
tls_client_ca = pathOfFile
use_pkce = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = secretFromKeycloakClient
auth_url = https://auth.mydomain.net/realms/myRealm/protocol/openid-connect/auth
token_url = https://auth.mydomain.net/realms/myRealm/protocol/openid-connect/token
api_url = https://auth.mydomain.net/realms/myRealm/protocol/openid-connect/userinfo
On the Keycloak client side I have the following URLs:
Root URL https://grafana.myDomain.net
Valid Redirect URIs https://grafana.myDomain.net/*
Base URL https://grafana.myDomain.net/
Admin URL https://grafana.myDomain.net/
Web Origins https://grafana.myDomain.net
Any idea what the problem is?
PS: No log found that can help…
ewok2
April 15, 2022, 1:26pm
2
As described in some other post I have checked the URL.
It seems the “redirect_uri=http%3A%2F%2Flocalhost%”
And of course it will not work…
Why did Keycloak not use the “Valid Redirect URIs” specified in the client?
Grafana generates the redirect_uri parameter. Keycloak just verifies it based on client configuration. So Grafana config is a problem.
You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.
I bet you didn’t set root_url (to https://grafana.myDomain.net/).
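To make the two halves of this explanation concrete, here is an added example (not code from the thread, from Grafana or from Keycloak) that derives the callback URL Grafana puts into redirect_uri from root_url and checks it the way Keycloak's Valid Redirect URIs check does (exact match, or prefix match for an entry ending in `*`). It assumes Grafana's callback path `login/generic_oauth` and its shipped default root_url `http://localhost:3000/`, which is what produces the `redirect_uri=http%3A%2F%2Flocalhost…` seen in the previous post.

```python
from typing import List, Optional
from urllib.parse import urlencode, urljoin

# Grafana's callback path for the [auth.generic_oauth] provider
CALLBACK_PATH = "login/generic_oauth"
# Grafana's default root_url when [server] root_url is left unset
DEFAULT_ROOT_URL = "http://localhost:3000/"


def grafana_redirect_uri(root_url: Optional[str]) -> str:
    """Callback URL Grafana sends as the redirect_uri parameter."""
    base = (root_url or DEFAULT_ROOT_URL).rstrip("/") + "/"
    return urljoin(base, CALLBACK_PATH)


def keycloak_allows(redirect_uri: str, valid_redirect_uris: List[str]) -> bool:
    """Keycloak client check: exact match, or prefix match when the
    configured Valid Redirect URI ends with a '*' wildcard."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def authorize_url(auth_url: str, client_id: str, root_url: Optional[str]) -> str:
    """The authorization request Grafana redirects the browser to; the
    redirect_uri is percent-encoded, hence the http%3A%2F%2F... in the logs."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": grafana_redirect_uri(root_url),
        "response_type": "code",
        "scope": "openid",
    })
    return f"{auth_url}?{query}"


if __name__ == "__main__":
    # Constructed sample: the client from the thread, with and without root_url set
    allowed = ["https://grafana.myDomain.net/*"]
    auth = "https://auth.myDomain.net/realms/myRealm/protocol/openid-connect/auth"
    for root in (None, "https://grafana.myDomain.net/"):
        uri = grafana_redirect_uri(root)
        verdict = "accepted" if keycloak_allows(uri, allowed) else "Invalid parameter: redirect_uri"
        print(f"root_url={root!r}: redirect_uri={uri} -> {verdict}")
        print("  ", authorize_url(auth, "grafana", root))
```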
ewok2
April 15, 2022, 10:00pm
4
Many thanks.
Indeed I did not specify the root_url in Grafana.
My Grafana was behind a pfSense with an HAProxy that was not configured with SSL (from pfSense to Grafana)…
So I had to add on the Grafana side the following grafana.ini modification:
[server]
protocol = https
http_port = 3000
domain = myDomain.net
root_url = https://grafana.myDomain.net
cert_file = pathOfFile.crt
cert_key = pathOfFile.crt
[auth.generic_oauth]
enabled = true
icon = signin
empty_scopes = false
allowed_domains = myDomain.net
tls_skip_verify_insecure = false
tls_client_cert = pathOfFile.crt
tls_client_key = pathOfFile.key
tls_client_ca = pathOfFileCA.crt
use_pkce = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = secretFromKeycloakClient
auth_url = https://auth.myDomain.net/realms/schugart/protocol/openid-connect/auth
token_url = https://auth.myDomain.net/realms/schugart/protocol/openid-connect/token
api_url = https://auth.myDomain.net/realms/schugart/protocol/openid-connect/userinfo
scopes = openid
Now when I click on the Grafana button “sign in with OAuth” I arrive on the Keycloak identification page.
Entering my credentials seems to work on the Keycloak side.
Returning to the Grafana page, but then I get an error:
Grafana / Server Error
In the log it seems related to the CA missing?
lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="Post \"https://auth.myDomain.net/realms/myRealms/protocol/openid-connect/token\": x509: certificate signed by unknown authority"
Maybe it is because I did not specify the path in the [server] conf…
I have to check how to do that…
=> But it is clearly not a Keycloak error
ewok2
April 15, 2022, 10:14pm
5
A “way” to make it work is to activate in grafana.ini:
tls_skip_verify_insecure = true
=> but I have to find a better way
@ewok2 I got the same error.
Can you please mention what steps you have taken to overcome this error?
Thanks
Manushi Mehta
ewok2
April 8, 2024, 12:59pm
7
I did not find another way than leaving the below conf on the Grafana side…
If I remove this line I get an error in the log file:
level=error msg=“Failed to retrieve oauth access token” provider=oauth_generic_oauth userId=8 error="oauth2: "invalid_grant" "Token is not active"