I have now a keycloak that seem’s to works.
I have some synchronized user from a ldap
I have declared a realm and a client
but when trying to link with grafana it does not works…

When click on the grafana button “sign in with OAuth” I arrive on a keycloak error page telling :

MyRealm

We are sorry…

Invalid parameter: redirect_uri
« Back to Application

I suspect an url either on grafana or keycloak that is wrong…
Grafana side conf :

[auth.generic_oauth]
enabled = true
icon = signin
empty_scopes = false
allowed_domains = mydomain.net
tls_skip_verify_insecure = false
tls_client_cert = pathOfFile
tls_client_key = pathOfFile
tls_client_ca = pathOfFile
use_pkce = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = secretFromKeycloakClient
auth_url = https://auth.mydomain.net/realms/myRealm/protocol/openid-connect/auth
token_url = https://auth.mydomain.net/realms/myRealm/protocol/openid-connect/token
api_url = https://auth.mydomain.net/realms/myRealm/protocol/openid-connect/userinfo

on keycloak client side I have the following url :

Root URL https://grafana.myDomain.net
“star” Valid Redirect URIs https://grafana.myDomain.net/"star
Base URL https://grafana.myDomain.net/
Admin URL https://grafana.myDomain.net/
Web Origins https://grafana.myDomain.net

Any idea of the problem?

PS : No log found thaht can help…

as describe in some other post I have check the url
It seems the “redirect_uri=http%3A%2F%2Flocalhost%”
Ans of course il will not works…
Why did keycloak did not use the “Valid Redirect URIs” specified in the client?

Grafana generates redirect_uri parameter. Keycloak just verifies it based on client configuration. So Grafana config is a problem.

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

I bet you didn’t set root_url (to https://grafana.myDomain.net/).

Many thanks
Indeed I did not specify the root-url in graphana.
My grafana was behind a Pfsense with a HAproxy that was not configure with SSL (from pfsense to graphana)…

So I have to had in the grafana side the folowing grafana.ini modification :

[server]
protocol = https
http_port = 3000
domain = myDomain.net
root_url = https://grafana.myDomain.net
cert_file = pathOfFile.crt
cert_key = pathOfFile.crt

[auth.generic_oauth]
enabled = true
icon = signin
empty_scopes = false
allowed_domains = myDomain.net
tls_skip_verify_insecure = false
tls_client_cert = pathOfFile.crt
tls_client_key = pathOfFile.key
tls_client_ca = pathOfFileCA.crt
use_pkce = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = secretFromKeycloakClient
auth_url = https://auth.myDomain.net/realms/schugart/protocol/openid-connect/auth
token_url = https://auth.myDomain.net/realms/schugart/protocol/openid-connect/token
api_url = https://auth.myDomain.net/realms/schugart/protocol/openid-connect/userinfo
scopes = openid

Now when click on the grafana button “sign in with OAuth” I arrive on identification keycloak page.
Entering my credential and seem’s to work on keycloak side.
Returning to grafana page but then I get an error

Grafana / Server Error

In the log it seem’s related to the CA missing ?

lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“Post "https://auth.myDomain.net/realms/myRealms/protocol/openid-connect/token\”: x509: certificate signed by unknown authority"

maybe it is because I did not specifiy the path on [server] conf…
I have to check how to do that…

=> But it is clearly not a keycloak error

a “way” to works is to activate in grafana.ini :

tls_skip_verify_insecure = true

=> but I have to found a better way

@ewok2 I got the same error.
Can you please mention what steps you have taken to overcome this error.

Thanks
Manushi Mehta

I did not find another way than let teh below conf in grafana side…

If I remove this line I get in the log file an error :

level=error msg=“Failed to retrieve oauth access token” provider=oauth_generic_oauth userId=8 error="oauth2: "invalid_grant" "Token is not active"