Replies: 6 comments 10 replies
-
@usmangt care to chip in? |
Beta Was this translation helpful? Give feedback.
-
@grafana/grafana-authnz-team can you please take a look on this one |
Beta Was this translation helpful? Give feedback.
-
Hey @ulken , it was designed with Authentication in the proxy in mind (example: https://github.com/grafana/grafana-iframe-oauth-sample). We can take a look at this scenario, I can see how it could potentially not work (API access was not considered). Could you share a redacted version of your |
Beta Was this translation helpful? Give feedback.
-
I would go step further and use SSO OIDC https://github.com/jangaraj/grafana-iframe#i-want-to-have-grafana-in-my-app-as-an-iframe-and-i-would-like-to-have-seamless-login-experience |
Beta Was this translation helpful? Give feedback.
-
@Jguer thank you for looking into this.
Hum, OK. Maybe I'm missing something, but that wasn't entirely obvious reading the docs. I guess my eyes got stuck on this:
That's exactly our use case.
That would be great. Requested config: [auth.jwt]
enabled = true
url_login = true
skip_org_role_sync = true
header_name = X-Forwarded-Access-Token
username_claim = email
email_claim = email
key_file = /etc/grafana/jwk.public.pem
cache_ttl = 60m
auto_sign_up = true Let me know if you need any other parts. |
Beta Was this translation helpful? Give feedback.
-
OK, guys, I'm gonna have to eat my humble pie and hit the road to Canossa... 🤦 tldr; all is good and PEBKAC. Not only was the reverse proxy unnecessary, it was the culprit. Removing the header forwarding, I took a step back and inspected outgoing requests. And boom 🤯 , even though the query parameter wasn't present, the header was. Since the query parameter was empty, the reverse proxy ended up clearing the header... Sincere apologies for taking up your time and thank you very much for your support along the way! |
Beta Was this translation helpful? Give feedback.
-
Figured I'd start with a discussion around this, since I'm not entirely sure if it's a bug or working as intended. If the latter, I'm curious what the intended use cases are.
I'm using JWT authentication for embedding a iframe of a Grafana dashboard into our app.
The authentication is done client side, using MSAL against AAD B2C. The access token is passed as a query parameter to the iframe
src
URL. Then a reverse proxy intercepts the request and converts into a HTTP header.Everything works great for the dashboard and all publicly available resources, but as soon as a call is done towards API endpoints, the authentication fails. The reason is obvious as no relevant query parameter/header is included in the call. Maybe naively, I expected such calls to be authenticated as the dashboard as a whole is authenticated. I.e. all "nested"/subsequent calls would be authenticated as well.
Right now, I've worked around the issue by installing a service worker which decorates all API calls with the necessary query parameter, but it feels kinda hackish.
So, is this intended behavior or am I missing something? Are you supposed to do the authentication in the proxy? Then I fail to see the value of URL login.
Beta Was this translation helpful? Give feedback.
All reactions