solution for the logout issue in grafana OAuth using keycloak2 min read

Prabhin Prabharkaran Administrator
DevOps Engineer

He is a Technical professional. He is a person who loves to share tricks and tips on the Internet. He Posts what he does!

follow me

hi all, this document deals with the solution for the logout issue in grafana OAuth using keycloak.
Grafana is one of the best analytics and visualizer tool which can be customized based on requirements. Grafana supports various data sources such as MySQL, cloud watch, influx dB, etc.

This tutorial shows how to fix the logout issue in grafana OAuth using keycloak.
When grafana is authenticated with OAuth using keycloak when the application logouts user are redirected to the login screen. But if the user clicks on the login with OAuth user is gets logged in without entering a password.
This is due to the user session is not logout from the keycloak.

If you don’t know how to setup grafana OAuth using keycloak. check this link.

Fix
add the below configuration in the apache grafana virtual host file.

 

  RewriteEngine on
  RewriteRule ^/logout - [C]
  RewriteRule . "https://sso.techrunnr.com/auth/realms/devops/protocol/openid-connect/logout?redirect_uri=https\%3A\%2F\%2Fgrafana.techrunnr.com\%2Flogin" [NE,R=302,CO=grafana_sess:INVALID:;]
  RewriteRule ^/login$ /login/generic_oauth [L,R=302]

Final apache configuration with reverse proxy using apache as given below.

 

<VirtualHost *:443>
ServerName grafana.techrunnr.com     
    SSLEngine On
     SSLCertificateFile /etc/httpd/conf.d/ssl/letsencrypt.cer
     SSLCertificateKeyFile /etc/httpd/conf.d/ssl/letsencrypt.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/letsencrypt.cer
SSLCertificateChainFile /etc/httpd/conf.d/ssl/letsencryptfinal.cer

  RewriteEngine on
  RewriteRule ^/logout - [C]
  RewriteRule . "https://sso.techrunnnr.com/auth/realms/devops/protocol/openid-connect/logout?redirect_uri=https\%3A\%2F\%2Fgrafana.techrunnnr.com\%2Flogin" [NE,R=302,CO=grafana_sess:INVALID:;]
  RewriteRule ^/login$ /login/generic_oauth [L,R=302]

               
ProxyPass "/"  "http://localhost:3000/"
        ProxyPassReverse "/"  "http://localhost:3000/"
   ErrorLog /var/log/httpd/grafana-sso.stg.example.cloud-error.log
        CustomLog /var/log/httpd/grafana-sso.stg.example.cloud-access.log combined
        LogLevel error
</VirtualHost>

This configuration change in apache logouts user from keycloak.

© 2020, Techrunnr. All rights reserved.

#1
#2
#3
Questions Answered
Articles Written
Overall Points

Related posts

Leave a Reply