
Signout from Grafana Iframe - Keycloak


I have an Angular App with a Keycloak authentication system (keycloak-angular)

I have a Grafana server which allows authentication with OAuth Keycloak.

I have a Keycloak Server with a realm called master, and two client IDs, one for my Angular app and one for my Grafana server.

In my angular App, I display some iframes coming from my Grafana Server, and with my actual configuration, my Iframes are directly authenticated with OAuth (there is no login screen).

I have a logout button in my angular App to process a Keycloak logout, which redirects me to the keycloak login screen.

My problem is that Iframe sessions are saved when I perform a keycloak logout, and if after that I login with a different user, my grafana iframe will still be authenticated with the previous user.

If I logout inside the Grafana app, or the Grafana iframe, or go to http://grafana-server:3000/logout , I will get logged out of Grafana, and the Grafana iframe session will switch to the new one (the user which is logged in my Angular app).

I want the grafana iframe to perform a sign out when I logout from my Angular App, so the next user logged in will not have the session of the previous user.

Grafana OAuth section:

[auth.generic_oauth]
name = OAuth
enabled = true
allow_sign_up = true
client_id = grafana
client_secret = my-secret
scopes = openid email profile
email_attribute_name = email:primary
email_attribute_path = 
login_attribute_path =
name_attribute_path =
role_attribute_path =
id_token_attribute_name =
auth_url = http://keycloak-server/auth/realms/master/protocol/openid-connect/auth
token_url = http://keycloak-server/auth/realms/master/protocol/openid-connect/token
api_url = http://keycloak-server/auth/realms/master/protocol/openid-connect/userinfo
allowed_domains =
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
auto_sign_up = true 

Here is a screenshot from the Keycloak configuration for the Grafana client.

The backchannel logout url seems to be the solution but I can't find how to use it properly.

I tried to set this URL as "/logout", "http://grafana-server:3000/logout" ... I have no idea how to make it work.


Solution

  • OIDC logout has a redirect_uri parameter, where the user is redirected after logout, so use it to logout from Grafana as well. Desired flow:

    1. Angular logout redirects the browser to the OIDC logout https://keycloak-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=<grafana logout url> (of course the Grafana logout URL is a URL parameter, so it must be URL-encoded)

    2. Keycloak, after a successful OIDC logout, redirects the browser to <grafana logout url> ("your" http://grafana-server:3000/logout), because it was instructed to do that with the redirect_uri parameter

    3. Grafana executes logout (the Grafana user session in the browser will be destroyed) and the browser will be redirected to the Grafana login page (that can of course be customized with the signout_redirect_url config)
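As an added example (not part of the question or answer above), this shows how the Angular app's logout handler could build that chained URL in the browser, with the Grafana logout URL percent-encoded into redirect_uri and an app-side origin allow-list mirroring Keycloak's own check. The hostnames and realm are the placeholders from the thread; the id_token_hint / post_logout_redirect_uri branch is an assumption for newer Keycloak releases that implement OIDC RP-initiated logout.

```javascript
// Added example, not code from the original question or answer.
// Builds the Keycloak logout URL whose redirect_uri points at Grafana's
// /logout, so one browser navigation ends the Keycloak session and the
// Grafana session in the iframe. Keycloak only honours a redirect_uri that
// matches the client's registered "Valid Redirect URIs", so the Grafana
// logout URL must be registered on the Grafana client in Keycloak.
function buildChainedLogoutUrl({ keycloakBase, realm, grafanaBase, idTokenHint }) {
  // Target of the chain: Grafana's own logout endpoint (step 2 of the answer).
  const grafanaLogout = new URL('/logout', grafanaBase).toString();
  const logout = new URL(
    `/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout`,
    keycloakBase
  );
  // URLSearchParams percent-encodes the nested URL (":" "/" "?" ...), which
  // is the "must be URL encoded" requirement from step 1 of the answer.
  logout.searchParams.set('redirect_uri', grafanaLogout);
  // Assumption for newer Keycloak versions (OIDC RP-initiated logout):
  // they expect id_token_hint plus post_logout_redirect_uri instead.
  if (idTokenHint) {
    logout.searchParams.set('id_token_hint', idTokenHint);
    logout.searchParams.set('post_logout_redirect_uri', grafanaLogout);
  }
  return logout.toString();
}

// Decode the redirect target back out of a logout URL (useful in tests/logs).
function redirectTargetOf(logoutUrl) {
  const u = new URL(logoutUrl);
  return u.searchParams.get('post_logout_redirect_uri') || u.searchParams.get('redirect_uri');
}

// App-side guard mirroring Keycloak's allow-list: never send the browser down
// a logout chain whose redirect target is not an origin the deployment owns.
function isAllowedRedirect(target, allowedOrigins) {
  try {
    return allowedOrigins.includes(new URL(target).origin);
  } catch (e) {
    return false; // unparsable target: refuse rather than guess
  }
}

// Hypothetical use inside the Angular logout handler:
//   const url = buildChainedLogoutUrl({ keycloakBase: 'http://keycloak-server',
//     realm: 'master', grafanaBase: 'http://grafana-server:3000' });
//   if (isAllowedRedirect(redirectTargetOf(url), ['http://grafana-server:3000'])) {
//     window.location.href = url;
//   }
```

Grafana's signout_redirect_url (mentioned in step 3) can then point back at the Angular app's login route, closing the loop so the next user starts with no leftover Grafana session.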