基于 Keycloak 集成 Grafana oidc 认证

1. Deploy on Docker

• Recommand for testing

docker run -d \
--name=keycloak \
-p 8080:8080 \
-e PROXY_ADDRESS_FORWARDING=true \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \ quay.io/keycloak/keycloak:17.0.0 \
start-dev --hostname-strict-https=true

• 注: 新版本(17.x)对nginx代理https外部请求时，默认配置可能导致加载 keycloak.js 使用http链接，导致UI渲染失败。需同时增加PROXY_ADDRESS_FORWARDING=true和--hostname-strict-https=true才可生效，参考: #10817

2. Deploy on Kubernetes

• https://www.keycloak.org/getting-started/getting-started-operator-kubernetes

3. Deploy Grafana on Docker

• Recommand for testing

mkdir -p /mnt/disk1/grafana; chmod -R 777 /mnt/disk1/grafana
docker run -tid \
--name=grafana1 \
--network host \
--restart=always \
-p 3000:3000 \
-v /mnt/disk1/grafana:/var/lib/grafana \
docker.io/grafana/grafana:8.2.2

4. Configuring Keycloak and Grafana

• refer to: cloud.tencent.com/developer/article/1878489

• keycloak

TODO

• grafana

sudo vim /proc/`d inspect grafana1 -f '{{.State.Pid}}'`/root/etc/grafana/grafana.ini

...
enabled = true         
name = OAuth           
client_id = grafana    
client_secret = 1lmrUgeYWRsbABJU3rm3WJmE14v3vRRG
id_token_attribute_name = id_token
# https://grafana.com/docs/grafana/latest/auth/generic-oauth/#login
login_attribute_path = 
role_attribute_path = contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'
allow_sign_up = true   
scopes = openid profile email
empty_scopes = false   
#role_attribute_path = 'True'&&'Admin'
#email_attribute_name = email
teams_url = https://www.baidu.com
#auth_url = http://wl4g.debug:18080/iam-web/oidc/v1/authorize
#token_url = http://wl4g.debug:18080/iam-web/oidc/v1/token
#api_url = http://wl4g.debug:18080/iam-web/oidc/v1/userinfo
...