Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for authenticated iframe (with JWT) #326

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

epinter
Copy link
Contributor

@epinter epinter commented Sep 30, 2023

The image renderer from Grafana is very slow and cpu heavy. Iframe is not an option for most cases because it needs anonymous access to Grafana. This commit adds JWT support to secure the Grafana access when using iframe.
When a graph is loaded in Icinga web interface, the signed JWT token is sent to Grafana in the request, if JWT is validated graph is displayed, if anything goes wrong with the token validation, Grafana will refuse the access.

The library Firebase PHP-JWT is used to create the token. For now, the library is included in the vendor directory.

The JWT token uses RSA keys, these keys are generated automatically in /etc when the user saves the configuration with jwt enabled.

@epinter
Copy link
Contributor Author

epinter commented Sep 30, 2023

PHP is far from my preferred language, I don't use it a long time, so feel free to change the code if you see something wrong. I didn't use IDE, so I don't know if there's some code warning or deprecation. Tested with PHP 8.1, with Icinga DB.

JWT is very useful, it is easy to configure on Grafana, and well documented.

@epinter epinter force-pushed the feature-iframe-jwtauth branch 3 times, most recently from 996e36b to 1863828 Compare September 30, 2023 17:33
The image renderer from Grafana is very slow and cpu heavy. Iframe is
not an option for most cases because it needs anonymous access to
Grafana. This commit adds JWT support to secure the Grafana access
when using iframe.
When a graph is loaded in Icinga web interface, the signed JWT token is
sent to Grafana in the request, if JWT is validated graph is displayed,
if anything goes wrong with the token validation, Grafana will refuse the
access.

The library Firebase PHP-JWT is used to create the token. For now, the
library is included in the vendor directory.

The JWT token uses RSA keys, these keys are generated automatically in
/etc when the user saves the configuration with jwt enabled.
@epinter
Copy link
Contributor Author

epinter commented Nov 6, 2023

Forgot to mention, the JWT auth support was introduced in Grafana 8.0.0-beta1

@jbonor
Copy link

jbonor commented Jan 8, 2024

This works fine for me. Is it going to be merged?

'class' => 'autosubmit',
)
);
if ($formData['grafana_jwtEnable']) {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thorws an error in my setup, better:
if (isset($formData['grafana_jwtEnable']) && $formData['grafana_jwtEnable']) {
?
except this it works perfectly!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants