Why This Matters
Grafana ships with excellent OAuth support, yet many setups struggle due to mismatched redirect URLs and reverse-proxy setups. When combined with Keycloak, the result is a clean, standards-based SSO solution that avoids vendor lock-in.
The One Setting Everyone Misses
If Grafana runs behind a load balancer, OAuth will fail unless you explicitly set:
GF_SERVER_ROOT_URLWithout it, Grafana generates redirect URIs based on its internal service name, which Keycloak correctly rejects.
Minimal Working Setup
- Keycloak client with Authorization Code flow
- One redirect URI:
/login/generic_oauth - Grafana root URL explicitly defined
- Group-based role mapping via OIDC claims
That’s it.
Admin Roles via Keycloak
Grafana intentionally blocks OAuth users from becoming admins unless explicitly allowed. This is a security feature, not a bug.
Enable it consciously:
GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=trueThen map Keycloak groups to roles.
Final Thoughts
Compared to secret-based systems or policy-heavy tools, this integration is refreshingly simple and robust. With proper URL handling and token claims, Grafana + Keycloak becomes a low-maintenance SSO solution that just works.
If you already run Keycloak, there’s little reason not to enable it.
Wanna see more details about the setup? Head to my wiki.
Found this helpful? You can support me.
Author Profile
