JWT authentication

    • JSON Web Key Set (JWKS) in a local file
    • JWKS provided by the configured JWKS endpoint

    To use JWT authentication:

    1. Enable JWT in the .
    2. Specify the header name that contains a token.

    To identify the user, some of the claims needs to be selected as a login info. You could specify a claim that contains either a username or an email of the Grafana user.

    1. # [auth.jwt]
    2. # ...
    3. # Specify a claim to use as an email to sign in.
    4. email_claim = sub

    JSON web token integrity needs to be verified so cryptographic signature is used for this purpose. So we expect that every token must be signed with some known cryptographic key.

    You have a variety of options on how to specify where the keys are located.

    Key set in the same format as in JWKS endpoint but located on disk.

    1. jwk_set_file = /path/to/jwks.json

    PEM-encoded key file in PKIX, PKCS #1, PKCS #8 or SEC 1 format.

    You might also want to validate that other claims are really what you expect them to be.

    1. # This can be seen as a required "subset" of a JWT Claims Set.
    2. expect_claims = {"iss": "https://your-token-issuer", "your-custom-claim": "foo"}