Pomerium Auth0/GitHub IdP Grafana JWT does not work

ram · January 5, 2022, 7:03am

Running the latest version of Pomerium and Grafana (Community stack), Auth0 or GitHub are tested IdP. Grafana is setup to use JWT.

What happened?

Post authentication on the IdP portal, redirection to grafana is not working as expected. Below error is thrown,

{
“message”: “invalid API key”
}

What did you expect to happen?

Post auth it should redirect to Grafana Page

What’s your environment like?

Pomerium version (retrieve with pomerium --version): latest (helm installer)
Server Operating System/Architecture/Cloud: Ubuntu 20.04, K3s, traefik ingress

What’s your config.yaml?

routes:
    - from: https://grafana.qehnelo.xyz
      to: http://main-grafana.prometheus
      policy:
        - allow:
            or:
              - domain:
                  is: gmail.com
      tls_skip_verify: true 

ingress:
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/cluster-issuer: letsencrypt-stg
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    #    ingress.pomerium.io/pass_identity_headers: "true"
  secretName: le-wc-qehnelo.xyz

What did you see in the logs?

message": "invalid API key"

Additional context

Tried both the Git and auth0 IdP and looks same. tried different version and problem seems same

denis · January 5, 2022, 8:02pm

invalid API key is not Pomerium error message.

Also, I notice you’re using forward-auth configuration with Ingress managed by Traefik.
Pomerium provides a first class Ingress controller Ingress Controller | Pomerium

Topic		Replies	Views
Assertion Headers Through Traefik Support	1	333	November 1, 2021
Upstream connect error with Pomerium Ingress Controller Support k8s	2	365	December 21, 2021
404s adding a new route to existing working Pomerium install Support	16	358	March 30, 2022
Pomerium is not working Support	1	426	March 13, 2023
Connecting OICD server Support idp , k8s	3	42	August 12, 2024