Grafana authentication with Cloudflare Access

Grafana natively supports JWT authentication, and if you put it behind Cloudflare Access, then you authenticate into Grafana with your AD user.

With Cloudflare Tunnel, you don’t even need to expose Grafana to the wide Internet - you can bind it to localhost and point the tunnel to http://localhost:3000

Example of the config you need to put into grafana.ini to get it working (thanks to Michal Hruby):

#################################### Auth JWT ##########################
[auth.jwt]
enabled = true
auto_sign_up = true
disable_signout_menu = true
username_claim = email
email_claim = email
expect_claims = {"aud":"cloudflareaudhereexampleabcdefj"}
header_name = Cf-Access-Jwt-Assertion
jwk_set_url = https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs

Links:

• https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/
• https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/jwt/