
How to scrape Prometheus secured with OAuth2-proxy and Keycloak


I have 2 Prometheuses, both with forward-auth via the oauth2-proxy, which have the same client credentials in a single Keycloak. I would like one Prometheus to federate the other one. This is my config snippet for authentication in prometheus.yml:

    oauth2:
      client_id: "oauth-proxy"
      client_secret: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      token_url: "https://keycloak.mydomain.tld/realms/master/protocol/openid-connect/token"

I am not even sure if they should use the oauth-proxy client ID or a distinct one, but I guess that doesn't really matter.

As you can maybe see, I am using the new Quarkus-based Keycloak, which has a slightly different UI than the old WildFly-based Keycloak.

At first, I got an error that the Keycloak client isn't allowed to use service account tokens. I fixed that by enabling the "Service accounts roles" setting in the client. Now apparently the scraping Prometheus is able to get the token from Keycloak, but the target still shows as "401 unauthorized". What am I missing here?
