Accessing Chronograf API's after OAUTH is enabled


How can i access the Chronograf API’s after one has enabled Github OAUTH.
What headers need to passed in order to access the API’s.


Hi all,
I am trying without any luck to use the Chronograf api: https://chronograf-url/docs querying the application already working in production with authentication based to keycloak and punctual users and organizations (defined from the Chronograf interface)

Using curl I am able to retrieve the user token from keycloak running a query as below

curl --insecure \
-d "client_id=chronograf-client" \
-d "client_secret=e3f3604c-9dd7-42d4-813f-cfbd6bd84867" \
-d "username=***" \
-d "password=***" \
-d "grant_type=***" \

The token looks valid after a check in

Once I got the token I am trying to retrieve the dashboard list related to a certain organization, using the command:

curl -vvvv --insecure -H 'Authorization: Bearer <token>'  -X GET https://chronograf-utl/v1/dashboards/v1/dashboards

But I received from Chronograf logs:

Mar 14 09:00:29 red-chronograf chronograf: time="2019-03-14T09:00:29+01:00" level=error msg="Invalid principal" component="token_auth" method=GET remote_addr="" url=/chronograf/v1/dashboards
Mar 14 09:00:29 red-chronograf chronograf: time="2019-03-14T09:00:29+01:00" level=info msg="Response: Forbidden" component=server method=GET remote_addr="" response_time="179.442µs" status=403

All Chronograf apis works instead if used directly from the browser, using the cookie of an already authenticate user.

I am trying to find any documentation online, but this topic is totally missing. For this reason I am not sure if I am making a mistake, if more headers need to be specified in my chronograf/v1/dashboards request to define in input the used organization or if the Authorization: Bearer is supported.

Hopefully this is the right channel to find some info, I did not open a bug in the proper github page, because It is not clear it is a real bug.

Could please someone help on this?