Search code examples
oauth-2.0openidgrafanaopenamforgerock

Grafana Integration with Identity Provider using openid connect and generic oauth

I am trying to integrate forgerock openAM (Identity Provider) with grafana using generic oauth. I have mentioned the endpoints and all in the configuration.

It redirects to the openAM server and asks for login credentials, but after clicking on the allow button, it's showing a server side error.

grafana.log below:

t=2017-12-31T12:26:52+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=192.168.1.153 time_ms=0 size=338 referer=http://grafana.oneeight.com:3000/login
t=2017-12-31T12:27:26+0530 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting user info: {\"error_description\":\"The access token provided is expired, revoked, malformed, or invalid for other reasons.\",\"error\":\"invalid_token\"}"
t=2017-12-31T12:27:26+0530 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=192.168.1.153 time_ms=92 size=1147 referer="http://openam13.oneeight.com:8080/openam/oauth2/authorize?realm=Operators&access_type=online&client_id=operator_id&redirect_uri=http%3A%2F%2Fgrafana.oneeight.com%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=uid+openid+profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"
t=2017-12-31T12:27:26+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/css/fonts.min.css status=404 remote_addr=192.168.1.153 time_ms=1 size=11374 referer="http://grafana.oneeight.com:3000/login/generic_oauth?code=ae93d8c7-3349-4618-88d3-c7f31645e6ff&scope=uid%20openid%20profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"
t=2017-12-31T12:27:26+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/build/grafana.dark.min.css status=404 remote_addr=192.168.1.153 time_ms=2 size=11374 referer="http://grafana.oneeight.com:3000/login/generic_oauth?code=ae93d8c7-3349-4618-88d3-c7f31645e6ff&scope=uid%20openid%20profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"

Can anyone please help to figure out the solution?

Here is set of logs from OpenAM when grafana tries to access user details 

b8efbd7-768a-4038-af7f-cd2de423d285-12480","2018-01-02T06:09:25.965Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12478","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""444b699c238b89d301""]","192.168.1.77","8080","192.168.1.153","51058",,,,"false","GET","http://openam13.oneeight.com:8080/openam/oauth2/authorize","{""realm"":[""Operators""],""access_type"":[""online""],""client_id"":[""operator_id""],""response_type"":[""code""],""scope"":[""uid%20openid%20profile""],""state"":[""qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""]}","{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8""],""host"":[""openam13.oneeight.com:8080""],""referer"":[""http://openam13.oneeight.com:8080/openam/XUI/""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36""]}","{""JSESSIONID"":""9C5CF9FDE026ECFF31BD51935CC8E45D"",""amlbcookie"":""01"",""i18next"":""en-US""}",,"SUCCESSFUL",,,"10","MILLISECONDS","OAuth","/Operators"
"eb8efbd7-768a-4038-af7f-cd2de423d285-12483","2018-01-02T06:09:32.981Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12481","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""444b699c238b89d301""]","192.168.1.77","8080","192.168.1.153","51058",,,,"false","POST","http://openam13.oneeight.com:8080/openam/oauth2/authorize","{""realm"":[""Operators""],""access_type"":[""online""],""client_id"":[""operator_id""],""response_type"":[""code""],""scope"":[""uid%20openid%20profile""],""state"":[""qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""]}","{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8""],""host"":[""openam13.oneeight.com:8080""],""origin"":[""http://openam13.oneeight.com:8080""],""referer"":[""http://openam13.oneeight.com:8080/openam/oauth2/authorize?realm=Operators&access_type=online&client_id=operator_id&redirect_uri=http%3A%2F%2Fgrafana.oneeight.com%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=uid%20openid%20profile&state=qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36""]}","{""JSESSIONID"":""9C5CF9FDE026ECFF31BD51935CC8E45D"",""amlbcookie"":""01"",""i18next"":""en""}",,"SUCCESSFUL",,,"34","MILLISECONDS","OAuth","/Operators"
"eb8efbd7-768a-4038-af7f-cd2de423d285-12496","2018-01-02T06:09:33.221Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12484","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""d02fa012-ddff-40a1-ba83-3de3de2e18d6"",""69b85d3a-7ee8-4f01-a259-0ae26bfec634""]","192.168.1.77","8080","192.168.1.148","57122",,,,"false","POST","http://openam13.oneeight.com:8080/openam/oauth2/access_token","{""realm"":[""Operators""]}","{""host"":[""openam13.oneeight.com:8080""],""user-agent"":[""Go-http-client/1.1""]}","{}",,"SUCCESSFUL",,"{""scope"":""uid openid profile"",""token_type"":""Bearer""}","216","MILLISECONDS","OAuth","/Operators"
Solution

  • The key part of that error is Error getting user info: {\"error_description\":\"The access token provided is expired, revoked, malformed, or invalid for other reasons.\",\"error\":\"invalid_token\"}. That indicates that grafana isn't able to get the user info from OpenAM because it's refusing the token.

    The first thing I'd recommend would be to check the OpenAM logs and see whether it gives you any more information about why it rejected the token. The other thing you may want to verify is that you have your scopes set up correctly in the grafana configuration, and that your api_url setting is correct.

    Looking at the documentation, it seems like the configuration should be 

    scopes = openid email profile
auth_url = https://openam.example.com:8443/openam/oauth2/authorize
token_url = https://openam.example.com:8443/openam/oauth2/access_token
api_url = https://openam.example.com:8443/openam/oauth2/userinfo

    Where https://openam.example.com:8443 is the address of your OpenAM server.