I've followed the Grafana docs and I'm not sure how to configure Grafana with OpenID Connect: https://grafana.com/docs/grafana/latest/auth/generic-oauth/
We already configured several applications with OpenID Connect, which work OK.
What I need is to configure OpenID Connect for Grafana.
What we have:
- ClientID
- Client Secret
- expose Grafana publicly
In addition, we exposed our Grafana publicly and should configure "/redirect" to it.
Our issuer server's config supports the following:

    "issuer" : "https://accounts.fds.com"
    "authorization_endpoint": "https://accounts.fds.com/oauth2/authorize"
    "token_endpoint":"https://accounts.fds.com/oauth2/token"
    "response_types_supported":["code","id_token","token"]
    "scope_supported": ["openid"]

From the doc: "This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/generic_oauth". So we provided this also. My question is: what should I do further, and what is mandatory?
Should I create some application, or is this just a configuration task?
We are using Grafana 7.1.
I've configured it like the following:

    grafana:
      enabled: true
      namespaceOverride: ""
      grafana.ini:
        server:
          root_url: http://a725be449-30559695.eu-central-1.elb.amazonaws.com/
        auth.generic_oauth:
          enabled: true
          client_id: foo_clientid
          client_secret: foo_secert
          scopes: "openid"
          auth_url: https://accounts.fds.com/oauth2/authorize
          token_url: https://accounts.fds.com/oauth2/token
          # api_url: https://${domain}/userinfo. //Not sure what this
          allow_sign_up: true

In the 'root_url' field I've put the link to our Grafana, which redirects to /login.
I'm not sure what the API_URL is. What should I provide there?
When deploying the app I see a new button with "Sign in with OAuth".
When I click it I get the error: "OpenID provider cannot process the request because the configuration is incorrect. Please contact your system administrator." Any idea?
In addition, if I want to configure the redirect URL, which property should I use?

Update:
I was able to see the redirect working but I got this error, any idea?

The OIDC client you use should have this redirect URL configured:
http://a725be449-30559695.eu-central-1.elb.amazonaws.com/login/generic_oauth
That is the redirect URL Grafana will request, based on your grafana.ini
configuration.
I hope you know that the https protocol is required for OIDC.
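
A preflight check for the settings discussed in this thread, as an added example that is not part of the original posts or Grafana's own code. It derives the callback URL from `root_url` and compares the `grafana.ini` values with the provider metadata quoted in the question. The function names, the registered redirect list and the `grafana.example.com` host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def callback_url(root_url, provider="generic_oauth"):
    """Redirect URI Grafana requests: root_url + login/<provider>."""
    return root_url.rstrip("/") + "/login/" + provider

def preflight(grafana, discovery, registered_redirects):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cb = callback_url(grafana["root_url"])
    if urlsplit(cb).scheme != "https":
        findings.append("redirect URI is not https: " + cb)
    # OIDC requires redirect_uri to exactly match a pre-registered value.
    if cb not in registered_redirects:
        findings.append("redirect URI not registered on the client: " + cb)
    for key, meta_key in (("auth_url", "authorization_endpoint"),
                          ("token_url", "token_endpoint")):
        if grafana.get(key) != discovery.get(meta_key):
            findings.append(key + " differs from provider " + meta_key)
    # The question spells the key "scope_supported"; accept both spellings.
    supported = discovery.get("scopes_supported") or discovery.get("scope_supported", [])
    wanted = grafana.get("scopes", "").replace(",", " ").split()
    unsupported = [s for s in wanted if s not in supported]
    if unsupported:
        findings.append("scopes not advertised by provider: " + ", ".join(unsupported))
    # Grafana's OAuth login uses the authorization code flow.
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("provider does not advertise response type 'code'")
    return findings

# Provider metadata and Grafana settings as quoted in the question.
DISCOVERY = {
    "issuer": "https://accounts.fds.com",
    "authorization_endpoint": "https://accounts.fds.com/oauth2/authorize",
    "token_endpoint": "https://accounts.fds.com/oauth2/token",
    "response_types_supported": ["code", "id_token", "token"],
    "scope_supported": ["openid"],
}
GRAFANA = {
    "root_url": "http://a725be449-30559695.eu-central-1.elb.amazonaws.com/",
    "auth_url": "https://accounts.fds.com/oauth2/authorize",
    "token_url": "https://accounts.fds.com/oauth2/token",
    "scopes": "openid",
}
# Constructed sample: redirect URIs assumed to be registered on the OIDC client.
REGISTERED = ["https://grafana.example.com/login/generic_oauth"]

if __name__ == "__main__":
    for finding in preflight(GRAFANA, DISCOVERY, REGISTERED):
        print("FINDING:", finding)
```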