Add authentication for data source plugins

Hello everyone, I want to add a dynamic proxy route to my plugin with Grafana proxy. However, I couldn’t be successful at it. Can you help me with this issue? I’m quite new to Grafana. I don’t know where I’m making a mistake. Can you help me? There is an explanation on this page, but somehow I’m getting an error. link

Thanks for your help. My code works without a proxy. But I want to add authentication for data source plugins using a proxy. The GitHub repository is also attached.github
my plugin.json

2025-01-14 21_40_19-plugin.json - wea-gr-datasource - React - Visual Studio Code701×259 4.58 KB

I’m sorry for writing so late, but I haven’t been able to find a solution. I apologize for any inconvenience.

Could you please help me with this issue? I still haven’t been able to fix this error. Thank you very much in advance!

Hi @maxmarkusprogram

In the future I recommend you to post in the Plugin Development forum when you have a question regarding plugin development. That way it’ll get the attention from the people that can answer your questions.

The problem in your code is that you are not calling the path you are defining in your plugin.json, you are merely calling the proxy url. that’s not enough.

This is what you currently have:

getBackendSrv().fetch({
    // simply calling the data proxy url without
    // specifying which path
    url `${this.baseUrl}?${urlParams}`
});

you need to specify the path you want to call. From your plugin json I can see you named your route forecast so you should modify your code like this:

getBackendSrv().fetch({
    //notice I added `/forecast` 
    url `${this.baseUrl}/forecast?${urlParams}`
});

This will actually call the API you want.

Please don’t be confused thinking this will call /forecast in your API url (i.e. https://api.openweathermap.org/data/2.5/forecast), that’s not the case. that first path will match with your plugin.json defined route.

To understand this better, imagine that you defined 3 different routes in your plugin json: forecast (the one you have now), health and metrics

if you call baseUrl without specifyin the path, how would the data proxy know which of those three to call?.

You might be wondering what if you want different paths of the same url? let’s say you want to call https://api.openweathermap.org/data/2.5/metrics.

in that case all you have to do is add /metrics after the path name (in this example /forecast)

so you could write:

getBackendSrv().fetch({
    // this will call the URL defined in the `forecasts` path
    // and append `/metrics` to it
    // this will call https://api.openweathermap.org/data/2.5/metrics
    url `${this.baseUrl}/forecast/metrics?${urlParams}`
});

Additionally you should avoid hardcoding the url in the plugin.json, it is very likely the user will want to change it, so you can use a variable in the url field to populate it with something the user put in their configuration:

  "routes": [
    {
      "path": "forecast",
      "url": "{{ .JsonData.apiUrl }}",
      "urlParams": [
        {
          "name": "pass",
          "content": "{{ .SecureJsonData.password }}"
        }
      ]
    }
  ]

Thank you very much. I will provide my feedback shortly to ensure everything is on track.

Bad gateway means grafana can’t reach the server.

What are you setting in your data source configuration as your apiUrl?

Double check you are using the correct key for this field in your configuration too.

Also, I am not entirely sure about the security aspect of SecureJsonData. Since my Grafana data source plugin does not have a backend, is SecureJsonData still necessary? Could you please clarify this?

Using SecureJsonData to store secrets has nothing to do with having a backend or not. It is necessary to store secrets (api keys, etc…).

Thank you for your clarification. However, I am still uncertain about the security of SecureJsonData.

Even though I am using the proxy URL, I can still see the API key in the console. I am not fully confident that SecureJsonData is storing my credentials securely. To illustrate this issue, I have attached a screenshot showing the API key being visible in the console.

From my understanding, the API key should not be exposed in the console. Could you please confirm whether this is expected behavior or if there is a misconfiguration on my side?

Best regards,

2025-01-30 15_15_43-Legacy-Windows Medienwiedergabe1791×803 81.3 KB

2025-01-30 09_43_22-Entwicklerwerkzeuge - - Data sources - Connections - Grafana - http___grafana.ma954×816 13.8 KB

@maxmarkusprogram you will only see it when you click the save button after changing the key (e.g. the first time you set the key). The key needs to be sent to the grafana backend to store it encrypted. It is the only moment the API key will be visible like that.

The screenshot you are sharing is from pressing that save button.

Please be very careful, you are sharing images with your apiKey in a public forum. I advice you to re-generate your service API key and never share images or logs that contain secrets like you did.

Thank you for your advice and recommendations—I really appreciate it! You’re absolutely right, and I will make sure to be more careful in the future when sharing screenshots or logs in public forums.

Just to clarify, this is a free API key, so there’s no security risk in this case. However, I understand the importance of keeping API keys private and will still take the necessary precautions moving forward.

Thanks again for your helpful guidance!