I have a rather delicate matter. As a member of the ID4me foundation, I would like to integrate this single-sign-on approach (based on OIDC, but slightly different) as an additional authentication method within Grafana.
As far as I know, the following approaches could be feasible to achieve this goal in Grafana:
1. Implement an additional authentication mode for Grafana based on the pre-existing “generic_oauth” method
2. Use the existing “auth-proxy” mode of Grafana (can be used to integrate any third-party login mechanism)
Now I have the following questions:
Is there any other option than the approaches mentioned above?
Regarding approach 1: would it be possible to implement such an additional authentication extension via plugins (without any code changes inside the Grafana main code base)?
“generic_oauth” is actually OIDC (and not just OAuth), so it should work with any IdP that supports the OIDC protocol. What is the problem with that?
No problem with that. The thing is that ID4me enhances standard OIDC by using DNS entries (TXT records). That means that in order to identify the IdP (issuer URL) for a given user login (= “identifier” in the ID4me context) I have to do a DNS lookup before I can continue with the usual OIDC workflow.
Hence, in terms of the ID4me protocol, I have to implement a DNS lookup pre-step before using the “generic_oauth” OIDC workflow implementation of Grafana. As far as I checked, such an additional “pre-hook call” could not be implemented by providing a dedicated Grafana plugin, because all authentication stuff is part of the Grafana core engine, right?
If yes, this would mean I have to implement this behavior as a new Grafana feature that hopefully would become part of upcoming Grafana releases, right?
I found this code section in the Grafana sources. Here I have to implement my “ID4me”-enhanced workflow based on the pre-existing “generic_oauth” code.
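The DNS pre-step described in the post above, written out as an added example (this is not Grafana's code, not the ID4me project's code, and not something posted in the thread). It assumes the record location and format that the ID4me specification defines, namely a TXT record at `_openid.<identifier>` of the form `v=OID1;iss=<authority host>;clp=<agent host>`; the names `alice.example`, `id.authority.example`, `agent.example` and the whole `stubLookup` zone are constructed so the code runs offline. The resolver is injected so the same `DiscoverIssuer` function can be handed `net.LookupTXT` in a real deployment.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// TXTLookup resolves a DNS name to its TXT records. It is injected so the
// discovery step can run offline; net.LookupTXT is the production choice.
type TXTLookup func(name string) ([]string, error)

// Compile-time check that the real resolver has the expected shape.
var _ TXTLookup = net.LookupTXT

// Id4meRecord is the parsed form of an ID4me discovery TXT record.
// Assumption (taken from the ID4me spec, not from the thread): the record
// sits at _openid.<identifier> and reads "v=OID1;iss=<authority>;clp=<agent>".
type Id4meRecord struct {
	Issuer         string // identity authority hostname (iss)
	ClaimsProvider string // identity agent hostname (clp)
}

// isHostname accepts only lowercase letter/digit/hyphen labels, so a scheme,
// path, port or whitespace in the record cannot leak into the issuer URL.
func isHostname(h string) bool {
	if h == "" || len(h) > 253 {
		return false
	}
	for _, label := range strings.Split(h, ".") {
		if label == "" || len(label) > 63 {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			switch {
			case c >= 'a' && c <= 'z', c >= '0' && c <= '9':
			case c == '-' && i != 0 && i != len(label)-1:
			default:
				return false
			}
		}
	}
	return true
}

// ParseId4meRecord parses one TXT string; anything that is not a well-formed
// v1 record with hostname-only iss/clp fields is rejected.
func ParseId4meRecord(txt string) (Id4meRecord, error) {
	var rec Id4meRecord
	fields := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return rec, fmt.Errorf("malformed field %q", part)
		}
		fields[strings.ToLower(kv[0])] = strings.TrimSpace(kv[1])
	}
	if fields["v"] != "OID1" {
		return rec, errors.New("not an ID4me v1 record")
	}
	rec.Issuer = strings.ToLower(fields["iss"])
	rec.ClaimsProvider = strings.ToLower(fields["clp"])
	if !isHostname(rec.Issuer) || !isHostname(rec.ClaimsProvider) {
		return rec, fmt.Errorf("iss/clp must be bare hostnames, got %q / %q", rec.Issuer, rec.ClaimsProvider)
	}
	return rec, nil
}

// DiscoverIssuer is the ID4me pre-step: map a login identifier to the OIDC
// issuer URL that the ordinary generic_oauth flow would then be pointed at.
func DiscoverIssuer(identifier string, lookup TXTLookup) (string, error) {
	identifier = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(identifier)), ".")
	if !isHostname(identifier) {
		return "", fmt.Errorf("identifier %q is not a valid domain name", identifier)
	}
	txts, err := lookup("_openid." + identifier)
	if err != nil {
		return "", fmt.Errorf("TXT lookup for %s failed: %w", identifier, err)
	}
	var found []Id4meRecord
	for _, t := range txts {
		if rec, err := ParseId4meRecord(t); err == nil {
			found = append(found, rec)
		}
	}
	// Require exactly one usable record; with several, an injected one could win.
	if len(found) != 1 {
		return "", fmt.Errorf("expected exactly one ID4me record for %s, found %d", identifier, len(found))
	}
	return "https://" + found[0].Issuer, nil
}

// stubLookup is a constructed, offline stand-in for DNS with made-up names.
func stubLookup(name string) ([]string, error) {
	zone := map[string][]string{
		"_openid.alice.example":     {"v=OID1;iss=id.authority.example;clp=agent.example"},
		"_openid.bad-iss.example":   {"v=OID1;iss=https://evil.example/login;clp=agent.example"},
		"_openid.ambiguous.example": {"v=OID1;iss=id.authority.example;clp=agent.example", "v=OID1;iss=other.example;clp=agent.example"},
	}
	if txts, ok := zone[name]; ok {
		return txts, nil
	}
	return nil, errors.New("NXDOMAIN")
}

func main() {
	for _, id := range []string{"Alice.Example.", "bad-iss.example", "ambiguous.example", "nobody.example"} {
		iss, err := DiscoverIssuer(id, stubLookup)
		fmt.Printf("%-20s -> %q err=%v\n", id, iss, err)
	}
}
```

Two points a practitioner would want from this step: a TXT record is unauthenticated unless the resolver validates DNSSEC, so the discovered value is only a pointer to the issuer, and the issuer's OIDC discovery document and the `iss` claim of any returned tokens must still match `https://<iss>` before the login is trusted; and restricting `iss` to a bare hostname keeps the record from redirecting the flow to an arbitrary URL, which is why the constructed `bad-iss.example` record is rejected rather than turned into an issuer.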
That’s some kind of discovery. But current Grafana is not using any OIDC discovery; the user has to “hardcode” all URLs in the config. I would start the same way: use the current generic OAuth, configure all URLs manually, and the MVP is done. You will prove that your IdP can work with Grafana and we can celebrate.
The next step can be improvements, e.g. OIDC discovery via DNS TXT record. You may try backend plugins. But as a user I would prefer a pure Grafana setup instead of a 3rd-party plugin, which may not be maintained in the future. The better option would be to talk to the Grafana team directly and create a PR for that.
OK, understood. Thanks for the reply. But if you “hardcode” the issuer URLs you bypass the idea of ID4me completely.
Further questions:
Is there any in-depth guide (with code examples) on how to write “backend plugins” for Grafana? The only thing I found was how to write “Panel, Datasource or App” plugins. None of them seemed feasible to me for providing such a discovery function.
Where can I talk to the Grafana team directly? I thought they were part of this community.
Yes, the Grafana team is here. But it’s quite naive to expect that the Grafana team checks and responds to every post here. It is as naive as the idea that a user will search the forum first and may find the answer before asking. See Grafana Plugin Development Office Hours; it can be a good post/contact for you.
BTW: I don’t like the idea of a new auth provider. Better would be a PR to improve the current generic OAuth: add OIDC discovery via discovery URL and/or DNS TXT record.
Thanks. I will try a backend plugin as a first scratch (just in order to proceed, the sprint ends soon). However, for the future, Go code remains Go code and it should be easy to push my backend RPC plugin implementation into a stable PR (copy-and-paste/waste ;))
I will try to provide this backend plugin discovery implementation as an open-source solution in a dedicated repo as soon as possible.
Later on we can start to turn this into a stable PR solution.