An error occurred within the plugin oauth_generic_oauth "No refresh token available"

  • What Grafana version and what operating system are you using?
    11.1.0

  • What are you trying to achieve?
    Use Grafana with Loki Stack on OpenShift

  • How are you trying to achieve it?
    By applying yaml file with the following config:

    [auth.generic_oauth]
    name = OpenShift
    icon = signin
    enabled = true
    client_id = system:serviceaccount:openshift-logging:grafana
    client_secret = ${OAUTH_CLIENT_SECRET}
    scopes = user:info user:check-access user:list-projects role:logging-grafana-alertmanager-access:openshift-logging
    empty_scopes = false
    auth_url = "https://oauth-openshift.apps.${CLUSTER_ROUTES_BASE}/oauth/authorize"
    token_url = "https://oauth-openshift.apps.${CLUSTER_ROUTES_BASE}/oauth/token"
    api_url = "https://kubernetes.default.svc/apis/user.openshift.io/v1/users/~"
    email_attribute_path = metadata.name
    allow_sign_up = true
    allow_assign_grafana_admin = true
    role_attribute_path = contains(groups[*], 'system:cluster-admins') && 'GrafanaAdmin' || contains(groups[*], 'cluster-admin') && 'GrafanaAdmin' || contains(groups[*], 'dedicated-admin') && 'GrafanaAdmin' || 'Viewer'
    tls_client_cert = /etc/tls/private/tls.crt
    tls_client_key = /etc/tls/private/tls.key
    tls_client_ca = /run/secrets/kubernetes.io/serviceaccount/ca.crt
    use_pkce = true
    oauth_allow_insecure_email_lookup = true
    tls_skip_verify_insecure = true
    use_refresh_token = true

  • What happened?
    After a couple of hours, when accessing a dashboard, I get "An error occurred within the plugin".

Looking at the pod logs I see the following:

msg="No refresh token available" authmodule=oauth_generic_oauth

I tried adding use_refresh_token = true but it is still failing. It is resolved by signing out from Grafana and logging it out.

  • What did you expect to happen?
    I expected to refresh the token.

  • Can you copy/paste the configuration(s) that you are having problems with?
    see above

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

  • Did you follow any online instructions? If so, what is the URL?
    I initially followed the Loki operator’s steps from "Connect Grafana to an in-cluster LokiStack - Loki Operator", but it doesn’t work with the latest version of Grafana.

That’s not a Grafana issue. Your internal OAuth server doesn’t generate a refresh token, so you have to log in when the access token is expired. (So it makes sense to disable the refresh token on the Grafana side in this case.)
Ask your OpenShift support how to enable refresh tokens.
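
The mismatch described in the reply can be checked offline. The following is an added example, not part of the thread or of Grafana's code: it compares a trimmed `[auth.generic_oauth]` section with a token-endpoint response and reports when `use_refresh_token` is set but no `refresh_token` was issued. The sample INI, the token response and its `expires_in` value are constructed, and the `audit` helper is hypothetical.

```python
import configparser
import json

# Constructed sample: a trimmed [auth.generic_oauth] section like the one in the post.
SAMPLE_INI = """
[auth.generic_oauth]
enabled = true
use_refresh_token = true
tls_skip_verify_insecure = true
oauth_allow_insecure_email_lookup = true
"""

# Constructed token-endpoint response with no refresh_token field
# (placeholder values, not captured from a real cluster).
SAMPLE_TOKEN_RESPONSE = """
{"access_token": "sha256~CONSTRUCTED-PLACEHOLDER", "token_type": "Bearer",
 "expires_in": 86400, "scope": "user:info user:check-access"}
"""


def _flag(section, key):
    """True when the INI key is present and set to 'true'."""
    return section.get(key, "false").strip().lower() == "true"


def audit(ini_text, token_response_text):
    """Return a list of findings for the generic OAuth section."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    section = cfg["auth.generic_oauth"]
    token = json.loads(token_response_text)
    findings = []

    has_refresh = bool(token.get("refresh_token"))
    if _flag(section, "use_refresh_token") and not has_refresh:
        hours = token.get("expires_in", 0) / 3600
        findings.append(
            "use_refresh_token is true but the provider returned no refresh_token; "
            f"sessions need a new login after about {hours:g} h"
        )
    if has_refresh and not _flag(section, "use_refresh_token"):
        findings.append("provider issues refresh tokens but use_refresh_token is off")
    # Settings from the posted config that weaken TLS or identity checks.
    for key in ("tls_skip_verify_insecure", "oauth_allow_insecure_email_lookup"):
        if _flag(section, key):
            findings.append(f"{key} is true; review whether it is still needed")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INI, SAMPLE_TOKEN_RESPONSE):
        print("-", line)
```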