Auth.generic_oauth "No id_token found"

I have an OpenShift 3.11 cluster that I am trying to use for generic auth.

I have the following grafana.ini

[auth.generic_oauth]
enabled = true
client_id = grafana-oauth
client_secret = usere6Je7NiDfK4O0Rw5Vk3A7TK1PwkNaasbIV1H0EUCjExDEk4DBgElS
scopes= user:info
auth_url=https://master311.example.com:8443/oauth/authorize
token_url=https://master311.example.com:8443/oauth/token
api_url= 
allowed_domains=
allow_sign_up = true
tls_skip_verify_insecure = true

[log]
level=debug

[server]
root_url=http://grafana.example.com:3000

I get redirected to the OpenShift login page and login with the user. However I see this error:

login.OAuthLogin(get info from generic_oauth)

When examining the logs I see this

t=2019-07-11T18:57:24+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=192.168.99.198 time_ms=0 size=29 referer=
t=2019-07-11T18:57:26+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=192.168.99.198 time_ms=0 size=308 referer=http://grafana.example.com:3000/login
t=2019-07-11T18:57:33+0000 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
t=2019-07-11T18:57:35+0000 lvl=info msg="state check" logger=oauth queryState=55d712fe326c2e88df6dc54b58b8d5193ef5008b80c693f762964a99b5fa6ec8 cookieState=55d712fe326c2e88df6dc54b58b8d5193ef5008b80c693f762964a99b5fa6ec8
t=2019-07-11T18:57:35+0000 lvl=dbug msg="OAuthLogin Got token" logger=oauth token="&{AccessToken:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 TokenType:Bearer RefreshToken: Expiry:2019-07-12 18:57:35.992365119 +0000 UTC m=+86423.174791448 raw:map[access_token:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 expires_in:86400 scope:user:info token_type:Bearer]}"
t=2019-07-11T18:57:35+0000 lvl=dbug msg="No id_token found" logger=oauth.generic_oauth token="&{AccessToken:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 TokenType:Bearer RefreshToken: Expiry:2019-07-12 18:57:35.992365119 +0000 UTC m=+86423.174791448 raw:map[access_token:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 expires_in:86400 scope:user:info token_type:Bearer]}"
t=2019-07-11T18:57:35+0000 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting user info: Get : unsupported protocol scheme \"\""
t=2019-07-11T18:57:35+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=192.168.99.198 time_ms=38 size=1750 referer=
t=2019-07-11T18:57:43+0000 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0

I am not sure how to further troubleshoot this issue. It seems quite clear from the GitHub code here that it is indeed a token issue.

For completeness' sake, below is a list of the well-known endpoints for OpenShift:

[image: well-known endpoints for OpenShift]

Any help would be appreciated!

Security first:

  • don’t post client secret :sleepy:
  • don’t post valid access token :sleepy:

"No id_token found" is just a debug message, it isn't an error. The error is on the next line: you didn't configure api_url, so Grafana can't get user info from your IdP.
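What those two log lines mean in code, as an added Go example that is not from the thread and not Grafana's own source: a config check that flags the blank api_url before any login is attempted, and the userinfo request that the log shows failing. The config type, the function names, the REDACTED_TOKEN value and the in-process fake endpoint at https://idp.example/userinfo are all constructed for this example; the claim names (preferred_username, email, name) are the standard OIDC userinfo claims, not necessarily the ones Grafana maps.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// GenericOAuthConfig mirrors the three URL settings from the grafana.ini in
// the thread; the field names are ours, not Grafana's.
type GenericOAuthConfig struct{ AuthURL, TokenURL, APIURL string }

// Validate rejects any setting that is not an absolute http(s) URL. An empty
// api_url parses without error but has no scheme, which is exactly what
// net/http later reports as `unsupported protocol scheme ""`.
func (c GenericOAuthConfig) Validate() error {
	var problems []string
	for _, p := range []struct{ name, raw string }{
		{"auth_url", c.AuthURL}, {"token_url", c.TokenURL}, {"api_url", c.APIURL},
	} {
		u, err := url.Parse(p.raw)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			problems = append(problems, fmt.Sprintf("%s: expected an absolute http(s) URL, got %q", p.name, p.raw))
		}
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// UserInfo holds the standard OIDC userinfo claims used to map an access
// token to an account.
type UserInfo struct {
	Login string `json:"preferred_username"`
	Email string `json:"email"`
	Name  string `json:"name"`
}

// FetchUserInfo performs the step that fails in the log: GET api_url with the
// bearer token and decode the JSON body.
func FetchUserInfo(client *http.Client, apiURL, accessToken string) (*UserInfo, error) {
	req, err := http.NewRequest(http.MethodGet, apiURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("error getting user info: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return nil, fmt.Errorf("userinfo endpoint returned HTTP %d: %s", resp.StatusCode, body)
	}
	var ui UserInfo
	if err := json.NewDecoder(resp.Body).Decode(&ui); err != nil {
		return nil, fmt.Errorf("decode userinfo: %w", err)
	}
	if ui.Login == "" && ui.Email == "" {
		return nil, errors.New("userinfo response carries neither preferred_username nor email")
	}
	return &ui, nil
}

// fakeUserInfo is a constructed stand-in for an IdP's userinfo endpoint,
// plugged in as an http.RoundTripper so the example needs no network.
type fakeUserInfo struct{ validToken string }

func (f fakeUserInfo) RoundTrip(r *http.Request) (*http.Response, error) {
	status := http.StatusOK
	body := `{"sub":"1234","preferred_username":"user1","email":"user1@example.com","name":"User One"}`
	if r.Header.Get("Authorization") != "Bearer "+f.validToken {
		status, body = http.StatusUnauthorized, `{"error":"invalid_token"}`
	}
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body)), Request: r}, nil
}

func main() {
	// The thread's configuration: api_url left blank.
	cfg := GenericOAuthConfig{
		AuthURL:  "https://master311.example.com:8443/oauth/authorize",
		TokenURL: "https://master311.example.com:8443/oauth/token",
	}
	fmt.Println("validate:", cfg.Validate())
	_, err := FetchUserInfo(http.DefaultClient, cfg.APIURL, "REDACTED_TOKEN")
	fmt.Println("fetch with empty api_url:", err)
	client := &http.Client{Transport: fakeUserInfo{validToken: "REDACTED_TOKEN"}}
	ui, err := FetchUserInfo(client, "https://idp.example/userinfo", "REDACTED_TOKEN")
	fmt.Printf("fetch with api_url set: %+v err=%v\n", ui, err)
}
```

Running it prints the validation failure for api_url first, then the same `unsupported protocol scheme ""` error the log shows (newer Go versions quote the empty URL in that message), and finally the decoded claims once a real endpoint is configured. The validation step is the one worth adopting: a blank URL is a configuration error, not a token error, and it is cheaper to catch at startup than on the first login.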

Thanks for the quick reply!

I mangled the actual tokens and such with find/replace before posting. Also, this instance is not publicly accessible anyway.

The OpenShift cluster has this endpoint under /oapi/v1/users:

[image: /oapi/v1/users endpoint]

I can curl this endpoint like so:

curl -k -H "Authorization: Bearer $TOKEN" -H 'Accept: application/json' https://master311.example.com:8443/oapi/v1/users/

It gives the following results

{
  "kind": "UserList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/oapi/v1/users/",
    "resourceVersion": "32376138"
  },
  "items": [
    {
      "metadata": {
        "name": "user1",
        "selfLink": "/oapi/v1/users/bob",
        "uid": "d2076d2a-9904-11e9-b064-52540097c136",
        "resourceVersion": "29899597",
        "creationTimestamp": "2019-06-27T17:55:59Z"
      },
      "identities": [
        "htpasswd_auth:user1"
      ],
      "groups": null
    },
    {
      "metadata": {
        "name": "user2",
        "selfLink": "/oapi/v1/users/stratus",
        "uid": "9468f490-0d25-11e9-99cb-52540097c136",
        "resourceVersion": "7906",
        "creationTimestamp": "2018-12-31T17:57:46Z"
      },
      "identities": [
        "htpasswd_auth:user2"
      ],
      "groups": null
    }
  ]
}

Does this JSON have enough information for Grafana? I am getting a 403 "User is forbidden" error in the logs now. The user's token was used in the curl above, so the user can list this endpoint.

What else should I look at?

That is not a userinfo endpoint. Open the discovery URL (for example https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) and search for userinfo_endpoint. Configure that URL in Grafana's api_url setting.
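The lookup described in the reply above, as an added Go example that is neither the poster's nor Grafana's code: fetch the issuer's openid-configuration document, pull out the three endpoints, and refuse to emit a configuration when userinfo_endpoint is absent, which is the case to check for before pointing generic_oauth at an OAuth2 server that is not an OIDC provider. The issuer https://idp.example, the in-process fake IdP and the function names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// discoveryDoc holds the only fields needed from an OpenID Connect discovery
// document; real documents carry many more.
type discoveryDoc struct {
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserInfoEndpoint      string `json:"userinfo_endpoint"`
}

// Endpoints are the three URLs that go into auth_url, token_url and api_url.
type Endpoints struct{ AuthURL, TokenURL, APIURL string }

// DiscoverEndpoints fetches <issuer>/.well-known/openid-configuration. A
// document without userinfo_endpoint is reported as an error rather than
// silently yielding an empty api_url.
func DiscoverEndpoints(client *http.Client, issuer string) (Endpoints, error) {
	resp, err := client.Get(strings.TrimRight(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return Endpoints{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Endpoints{}, fmt.Errorf("discovery returned HTTP %d", resp.StatusCode)
	}
	var doc discoveryDoc
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return Endpoints{}, fmt.Errorf("decode discovery document: %w", err)
	}
	if doc.AuthorizationEndpoint == "" || doc.TokenEndpoint == "" {
		return Endpoints{}, fmt.Errorf("%s: discovery document lacks authorization_endpoint or token_endpoint", issuer)
	}
	if doc.UserInfoEndpoint == "" {
		return Endpoints{}, fmt.Errorf("%s publishes no userinfo_endpoint, so there is nothing to put in api_url", issuer)
	}
	return Endpoints{AuthURL: doc.AuthorizationEndpoint, TokenURL: doc.TokenEndpoint, APIURL: doc.UserInfoEndpoint}, nil
}

// GrafanaIniSnippet renders the [auth.generic_oauth] URL lines from discovered endpoints.
func GrafanaIniSnippet(e Endpoints) string {
	return fmt.Sprintf("[auth.generic_oauth]\nauth_url = %s\ntoken_url = %s\napi_url = %s\n", e.AuthURL, e.TokenURL, e.APIURL)
}

// fakeDiscovery is a constructed IdP serving a discovery document in-process.
// withUserInfo=false models a plain OAuth2 server that has no userinfo endpoint.
type fakeDiscovery struct {
	issuer       string
	withUserInfo bool
}

func (f fakeDiscovery) RoundTrip(r *http.Request) (*http.Response, error) {
	if r.URL.String() != f.issuer+"/.well-known/openid-configuration" {
		return &http.Response{StatusCode: http.StatusNotFound, Body: io.NopCloser(strings.NewReader("not found")), Request: r}, nil
	}
	doc := map[string]string{
		"issuer":                 f.issuer,
		"authorization_endpoint": f.issuer + "/oauth/authorize",
		"token_endpoint":         f.issuer + "/oauth/token",
	}
	if f.withUserInfo {
		doc["userinfo_endpoint"] = f.issuer + "/oauth/userinfo"
	}
	body, _ := json.Marshal(doc)
	return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(strings.NewReader(string(body))), Request: r}, nil
}

func main() {
	for _, withUI := range []bool{true, false} {
		client := &http.Client{Transport: fakeDiscovery{issuer: "https://idp.example", withUserInfo: withUI}}
		e, err := DiscoverEndpoints(client, "https://idp.example")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Print(GrafanaIniSnippet(e))
	}
}
```

The first iteration prints a ready-to-paste [auth.generic_oauth] fragment; the second, against the provider without a userinfo endpoint, prints the error instead. Against a real IdP, replace the fake transport with http.DefaultClient and pass the issuer URL from the provider's documentation.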

Thanks for the pointers. With that info I found this issue on GitHub for OpenShift and GitLab. If I understand the linked comment correctly, this is not possible because.

If my understanding is correct please feel free to close this ticket and thanks for your help!

Use a standard OIDC IdP (e.g. Keycloak) and integrate it with Openstack and Grafana.