Authentication for datasource plugin using OAuth2.0 implicit grant flow

Hi,

I am developing a datasource plugin for Grafana to get data from Azure DevOps Services (Visual Studio Team Services) using its REST API. The first step to start making requests is to authenticate access to the API using Azure Active Directory. What Grafana provides for this is routes which use the OAuth2.0 Client Credential Grant Flow. Unfortunately, that is not supported by the API. The API does not allow service-to-service OAuth, i.e. a confidential client making a silent request to receive a token response. Basically a server cannot access the API without user interaction. A browser redirect is needed to go to the authorization endpoint where the user logs in, and only then would the token be received at the callback URL registered on AAD (this is the Implicit grant flow). Once the login is done, a token can be acquired silently until a login is needed again. This is effectively handled by ADAL (Azure Active Directory Authentication Library), which works in Native Applications (Browser Pop-up) and Web Applications (Browser redirects), but I can’t figure out how I can use the Grafana backend server to do this for me.

If I figure out a way to let my plugin make a browser redirect and come back to http://localhost:3000/.../# and extract the hash, I would have the token with me!

Implicit flow is used for client apps - so you have to play in the Grafana frontend. You can create an HTML text panel with a link to the Azure IDP:

<a href="https://login.windows.net/common/oauth2/authorize?client_id=<client>&redirect_uri=<current-browser-url>&response_type=id_token%20token&scope=<scope>&nonce=<nonce>&state=<nonce>">
  Authenticate my Azure datasource
</a>

But that sounds like a silly solution to me from the Grafana user perspective. You will have a lot of problems to solve: different redirect URIs, token refresh, …
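
The round trip discussed in the posts above (a link to the authorize endpoint, then reading the token out of the URL hash on return), as an added example that is not from any poster or from Grafana. The function names are hypothetical and the sample callback URL is constructed; the endpoint and parameter names are the ones in the link above.

```javascript
// Added example. Function names are hypothetical; the sample URL is constructed.
const AUTHORIZE = "https://login.windows.net/common/oauth2/authorize"; // from the post above
const SAMPLE_CALLBACK = "http://localhost:3000/constructed/path" +
  "#access_token=CONSTRUCTED_TOKEN&token_type=Bearer&expires_in=3600&state=s1";

// 128-bit random value for state and nonce (Web Crypto: browsers, Node 20+).
function newNonce() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the link target. URLSearchParams percent-encodes every value, so a
// redirect URI containing '?' or '&' cannot break out of its parameter.
function buildAuthorizeUrl({ clientId, redirectUri, scope, state, nonce }) {
  const q = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "id_token token",
    scope,
    nonce,
    state,
  });
  return `${AUTHORIZE}?${q}`;
}

// Parse the fragment of the URL the browser lands on after the redirect.
// Returns { ok: true, accessToken, idToken, expiresAt } or { ok: false, reason }.
function readImplicitResponse(callbackUrl, expectedState, nowMs = Date.now()) {
  const p = new URLSearchParams(new URL(callbackUrl).hash.replace(/^#/, ""));
  // Only accept a response tied to the request this browser started; this
  // blocks a token or error injected through a crafted link (login CSRF).
  if (!expectedState || p.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (p.has("error")) return { ok: false, reason: `idp_error:${p.get("error")}` };
  const accessToken = p.get("access_token");
  if (!accessToken) return { ok: false, reason: "no_access_token" };
  // Choice made for this example: a missing or malformed lifetime is rejected.
  const ttl = Number(p.get("expires_in"));
  if (!Number.isFinite(ttl) || ttl <= 0) return { ok: false, reason: "bad_expires_in" };
  // The id_token's signature and nonce claim still need checking before it is
  // trusted; that step is not shown here.
  return { ok: true, accessToken, idToken: p.get("id_token"), expiresAt: nowMs + ttl * 1000 };
}
```

In the browser, the state from `newNonce()` would be kept in `sessionStorage` before following the link, and after `readImplicitResponse(window.location.href, storedState)` succeeds the fragment can be cleared with `history.replaceState` so the token does not stay in the address bar or history.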

Yes, this wouldn’t help me. It would complicate the problem even more. I was thinking of using the simple json datasource instead to query in data, and implementing a web application with the API needed for simple json on its backend and having a front end for it for authentication. Would that work for me? I just have to get the data in no matter which way. It’s crucial.

To be honest you really don’t need to redirect a user to Azure for auth. You can do it in the backend, but you need to play with request cookies and URL params, …

Does the Grafana plugins SDK let you access URL params? (I am sorry for being naïve in this context.) Otherwise, how do you access the URL in the plugin code?