Automatic login to grafana from web application

I have an web application where I will login to my application using the login credentials. Once logged in, a link will be displayed on my application web page. On click of that link I should be able redirect to Grafana and login to the Grafana automatically using my web application credentials.
How can I achieive the above scenario?
(i.e redirecting to the grafana page and automatically login without displaying the grafana login page.)

Awaiting for the response, Thank you.


Thank you for the information Sir.

By using any of the methods mentioned above(like Auth-Proxy, O-Auth, HTTP-API) and for automatic login to work, should I pre-create users in Grafana also?

The auto_sign_up property defaults to true. From the docs:

# Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`.
auto_sign_up = true

Also should mention: though I think that is not exactly what you are looking for in this case.

Yes Sir, I am looking at the automatic login feature to Grafana directly from my web application.
I am trying to implement the automatic login feature as per your suggestion above. Thank you for sharing the information Sir.

I used the instructions provided in the following link(for Auth-Proxy) and made the configuration as follows:

  1. setup in grafana.ini config file for Auth-Proxy and server is as follows:
    ;enabled = true
    ;header_name = X-WEBAUTH-USER
    ;header_property = username
    ;auto_sign_up = true
    ;ldap_sync_ttl = 60
    #;whitelist =,
    #;headers = Email:X-User-Email, Name:X-User-Name
    ;whitelist =
    ;headers =

    #Protocol (http, https, socket)
    ;protocol = http

    #The ip address to bind to, empty will bind to all interfaces
    ;http_addr = IP-ADDRESS-HERE

    #The http port to use
    ;http_port = 3000

    #The public facing domain name used to access grafana from a browser
    ;domain = IP-ADDRESS-HERE

    #Redirect to correct domain if host header does not match domain
    #Prevents DNS rebinding attacks
    ;enforce_domain = false

    #The full public facing url you use in browser, used for redirects and emails
    #If you use reverse proxy and sub path specify full url (with sub path)
    ;root_url = http://localhost:3000

  2. Restarted the Grafana server.

  3. Created the grafana_htpasswd file in /etc/httpd directory.

  4. setup in Apache httpd.conf file is as follows:
    <VirtualHost *:80>
    ServerAdmin webmaster@authproxy
    ServerName authproxy
    ErrorLog “logs/authproxy-error_log”
    CustomLog “logs/authproxy-access_log” common

     <Proxy *>
             AuthType Basic
             AuthName GrafanaAuthProxy
             AuthBasicProvider file
             AuthUserFile /etc/httpd/grafana_htpasswd
             Require valid-user
             RewriteEngine On
             RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
             RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
     RequestHeader unset Authorization
     ProxyRequests Off
     ProxyPass / http://<IP-ADDRESS-HERE>:3000/
     ProxyPassReverse / http://<IP-ADDRESS-HERE>:3000/
  1. Restarted the Apache server.

Now when I tried to execute the following command in the shell prompt:
curl -H “X-WEBAUTH-USER: admin” http://IP-ADDRESS-HERE:3000/api/users

I got the output as follows even though I have made a setup of auth-proxy with apache:

Please let me know how I can proceed further to make it work properly. So that I can set a username HTTP header for the request from my web application and try it out there by redirecting the request to Grafana for automatic login.

Thank you.

A semicolon at the start of a line in an ini file means that it is commented out so your whole auth proxy section is commented out.

Hi Danielee,

Can we do this ifream with NGINX.
i am using the NGIN.fonfg
set $username “guna”;
proxy_pass https://localhost:3000/;
proxy_set_header X-WEBAUTH-USER test-user;
proxy_set_header Authorization “”;
proxy_set_header X-WEBAUTH-USER $username;

coustom .ini
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

Hi Sir,
With Nginx Auth proxy how to add the View or Edit access to the user?

I have a Django app where users can sign in with google OAuth.
I want to provide a button upon clicking that, the same authenticated user should be able to access Grafana.

I am able to do standalone google sso login to Grafana from the Grafana login page but I do not want the login page to be visible to the user who is already signed into my Django app.

@daniellee Can you please help? / Point me to the documentation that will help.

PS: I tried setting up an apache proxy but the issue with that is I need to provide the user upfront using htpasswd file. I do not want this restriction as new users can sign up for my Django app.