I have an web application where I will login to my application using the login credentials. Once logged in, a link will be displayed on my application web page. On click of that link I should be able redirect to Grafana and login to the Grafana automatically using my web application credentials.
How can I achieive the above scenario?
(i.e redirecting to the grafana page and automatically login without displaying the grafana login page.)
Awaiting for the response, Thank you.
The common way to do this is to use a proxy like nginx/apache in front of Grafana and the auth proxy feature:
https://grafana.com/docs/auth/auth-proxy/#auth-proxy-authentication
The authentication would be disabled in Grafana and handled by your proxy instead, once the user has successfully logged in then you would set a username HTTP Header and redirect to Grafana.
Example: https://github.com/grafana/grafana/issues/3752#issuecomment-485976560
There is also an api: https://grafana.com/docs/http_api/auth/
There are also options for oauth authentication (Google, GitHub etc.) if you are using that in your application.
Thank you for the information Sir.
By using any of the methods mentioned above(like Auth-Proxy, O-Auth, HTTP-API) and for automatic login to work, should I pre-create users in Grafana also?
The auto_sign_up property defaults to true. From the docs:
# Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`.
auto_sign_up = true
Also should mention: https://github.com/grafana/grafana-kiosk though I think that is not exactly what you are looking for in this case.
Yes Sir, I am looking at the automatic login feature to Grafana directly from my web application.
I am trying to implement the automatic login feature as per your suggestion above. Thank you for sharing the information Sir.
I used the instructions provided in the following link(for Auth-Proxy) and made the configuration as follows:
setup in grafana.ini config file for Auth-Proxy and server is as follows:
[auth.proxy]
;enabled = true
;header_name = X-WEBAUTH-USER
;header_property = username
;auto_sign_up = true
;ldap_sync_ttl = 60
#;whitelist = 192.168.1.1, 192.168.2.1
#;headers = Email:X-User-Email, Name:X-User-Name
;whitelist =
;headers =
[server]
#Protocol (http, https, socket)
;protocol = http
#The ip address to bind to, empty will bind to all interfaces
;http_addr = IP-ADDRESS-HERE
#The http port to use
;http_port = 3000
#The public facing domain name used to access grafana from a browser
;domain = IP-ADDRESS-HERE
#Redirect to correct domain if host header does not match domain
#Prevents DNS rebinding attacks
;enforce_domain = false
#The full public facing url you use in browser, used for redirects and emails
#If you use reverse proxy and sub path specify full url (with sub path)
;root_url = http://grafana.staged-by-discourse.com
…
…
Restarted the Grafana server.
Created the grafana_htpasswd file in /etc/httpd directory.
setup in Apache httpd.conf file is as follows:
<VirtualHost *:80>
ServerAdmin webmaster@authproxy
ServerName authproxy
ErrorLog “logs/authproxy-error_log”
CustomLog “logs/authproxy-access_log” common
<Proxy *>
AuthType Basic
AuthName GrafanaAuthProxy
AuthBasicProvider file
AuthUserFile /etc/httpd/grafana_htpasswd
Require valid-user
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass / http://<IP-ADDRESS-HERE>:3000/
ProxyPassReverse / http://<IP-ADDRESS-HERE>:3000/
Now when I tried to execute the following command in the shell prompt:
curl -H “X-WEBAUTH-USER: admin” http://IP-ADDRESS-HERE:3000/api/users
I got the output as follows even though I have made a setup of auth-proxy with apache:
{“message”:“Unauthorized”}
Please let me know how I can proceed further to make it work properly. So that I can set a username HTTP header for the request from my web application and try it out there by redirecting the request to Grafana for automatic login.
Thank you.
A semicolon at the start of a line in an ini file means that it is commented out so your whole auth proxy section is commented out.
Hi Danielee,
Can we do this ifream with NGINX.
i am using the NGIN.fonfg
set $username “guna”;
proxy_pass https://community.grafana.com/;
proxy_set_header X-WEBAUTH-USER test-user;
proxy_set_header Authorization “”;
proxy_set_header X-WEBAUTH-USER $username;
coustom .ini
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
Hi Sir,
With Nginx Auth proxy how to add the View or Edit access to the user?
I have a Django app where users can sign in with google OAuth.
I want to provide a button upon clicking that, the same authenticated user should be able to access Grafana.
I am able to do standalone google sso login to Grafana from the Grafana login page but I do not want the login page to be visible to the user who is already signed into my Django app.
@daniellee Can you please help? / Point me to the documentation that will help.
PS: I tried setting up an apache proxy but the issue with that is I need to provide the user upfront using htpasswd file. I do not want this restriction as new users can sign up for my Django app.
Using an Haproxy kubernetes ingress:
Using Grafana in an iframe here. How exactly would one authenticate a user using the HTTP API? Say I know their credentials.