Automatic login to grafana from web application

I have an web application where I will login to my application using the login credentials. Once logged in, a link will be displayed on my application web page. On click of that link I should be able redirect to Grafana and login to the Grafana automatically using my web application credentials.
How can I achieive the above scenario?
(i.e redirecting to the grafana page and automatically login without displaying the grafana login page.)

Awaiting for the response, Thank you.

2 Likes

Thank you for the information Sir.

By using any of the methods mentioned above(like Auth-Proxy, O-Auth, HTTP-API) and for automatic login to work, should I pre-create users in Grafana also?

The auto_sign_up property defaults to true. From the docs:

# Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`.
auto_sign_up = true

Also should mention: https://github.com/grafana/grafana-kiosk though I think that is not exactly what you are looking for in this case.

Yes Sir, I am looking at the automatic login feature to Grafana directly from my web application.
I am trying to implement the automatic login feature as per your suggestion above. Thank you for sharing the information Sir.

I used the instructions provided in the following link(for Auth-Proxy) and made the configuration as follows:

  1. setup in grafana.ini config file for Auth-Proxy and server is as follows:
    [auth.proxy]
    ;enabled = true
    ;header_name = X-WEBAUTH-USER
    ;header_property = username
    ;auto_sign_up = true
    ;ldap_sync_ttl = 60
    #;whitelist = 192.168.1.1, 192.168.2.1
    #;headers = Email:X-User-Email, Name:X-User-Name
    ;whitelist =
    ;headers =

    [server]
    #Protocol (http, https, socket)
    ;protocol = http

    #The ip address to bind to, empty will bind to all interfaces
    ;http_addr = IP-ADDRESS-HERE

    #The http port to use
    ;http_port = 3000

    #The public facing domain name used to access grafana from a browser
    ;domain = IP-ADDRESS-HERE

    #Redirect to correct domain if host header does not match domain
    #Prevents DNS rebinding attacks
    ;enforce_domain = false

    #The full public facing url you use in browser, used for redirects and emails
    #If you use reverse proxy and sub path specify full url (with sub path)
    ;root_url = http://localhost:3000

  2. Restarted the Grafana server.

  3. Created the grafana_htpasswd file in /etc/httpd directory.

  4. setup in Apache httpd.conf file is as follows:
    <VirtualHost *:80>
    ServerAdmin webmaster@authproxy
    ServerName authproxy
    ErrorLog “logs/authproxy-error_log”
    CustomLog “logs/authproxy-access_log” common

     <Proxy *>
             AuthType Basic
             AuthName GrafanaAuthProxy
             AuthBasicProvider file
             AuthUserFile /etc/httpd/grafana_htpasswd
             Require valid-user
    
             RewriteEngine On
             RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
             RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
     </Proxy>
    
     RequestHeader unset Authorization
    
     ProxyRequests Off
     ProxyPass / http://<IP-ADDRESS-HERE>:3000/
     ProxyPassReverse / http://<IP-ADDRESS-HERE>:3000/
    
  1. Restarted the Apache server.

Now when I tried to execute the following command in the shell prompt:
curl -H “X-WEBAUTH-USER: admin” http://IP-ADDRESS-HERE:3000/api/users

I got the output as follows even though I have made a setup of auth-proxy with apache:
{“message”:“Unauthorized”}

Please let me know how I can proceed further to make it work properly. So that I can set a username HTTP header for the request from my web application and try it out there by redirecting the request to Grafana for automatic login.

Thank you.

A semicolon at the start of a line in an ini file means that it is commented out so your whole auth proxy section is commented out.

Hi Danielee,

Can we do this ifream with NGINX.
i am using the NGIN.fonfg
set $username “guna”;
proxy_pass https://localhost:3000/;
proxy_set_header X-WEBAUTH-USER test-user;
proxy_set_header Authorization “”;
proxy_set_header X-WEBAUTH-USER $username;

coustom .ini
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

Hi Sir,
With Nginx Auth proxy how to add the View or Edit access to the user?