So I’m trying to set up an SSO between our Grafana-server and our Azure AD but I’m not getting anywhere.
I started by following the guide here: Azure AD OAuth2 authentication | Grafana Labs which is really straightforward but I’m still presented with an error afterwards. The error I receive when trying to log in with SSO is the following in the GUI: login.OAuthLogin(NewTransportWithCode)
If I check the logs I get this:
t=2021-03-30T21:08:50+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“invalid character ‘<’ looking for beginning of value”
t=2021-03-30T21:08:50+0000 lvl=eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=500 remote_addr=192.168.176.1 time_ms=102 size=1744 referer=https://login.microsoftonline.com/
My scouring of the internets has told me that the invalid character error comes from the fact that an HTML page is returned instead of JSON. But the question is why?
I followed the above-mentioned guide and my Docker config looks like this:
- GF_AUTH_AZUREAD_NAME=Azure AD
- GF_AUTH_AZUREAD_ENABLED=true
- GF_AUTH_AZUREAD_ALLOW_SIGN_UP=true
- GF_AUTH_AZUREAD_CLIENT_ID=<application id>
- GF_AUTH_AZUREAD_CLIENT_SECRET=<client secret>
- GF_AUTH_AZUREAD_SCOPES=openid email profile
- GF_AUTH_AZUREAD_AUTH_URL=https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize
- GF_AUTH_AZUREAD_TOKEn_URL=https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
- GF_AUTH_AZUREAD_ALLOWED_DOMAINS=
- GF_AUTH_AZUREAD_ALLOWED_GROUPS=
As far as I can tell this is how it should be according to the documentation. What am I doing wrong or what can I do to try and get more meaningful information for troubleshooting?
Please do a standard troubleshooting: increase log level and check logs again.
Sorry, was a bit tired yesterday and missed stating that I’ve tried increasing the log level to debug but I don’t get any more information.
These messages are all I get regardless of log level (that are related to this problem):
t=2021-03-31T06:27:43+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=192.168.208.1 time_ms=0 size=29 referer=
t=2021-03-31T06:27:43+0000 lvl=info msg=“OAuth auto login enabled. Redirecting to /login/azuread”
t=2021-03-31T06:27:43+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login status=307 remote_addr=192.168.208.1 time_ms=8 size=50 referer=
t=2021-03-31T06:27:43+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=302 remote_addr=192.168.208.1 time_ms=0 size=365 referer=
t=2021-03-31T06:27:44+0000 lvl=info msg=“state check” logger=oauth queryState=a65a430d3d9601ddc276760391907013e1608f757763c09b86ff6cefd9aae1d1 cookieState=a65a430d3d9601ddc276760391907013e1608f757763c09b86ff6cefd9aae1d1
t=2021-03-31T06:27:44+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“invalid character ‘<’ looking for beginning of value”
t=2021-03-31T06:27:44+0000 lvl=eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=500 remote_addr=192.168.208.1 time_ms=121 size=1744 referer=https://login.microsoftonline.com/
Use the browser console and check the whole login process - requests/responses (some IdPs also return an error in the URL) - the HTML may indicate a problem, and the error is returned in the HTML page.
Did you really use a lowercase n in the env variable?
Pat yourself on the back! The tragic truth is that there was indeed a lowercase n that had snuck into the variable name. Change it to all uppercase and everything works. (Note to self: you aren’t supersmart at 11.00 pm)
Thank you for your help in spotting this silly mistake.
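An added example, not part of the original thread and not Grafana's own code: a small lint for a compose-style environment list that flags GF_ variable names containing lowercase letters and the expected keys that are left unset as a result. Grafana documents its overrides as GF_<SECTION>_<KEY> in uppercase; the expected-key list and the sample input are taken from the config posted above, and the function names are hypothetical.

```python
import re

# Expected names, spelled as in the config posted in the thread (assumption:
# this is the set of keys this deployment needs).
EXPECTED_KEYS = {"GF_AUTH_AZUREAD_" + s for s in (
    "NAME ENABLED ALLOW_SIGN_UP CLIENT_ID CLIENT_SECRET SCOPES "
    "AUTH_URL TOKEN_URL ALLOWED_DOMAINS ALLOWED_GROUPS").split()}

# Constructed sample: the environment list from the thread, typo included.
SAMPLE = """\
- GF_AUTH_AZUREAD_NAME=Azure AD
- GF_AUTH_AZUREAD_ENABLED=true
- GF_AUTH_AZUREAD_ALLOW_SIGN_UP=true
- GF_AUTH_AZUREAD_CLIENT_ID=<application id>
- GF_AUTH_AZUREAD_CLIENT_SECRET=<client secret>
- GF_AUTH_AZUREAD_SCOPES=openid email profile
- GF_AUTH_AZUREAD_AUTH_URL=https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize
- GF_AUTH_AZUREAD_TOKEn_URL=https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
- GF_AUTH_AZUREAD_ALLOWED_DOMAINS=
- GF_AUTH_AZUREAD_ALLOWED_GROUPS=
"""

ENTRY = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_environment(text):
    """Return (name, value) pairs from '- NAME=value' lines; values may be empty."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def lint_grafana_env(text, expected=EXPECTED_KEYS):
    """Flag GF_ names that are not all uppercase, then expected keys left unset."""
    findings, seen = [], set()
    for name, _value in parse_environment(text):
        if not name.upper().startswith("GF_"):
            continue  # not a Grafana override, ignore
        if name != name.upper():
            # Env names are case-sensitive, so this is a different variable.
            findings.append(("bad-case", name, name.upper()))
        else:
            seen.add(name)
    for key in sorted(expected - seen):
        findings.append(("not-set", key, None))
    return findings

if __name__ == "__main__":
    for kind, name, suggestion in lint_grafana_env(SAMPLE):
        print(kind, name, suggestion or "")
```

Run against the posted config, it reports the mistyped token URL variable twice: once as a badly cased name and once as the expected key that never got set.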