Configuring Grafana for SSO with Azure B2C but getting no access_token

  • What Grafana version and what operating system are you using?
    Grafana version: v9.0.4 (c25601297)
    OS: Linux (ubuntu 20.04)

  • What are you trying to achieve?
    I am trying to authenticate sign ins through Azure B2C by configuring Grafana’s [auth.generic_oauth].

  • How are you trying to achieve it?
    By configuring [auth.generic_oauth] in grafana.ini

  • What happened?
    I am receiving the following error:
    (screenshot of the error omitted)
    After reviewing the logs, the problem appears to be that I am not receiving the access_token from Azure B2C.

  • What did you expect to happen?
    To complete the sign-in successfully.

  • Can you copy/paste the configuration(s) that you are having problems with?

[auth.generic_oauth]
name = AzureAD
icon = signin
enabled = true
client_id = <redacted>
client_secret = <redacted>
scopes = https://graph.microsoft.com/openid https://graph.microsoft.com/offline_access
auth_url = https://<redacted>/nupaSystem.onmicrosoft.com/<redacted>/oauth2/v2.0/authorize
token_url = https://<redacted>/nupaSystem.onmicrosoft.com/<redacted>/oauth2/v2.0/token
email_attribute_path = emails[0]
allow_sign_up = true
;tls_skip_verify_insecure = true

[server]
# Protocol (http, https, h2, socket)
domain = <redacted domain>:<redacted port number>
root_url = https://<redacted domain>:<redacted port number>
protocol = https

It's worth noting that I am using a self-signed certificate for HTTPS; maybe this could be the source of the problem, since my Grafana [server] configs and the redirect URI in the Azure configs use a fully qualified domain name.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    grafana log shows the following error:
    level=error msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: server response missing access_token"
    logger=context traceID=00000000000000000000000000000000 userId=0 orgId=1 uname= t=2022-09-29T15:51:55.294116834Z

I have debug enabled for the log level, but I don’t see any relevant logs to point me to the source of the problem.

I appreciate any feedback, thanks!

Try increasing the log level and checking the logs. There should be a response from the token endpoint; maybe there is an error message in the token endpoint response.

1 Like

Hi there,

Thanks for your response. My log is currently configured for debug, but I don’t see any specific messages or errors about the token or the token endpoint.

[log]
mode = console file
level = debug

Hi there,

I was able to solve this problem with some help from Azure support. The problem was that Azure B2C was not generating an access token because none of my scopes required one. The solution was to add the client_id of my B2C app registration for Grafana to the scopes in the grafana.ini configuration file. Azure support also recommended using the names of the scopes instead of their Graph links, because B2C does not recognize them (at least that's what they said):

[auth.generic_oauth]
name = AzureAD
icon = signin
enabled = true
client_id = <redacted>
client_secret = <redacted>
scopes = openid email profile xxxxxxx-xxxxx-xxxxxx(client_id)
auth_url = https://<redacted>/nupaSystem.onmicrosoft.com/<redacted>/oauth2/v2.0/authorize
token_url = https://<redacted>/nupaSystem.onmicrosoft.com/<redacted>/oauth2/v2.0/token
email_attribute_path = emails[0]
allow_sign_up = true
;tls_skip_verify_insecure = true
1 Like
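The two things this thread turned on were (a) what the token endpoint actually returned and (b) whether the configured scopes ask B2C for an access token at all. The script below is an added example written for this page; it is not code from the thread or from Grafana. It loads the [auth.generic_oauth] section from a grafana.ini fragment and flags the scope problems described in the final post (no client_id in scopes, Graph URLs instead of bare scope names, missing openid), and it classifies a token endpoint JSON body the way the "server response missing access_token" error implies. The client_id GUID, the ini fragments and the three token responses are constructed sample data, and the scope rules encode the advice Azure support gave the poster rather than an official B2C specification.

```python
import configparser
import json

# Constructed sample client_id; not a real app registration.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed grafana.ini fragment mirroring the failing configuration in the thread.
INI_BEFORE = f"""
[auth.generic_oauth]
name = AzureAD
enabled = true
client_id = {CLIENT_ID}
scopes = https://graph.microsoft.com/openid https://graph.microsoft.com/offline_access
email_attribute_path = emails[0]
allow_sign_up = true
;tls_skip_verify_insecure = true
"""

# Constructed fragment mirroring the fix: bare scope names plus the app's own client_id.
INI_AFTER = f"""
[auth.generic_oauth]
name = AzureAD
enabled = true
client_id = {CLIENT_ID}
scopes = openid email profile {CLIENT_ID}
email_attribute_path = emails[0]
allow_sign_up = true
;tls_skip_verify_insecure = true
"""

# Constructed token endpoint bodies. The first has an id_token but no access_token,
# which is what Grafana's OAuth client rejects with "server response missing access_token".
RESP_NO_ACCESS_TOKEN = json.dumps({
    "id_token": "eyJ.constructed.idtoken",
    "token_type": "Bearer",
    "scope": "openid offline_access",
})
RESP_WITH_ACCESS_TOKEN = json.dumps({
    "access_token": "eyJ.constructed.accesstoken",
    "id_token": "eyJ.constructed.idtoken",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": f"openid email profile {CLIENT_ID}",
})
RESP_ERROR = json.dumps({
    "error": "invalid_scope",
    "error_description": "constructed example of an OAuth error body",
})


def load_oauth_section(ini_text: str) -> configparser.SectionProxy:
    """Parse a grafana.ini fragment and return its [auth.generic_oauth] section.

    configparser treats lines starting with ';' or '#' as comments, which matches
    the commented-out tls_skip_verify_insecure line in the thread.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp["auth.generic_oauth"]


def check_b2c_scopes(section: configparser.SectionProxy) -> list:
    """Return a list of findings about the scopes line; empty means no problem found."""
    scopes = section.get("scopes", "").split()
    client_id = section.get("client_id", "")
    findings = []
    if client_id not in scopes:
        findings.append("scopes do not include the app's client_id, so B2C has no resource "
                        "to issue an access_token for")
    if any(s.startswith("https://") for s in scopes):
        findings.append("scopes are Graph URLs; B2C expects bare names such as openid email profile")
    if "openid" not in scopes:
        findings.append("openid scope missing, so no id_token will be issued")
    return findings


def diagnose_token_response(body: str) -> str:
    """Classify a token endpoint response body as Grafana's OAuth client would see it."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "non-JSON token response"
    if "error" in data:
        return f"token endpoint error: {data['error']}: {data.get('error_description', '')}"
    if "access_token" not in data:
        # This is the condition behind "oauth2: server response missing access_token".
        return "server response missing access_token (fields present: " + ", ".join(sorted(data)) + ")"
    return "ok"


if __name__ == "__main__":
    for label, ini in (("before", INI_BEFORE), ("after", INI_AFTER)):
        print(label, check_b2c_scopes(load_oauth_section(ini)) or "scopes look fine")
    for body in (RESP_NO_ACCESS_TOKEN, RESP_WITH_ACCESS_TOKEN, RESP_ERROR):
        print(diagnose_token_response(body))
```

Run against the "before" fragment the checker reports all three findings; against the "after" fragment it reports none. The response classifier is useful when Grafana's debug log does not show the token body: capture the token endpoint reply some other way (for example with the same client_id, client_secret and code in a manual request) and feed it to `diagnose_token_response` to see whether the endpoint returned an OAuth error or simply omitted the access_token.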