Data Source Plugin — Login with OAuth2 authorization_code grant type

I am trying to develop a data source plugin for an HTTP API which uses the OAuth2 Authorization Code flow (“Do you want to give Grafana access to…” in a popup).

However I cannot seem to find documentation on how to do this. All examples seem to be aimed toward ‘type an api key or password’, but not ‘open a new window and authorize the user’. Are there examples or docs available?

I’m currently trying to understand this better myself in order to improve the documentation. I’ve yet to see a plugin that uses the authorization_code grant, so I can’t say whether it’s supported or not.

You best bet is to check out Enable token authentication.

Any properties in tokenAuth.params are serialized into form data and sent to the token URL, so you could try something like this:

"routes": [
  {
    "path": "example",
    "url": "https://api.example.com",
    "tokenAuth": {
      "url": "https://login.example.com/oauth2/token",
      "params": {
        "grant_type": "authorization_code",
        "code": "not sure how to send this",
        "client_id": "{{ .JsonData.clientId }}",
        "client_secret": "{{ .SecureJsonData.clientSecret }}",
        "redirect_url": "https://example.com/grafana",
      }
    }
  }
]

One challenge here is how to send the code. Since the request is made server-side by the proxy, I’m not sure about the best way to store the previously received code.

Let me know how it goes! I’ll try to get more eyes on this as well.

Edit: Actually, when writing it out loud, I guess since the flow is made server-side by the proxy, I’m guessing it would make it impossible to authenticate using authorization_code which requires a browser.