Error with Grafana v8.1.1 with Azure AD OAuth2 Setup

Hi All,

I am using Grafana v8.1.1 not enterprise version. I followed Azure AD OAuth2 authentication link and set up as mentioned - Configure Azure AD OAuth2 authentication | Grafana documentation

I am able to login into Grafana with Microsoft credentials but after that getting attached error -

GrafanaAzureAD authentication error913×325 14.1 KB

• login.OAuthLogin(missing saved state) after I logged into

In Grafana error logs I am getting -
2021-09-02T18:06:24-0400 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: ff57dc8d-fd35-4c47-8545-34c7a3880300\r\nCorrelation ID: 4d719eb4-2b60-4212-9e13-497be57b6d8b\r\nTimestamp: 2021-09-02 22:06:24Z","error_codes":[7000215],"timestamp":"2021-09-02 22:06:24Z","trace_id":"ff57dc8d-fd35-4c47-8545-34c7a3880300","correlation_id":"4d719eb4-2b60-4212-9e13-497be57b6d8b","error_uri":"https://login.microsoftonline.com/error?code=7000215\“}”
t=2021-09-02T18:06:24-0400 lvl=eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=500 remote_addr=@ time_ms=513 size=1744 referer=https://grafana-test.pr.business/
t=2021-09-02T18:06:24-0400 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 57e4500b-91d6-4cf7-842c-7c46e52a7100\r\nCorrelation ID: bbd43f12-eb13-470f-91a0-ddb0c7ea336e\r\nTimestamp: 2021-09-02 22:06:24Z","error_codes":[7000215],"timestamp":"2021-09-02 22:06:24Z","trace_id":"57e4500b-91d6-4cf7-842c-7c46e52a7100","correlation_id":"bbd43f12-eb13-470f-91a0-ddb0c7ea336e","error_uri":"https://login.microsoftonline.com/error?code=7000215\“}”

I verified all the client ID, secret, token, and authorize urls, all are correctly set in Grafana.ini I verified it with Azure application multiple times. Does this works only with Enterprise version of Grafana? Please suggest what configurations I am missing or setting incorrectly.

Regards,
Sudeep

Hi @sdatta,
we are using open source version and able to successfully setup Azure AD authentication.
The error says, Invalid client secret is provided. can you cross check this once ?
Are you maintaining these secrets in keyvault and referring them here in configurations ?

client secret id is the one I got form client secrets from azure app and then added the value in client_Secret in grafana.ini . I verified the value copied and saved correctly.

@sdatta

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = Sign in to your account
token_url = Sign in to your account
allowed_domains =
allowed_groups =

From the above configuration:

1. Hope you updated url with right tenant ID
2. secret mentioned in double quotes. most of the time, will maintain these secrets in AKV and refer that path here.
3. allowed domains: hope you mentioned all your domain names that try to access your grafana application.

Hi @vjsre

Thanks for helping. Yes I was incorrect with the Client secrets, I was using secret id rather than the value. Second I was missing the allowed_domains in the grafana.ini config file. This fixed the issue.

Another issue we are facing now is with the roles permission through the Azure OAuth authentication. If I have an user added directly to the ‘Users and Groups’ in the Enterprise Application of the app with the Grafana Admin role, then I am able to access as admin.
But if I add the group from the Azure AD and given access as admin. Then I login into the grafana application with one of the member, I get in as viewer. Have you faced any issue with the groups?