I have an application with Grafana embedded as an iframe. My application knows who the authenticated user is. Now I need to communicate this information to Grafana programmatically, so that when users open the page where the iframe is, they do not need to log in manually, yet they appear logged in as themselves.
My current approach to tackling this issue is, for each user of my application, I create a user in Grafana, generating a new, different password for the Grafana user, which I then store for later use. Thus, when a user logs in to my application, I know exactly its Grafana credentials. All I’m missing right now is a way to use those credentials to log in my users.
This question has been asked way too many times, but no one seems to have a clear answer.
Your approach may raise security issues (credentials of one business app (Grafana) handled by another business app (your app): not part of security best practice).
In addition, it may involve more complex user access management.
I would suggest:
- Use only one IDP (identity provider) for both (app & Grafana)
- Use the SSO (Single Sign-On: the user logs in once for several applications) capabilities of the IDP
In order to achieve that, you may have two ways of doing it, which imply a third party.
- Have an OAuth or SAML IDP (supporting SSO) that is used for user authentication for your app and Grafana (IDK if there is an issue with the iframe, but theoretically it should work).
- Have an access gateway (a reverse proxy that supports SSO) that authenticates requests for your app & Grafana against an IDP (OAuth, LDAP … other), then make your app accept the extra HTTP header coming from the trusted gateway as the (already logged-in) user principal, and use the Auth Proxy authentication mechanism in your Grafana configuration (both your app and Grafana are behind the reverse proxy / access gateway).
Hope that helps.
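
The access-gateway option above only holds if the gateway, not the browser, decides the identity header. The following is an added example, not part of the original answer: a sketch of the header handling a gateway would apply before forwarding to Grafana. It assumes Grafana's `[auth.proxy]` `header_name` is `X-WEBAUTH-USER`; the function names and the sample request are hypothetical.

```python
# Added example (not from the thread): identity-header handling in the gateway.
# Assumption: Grafana [auth.proxy] header_name is X-WEBAUTH-USER.
IDENTITY_HEADER = "X-WEBAUTH-USER"


def canon(name):
    # Header names are case-insensitive, and some servers map "_" to "-",
    # so X_WEBAUTH_USER must be treated as the same header.
    return name.strip().lower().replace("_", "-")


def upstream_headers(client_headers, session_user):
    """Build the header list the gateway forwards to Grafana.

    client_headers: (name, value) pairs received from the browser (untrusted).
    session_user:   username established by the gateway's own IDP login, or None.
    """
    if not session_user:
        raise PermissionError("no gateway session: do not forward to Grafana")
    if any(ch in session_user for ch in "\r\n\0"):
        raise ValueError("control characters in username")
    target = canon(IDENTITY_HEADER)
    # Drop every client-supplied copy so a browser cannot pick its own identity.
    forwarded = [(n, v) for n, v in client_headers if canon(n) != target]
    forwarded.append((IDENTITY_HEADER, session_user))
    return forwarded


# Constructed request: the client sends two spoofed identity headers.
SAMPLE_REQUEST = [
    ("Host", "dashboards.example.internal"),
    ("x-webauth-user", "admin"),
    ("X_WEBAUTH_USER", "admin"),
    ("Cookie", "gateway_session=constructed"),
]

if __name__ == "__main__":
    for name, value in upstream_headers(SAMPLE_REQUEST, "alice"):
        print(f"{name}: {value}")
```

On the Grafana side, the `whitelist` setting under `[auth.proxy]` limits which source addresses may present this header, so Grafana should be reachable only through the gateway.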