Forward authentication to Grafana (embedded in an iframe)

I have an application with Grafana embedded as an iframe. My application knows who the authenticated user is. Now I need to communicate this information to Grafana programatically, so that when users open the page where the iframe is, they do not need to log in manually, yet they appear logged in as themselves.

My current approach to tackling this issue is, for each user of my application, I create a user in Grafana, generating a new, different password for the Grafana user, which I then store for later use. Thus, when a user logs in to my application, I know exactly its Grafana credentials. All I’m missing right now is a way to use those credentials to log in my users.

This question has been asked way too many times, but no-one seems to have a clear answer.

Your approach may raise security issues (Credentials of one business app(Grafana) handled by another business app(Your App) : not part of security best practice)
In addition it may involve a more complex user access management.
I would suggest :
Use only one IDP (identity provider) for both (app & Grafana)
Use SSO (Single Sign On : User log in once for several application ) capabilities of the IDP

in order to achieve that you may have two ways of doing it, that imply a third party.

  1. Have a OAuth or SAML IDP (supporting SSO) that is used for user authentication for your App and Grafana (IDK if there is issue with iframe. But theoretically should works)
  2. Have an access gateway (reverse proxy that support SSO) that do request authentication for your app & Grafana against an IDP (OAuth, LDAP … other) then make your app accept the extra http “Header” coming from the trusted gateway to your app as (already logged in) user principal , and use Auth Proxy authentication mechanism in your grafana.configuration. (both, your app and Grafana is behind the reverse proxy/ access gateway)

Hope that help

Thanks for your reply, and apologies for the delay.

The problem I can’t see how to solve with your solution is, right now I have multiple Grafana organizations, with one data source per organization, such that the data sources can only be accessed by users belonging to the organization the data source is associated with.

At the level of authentication/authorization, users are given the appropriate roles/groups so that it is possible to determine which organization they belong to. On my own backend, I can infer which organization a user belongs to based on their roles/groups. Now, I can’t see how is Grafana going to be doing this by somehow putting it behind an SSO layer.

Like, Grafana will see, for instance, username “john_doe” with role “member_of_org_x”, but how will it know that, because of this, it must be inferred that “john_doe” belongs to Grafana organization “X”, and therefore “john_doe” must only have access to the data source linked to organization “X”?

(@emmanueldevaux just mentioning you since it took me so long to reply, in case you missed my message :upside_down_face:)