Generic OAuth (AWS Cognito) - Login failed

Hello,

After recently upgrading Grafana to version 6.6.2, we are not able to log in to our Cognito pool anymore.
It was working perfectly fine with version 6.1.3.


Could it be related to JMESPath addition on email_attribute_path in 6.4 or role_attribute_path / role mapping in 6.5 ?

I did not change the way I am connecting to the Cognito IdP, nor the way I pass env variables to the Grafana docker container at execution time…

I don’t know where to look to get more details about the error…

Here is the grafana server log:

Logs
2020-03-06T15:48:09.082+01:00
t=2020-03-06T14:48:09+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=<my_ip> time_ms=0 size=373 referer=https://my_grafana_url/login

2020-03-06T15:48:09.338+01:00
t=2020-03-06T14:48:09+0000 lvl=info msg="state check" logger=oauth queryState=431e3738941d87e69275c08e80f2ef8f407736ed2a6c19457ceebb9c630d51e cookieState=431e3738941d87e69275c08e80f2ef8f407736ed2a6c19457ceebb9c630d51e

2020-03-06T15:48:09.615+01:00
t=2020-03-06T14:48:09+0000 lvl=eror msg="Required email domain not fulfilled" logger=context userId=0 orgId=0 uname=

2020-03-06T15:48:09.626+01:00
t=2020-03-06T14:48:09+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=<my_ip> time_ms=288 size=29 referer=https://my_grafana_url/login

The user email reported by Cognito is not allowed by the allowed_domains config option.

Hello,

Thanks, I was thinking something like this.
However, we did not change the Cognito pool, nor the users. Only the Grafana version, from 6.1.3 to 6.6.2.

I have added “amazoncognito.com” and “amazonses.com” to the env var GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS when launching the Grafana docker container.

But no luck…

The email address of my created Cognito user is: success@simulator.amazonses.com
After changing “amazonses.com” to “simulator.amazonses.com”, it is now working :wink:

:+1:

Thanks for the hint, I did not test enough ^^

Alternatively, one can simply pass an empty string to GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS (“”) to skip the domain check entirely.
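The two behaviours the thread settles on (a listed domain must equal the address's domain exactly, so a parent domain does not admit its subdomains, and an empty list disables the check) are easy to lose sight of when the setting is spread over several env vars. The Go program below is an added example written for this page; it is not Grafana's own code and only models the semantics described above. It assumes a hypothetical helper `AllowedDomainsFromEnv` that accepts either space- or comma-separated values, and uses the poster's own address `success@simulator.amazonses.com` as test input.

```go
package main

import (
	"fmt"
	"strings"
)

// AllowedDomainsFromEnv parses the value of GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS
// into a normalised, lower-cased list. Accepting both ',' and ' ' as
// separators is an assumption of this example, not something the thread states.
// An empty value yields an empty list, which IsEmailAllowed treats as "no check".
func AllowedDomainsFromEnv(value string) []string {
	fields := strings.FieldsFunc(value, func(r rune) bool { return r == ',' || r == ' ' })
	domains := make([]string, 0, len(fields))
	for _, f := range fields {
		if f = strings.TrimSpace(f); f != "" {
			domains = append(domains, strings.ToLower(f))
		}
	}
	return domains
}

// IsEmailAllowed reports whether the domain part of email (everything after the
// last '@') exactly equals one of allowedDomains, compared case-insensitively.
// "amazonses.com" therefore does NOT admit "x@simulator.amazonses.com", which is
// what tripped the original poster. An empty list admits every address, which is
// why passing "" to the env var makes the login succeed.
func IsEmailAllowed(email string, allowedDomains []string) bool {
	if len(allowedDomains) == 0 {
		return true
	}
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false // not a usable address: no local part / domain split
	}
	domain := strings.ToLower(email[at+1:])
	for _, d := range allowedDomains {
		if domain == d {
			return true
		}
	}
	return false
}

func main() {
	email := "success@simulator.amazonses.com" // the address from the thread
	configs := []string{
		"amazoncognito.com amazonses.com",           // the original, failing setting
		"amazoncognito.com simulator.amazonses.com", // the fix from the thread
		"",                                          // disables the check entirely
	}
	for _, c := range configs {
		fmt.Printf("allowed_domains=%q -> allowed=%v\n",
			c, IsEmailAllowed(email, AllowedDomainsFromEnv(c)))
	}
}
```

Note the trade-off in the last configuration: with the list empty, every account the Cognito pool can authenticate is accepted into Grafana, so that option is only appropriate when membership of the pool itself is already restricted to the people who should have access.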