Generic Oauth internal error

  • What Grafana version and what operating system are you using?
    Debian 12, Grafana 11.6.1
  • What are you trying to achieve?
    SSO with Generic Oauth
  • How are you trying to achieve it?
    Settings are configured in the UI for Generic Oauth.
    I can reach the authorization flow, but when logging in and getting redirected to Grafana I get an internal error. Checking the logs, it looks like something in Grafana is not able to parse the token.
  • What happened?
    Errors parsing token perhaps…I see in the logs that the 6 digits for sub (which I want to use as login, and not email) are logged as a number instead of a string. When I check externally from a different service, sub is a string, as it should be. Perhaps this helps…
  • What did you expect to happen?
    Login successfully
  • Can you copy/paste the configuration(s) that you are having problems with?
    Done in the UI
  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
logger=oauth.generic_oauth t=2025-04-29T19:59:03.531791766Z level=debug msg="Getting user info"
logger=oauth.generic_oauth t=2025-04-29T19:59:03.53182113Z level=debug msg="Extracting user info from OAuth token"
logger=oauth.generic_oauth t=2025-04-29T19:59:03.531902673Z level=error msg="Error decoding id_token JSON" raw_json="{\"aud\":\"redacted\",\"sub\":000000,\"type\":\"id_token\",\"nonce\":\"YaLUy7AlHlzKov47O+/bok6ST/FwJUXfi+qy+r5byhA=\",\"email\":\"redacted@gmail.com\",\"given_name\":\"John\",\"family_name\":\"Doe\",\"nickname\":\"John\",\"ivao.aero/permissions\":\"ALTITUDE_ALPHA ALTITUDE_ALPHA:HQ AURORA_ALPHA AURORA_ALPHA:HQ\",\"ivao.aero/staff_positions\":\"\",\"ivao.aero/division\":\"ES\",\"profile\":\"https://www.ivao.aero/Member.aspx?Id=000000\",\"iss\":\"https://api.ivao.aero\",\"iat\":1745956743,\"exp\":1745958543,\"jti\":\"F13/SAjHyKVyHxWloE3sGymqaWdsoKBd/Ejae9uAQts=\"}" error="json: cannot unmarshal number into Go struct field UserInfoJson.sub of type string"
logger=oauth.generic_oauth t=2025-04-29T19:59:03.531917808Z level=debug msg="Getting user info from API"
logger=oauth.generic_oauth t=2025-04-29T19:59:03.590600078Z level=debug msg="HTTP GET" url=https://api.ivao.aero/v2/users/me status="200 OK" response_body="{\"id\":000000,\"centerId\":\"LECB\",\"countryId\":\"ES\",\"createdAt\":\"2008-01-08T17:59:43.000Z\",\"divisionId\":\"ES\",\"isStaff\":false,\"languageId\":\"es\",\"email\":\"redacted@gmail.com\",\"firstName\":\"John\",\"lastName\":\"Doe\",\"rating\":{\"isPilot\":true,\"isAtc\":true,\"pilotRating\":{\"id\":5,\"name\":\"Private Pilot\",\"shortName\":\"PP\",\"description\":\"Rating requires at least 50 hours online as a pilot<br>and a successful theoretical and practical test\"},\"atcRating\":{\"id\":4,\"name\":\"Advanced ATC Trainee\",\"shortName\":\"AS3\",\"description\":\"Rating requires at least 25 hours online as a controller<br>and a successful theoretical Aurora test\"},\"networkRating\":{\"id\":2,\"name\":\"Active User\",\"description\":\"Active user, has VID/PWD on IVAN\"}},\"gcas\":[],\"hours\":[{\"type\":\"pilot\",\"hours\":345764},{\"type\":\"atc\",\"hours\":233329},{\"type\":\"staff\",\"hours\":0}],\"userStaffPositions\":[],\"userStaffDetails\":null,\"prCreator\":null,\"ownedVirtualAirlines\":[],\"sub\":000000,\"given_name\":\"John\",\"family_name\":\"Doe\",\"nickname\":\"John\",\"profile\":\"https://www.ivao.aero/Member.aspx?Id=000000\",\"publicNickname\":\"John (000000)\"}"
logger=oauth.generic_oauth t=2025-04-29T19:59:03.590670476Z level=error msg="Error decoding user info response" raw_json="{\"id\":000000,\"centerId\":\"LECB\",\"countryId\":\"ES\",\"createdAt\":\"2008-01-08T17:59:43.000Z\",\"divisionId\":\"ES\",\"isStaff\":false,\"languageId\":\"es\",\"email\":\"redacted@gmail.com\",\"firstName\":\"John\",\"lastName\":\"Doe\",\"rating\":{\"isPilot\":true,\"isAtc\":true,\"pilotRating\":{\"id\":5,\"name\":\"Private Pilot\",\"shortName\":\"PP\",\"description\":\"Rating requires at least 50 hours online as a pilot<br>and a successful theoretical and practical test\"},\"atcRating\":{\"id\":4,\"name\":\"Advanced ATC Trainee\",\"shortName\":\"AS3\",\"description\":\"Rating requires at least 25 hours online as a controller<br>and a successful theoretical Aurora test\"},\"networkRating\":{\"id\":2,\"name\":\"Active User\",\"description\":\"Active user, has VID/PWD on IVAN\"}},\"gcas\":[],\"hours\":[{\"type\":\"pilot\",\"hours\":345764},{\"type\":\"atc\",\"hours\":233329},{\"type\":\"staff\",\"hours\":0}],\"userStaffPositions\":[],\"userStaffDetails\":null,\"prCreator\":null,\"ownedVirtualAirlines\":[],\"sub\":000000,\"given_name\":\"John\",\"family_name\":\"Doe\",\"nickname\":\"John\",\"profile\":\"https://www.ivao.aero/Member.aspx?Id=000000\",\"publicNickname\":\"John (000000)\"}" error="json: cannot unmarshal number into Go struct field UserInfoJson.sub of type string"
logger=oauth.generic_oauth t=2025-04-29T19:59:03.628121025Z level=error msg="Error getting email address" url=https://api.ivao.aero/v2/users/me/emails error="unsuccessful response status code 404: {\n  \"message\":\"no Route matched with those values\",\n  \"request_id\":\"7f780977c291a47c38811b795cea2776\"\n}"
logger=authn.service t=2025-04-29T19:59:03.628168329Z level=error msg="Failed to authenticate request" client=auth.client.generic_oauth error="[auth.oauth.userinfo.error] failed to get user info: Error getting email address: unsuccessful response status code 404: {\n  \"message\":\"no Route matched with those values\",\n  \"request_id\":\"7f780977c291a47c38811b795cea2776\"\n}"
logger=context userId=0 orgId=0 uname= t=2025-04-29T19:59:03.629534984Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=85.144.18.173 time_ms=408 duration=408.359001ms size=29 referer= handler=/login/:name status_source=server

So why does Grafana receive sub as a number and not as a string?

See RFC 7519: JSON Web Token (JWT)

sub must be a string, not a number - the IDP used doesn’t follow the OIDC specification.

Not really, that is the thing I mentioned.

When using an external OAuth debugger I get sub as a string… I believe the IdP behaves correctly.

But somehow it is later transformed into a number.

from the external debugger looks like a string

Ok, so then you have something between Grafana and IDP, which makes that transformation. IDK

You proved sub is a string in the access token. But Grafana uses the id token and user info, not the access token.

As extra info, I get the same behavior in Grafana Cloud (Internal error).

Since I could not see the logs, I ran a local instance, and the symptoms are the same.

How can I rule out that the issue is within Grafana?

Thanks

Show id token and user info response from your “debugger”. Not access token.

Debug OIDC, not OAuth (OIDC is on top of OAuth).


You are totally correct!

Many many thanks @jangaraj, OIDC token was returned with “sub” as integer 🙂

Cheers!

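The check that resolved this thread, as an added Go example (not code from the thread or from Grafana): decode the claims segment of the id_token, or a userinfo body, and report whether sub is a JSON string, then reproduce the decode failure from the log with a string-typed field. The function names and the sample token are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// payload decodes the claims segment of a compact JWT (signature not verified).
func payload(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
}

// subKind reports how "sub" is encoded in an id_token or userinfo document.
func subKind(doc []byte) string {
	var claims map[string]json.RawMessage
	if json.Unmarshal(doc, &claims) != nil || len(claims["sub"]) == 0 {
		return "missing or invalid"
	}
	if claims["sub"][0] == '"' {
		return "string"
	}
	return "non-string"
}

// strictFailure decodes into a string-typed sub, as the struct named in the
// log does, and returns the JSON kind that was rejected ("" when it decodes).
func strictFailure(doc []byte) string {
	var strict struct{ Sub string `json:"sub"` }
	if typeErr, ok := json.Unmarshal(doc, &strict).(*json.UnmarshalTypeError); ok {
		return typeErr.Value
	}
	return ""
}

// sampleToken wraps constructed claims in an unsigned token ("e30" is "{}").
func sampleToken(claims string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(claims)) + ".sig"
}

func main() {
	doc, _ := payload(sampleToken(`{"sub":123456}`)) // constructed claims
	fmt.Println(string(doc), subKind(doc), strictFailure(doc))
}
```

Run it against the id_token and the userinfo response body, not the access token, since those are the two documents the log shows Grafana decoding.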