Google OAuth clarification

I need some clarification: by enabling OAuth on Google, I can have users log in with their Google account, right? In terms of permissions, can I set up a list of Google accounts with relative permissions and all the others see nothing?

Hey @marsellimanuel,

Please first configure your Grafana with Configure Google OAuth2 authentication | Grafana documentation

For access to specific information/permissions for users on your Grafana, you’ll need to read specifically the part about “Configure team sync for Google OAuth” in the same doc above, and then set up the permissions of your dashboards/folders using the defined teams.

Maybe there is something wrong. I have Grafana installed via docker-compose with a persistent volume; I browsed the volume but I don’t see any configuration ini.
This is the config.

Can I enable ssoSettingsApi in my compose?

Why don’t you just use some GF_ environment settings or map a volume with grafana.ini?

I might add, the installation is almost empty.
Is it okay if I put it like this under volumes?

    - grafana-storage:/etc/grafana/grafana.ini

I don’t think so… How will you edit the file this way? If you’re trying it this way, I think it would be better to just use the environment “GF_”, ok? More info here:

GF_FEATURE_TOGGLES_ENABLE=ssoSettingsApi

Is this the way?

Yes. That’s the idea.

I have enabled Google authentication. Now I don’t quite understand how I can allow only some accounts to view certain dashboards while all the other accounts have no permission.

Yes, enabling OAuth on Google allows users to sign in using their Google account. As for permissions, you can set up a list of Google accounts with appropriate access rights, and other users will not see anything. This is achieved by managing the list of authorized users and their level of access to your application or service.

I did the configuration of OAuth, but what I don’t understand is where I manage the Google accounts that can have access. Under admin -> user I can create local users in Grafana. I have Grafana with docker-compose.

I implemented the authentication with the various parameters. I added - GF_SERVER_ROOT_URL=dashboard.mydomain.com on Docker; on the Grafana side, as allowed domains (via UI), I entered mydomain.com and google.com, but when I try to log in I get this error

and from the log I see this

level=error msg="Failed to authenticate request" client=auth.client.google error="[auth.oauth.userinfo.error] failed to get user info: [the hd claim found in the ID token is not present in the allowed domains]

Are you sure you’re doing all the right GF_ settings as shown at Configure Google OAuth2 authentication | Grafana documentation?

There’s this “allowed_domains” setting… Seems like you’re not configuring it the right way.

If you’re still using the preview feature “ssoSettingsApi” try to stop using it and redo the configs using full config.ini with GF_ syntax. (also in the link above)

The same error.
This is my docker compose:

    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=admin
      - GF_INSTALL_PLUGINS=
#      - GF_FEATURE_TOGGLES_ENABLE=ssoSettingsApi
      - GF_SERVER_DOMAIN=dashboard.mydomain.com
      - GF_SERVER_ROOT_URL=https://dashboard.mydomain.com
      - GF_AUTH_GOOGLE_ENABLED=true
      - GF_AUTH_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}
      - GF_AUTH_GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
      - GF_AUTH_GOOGLE_SCOPES=openid email profile
      - GF_AUTH_GOOGLE_AUTH_URL=https://accounts.google.com/o/oauth2/auth
      - GF_AUTH_GOOGLE_TOKEN_URL=https://accounts.google.com/o/oauth2/token
      - GF_AUTH_GOOGLE_API_URL=https://www.googleapis.com/oauth2/v1/userinfo
      - GF_AUTH_GOOGLE_REDIRECT_URI=https://dashboard.mydomain.com/login/google
      - GF_AUTH_GOOGLE_ALLOWED_DOMAINS=mydomain.com,google.com
      - GF_AUTH_GOOGLE_ALLOW_SIGN_UP=true

This is the Google console:
JavaScript origin: https://dashboard.mydomain.com
Redirect URI: https://dashboard.mydomain.com/login/google

The Grafana server is behind NGPM (Nginx Proxy Manager on Docker) without any config, but I need to add on the Grafana docker - GF_SERVER_ROOT_URL=https://dashboard.mydomain.com
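
The log line in this thread reports that the `hd` (hosted domain) claim in Google's ID token did not match `allowed_domains`. As an added example (not part of the thread and not Grafana's own code), the following Python decodes a token payload and applies that comparison, to show which accounts pass. The function names, the case-insensitive exact-match rule, the comma/space splitting and the sample claims are assumptions made for illustration.

```python
import base64
import json


def jwt_claims(id_token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    # JWTs strip base64url padding; restore it before decoding.
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_allowed_domains(value: str) -> set:
    """Split a GF_AUTH_GOOGLE_ALLOWED_DOMAINS-style value on commas and spaces."""
    return {d.lower() for d in value.replace(",", " ").split()}


def check_hd(id_token: str, allowed_domains: str) -> tuple:
    """Return (allowed, reason) for the token's hd claim against the allow-list."""
    allowed = parse_allowed_domains(allowed_domains)
    claims = jwt_claims(id_token)
    hd = claims.get("hd")
    if not allowed:
        return True, "no allowed_domains configured, hd is not checked"
    if hd is None:
        # Google only sets hd for Workspace / Cloud organization accounts.
        return False, "token has no hd claim (not a Google Workspace account)"
    if hd.lower() not in allowed:
        return False, f"hd={hd!r} is not in {sorted(allowed)}"
    return True, f"hd={hd!r} is allowed"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    allow = "mydomain.com,google.com"  # value from the compose file above
    samples = [  # constructed sample claims, not real tokens
        {"email": "alice@mydomain.com", "hd": "mydomain.com"},
        {"email": "bob@gmail.com"},
        {"email": "carol@other.example", "hd": "other.example"},
    ]
    for claims in samples:
        print(claims["email"], check_hd(make_unsigned_token(claims), allow))
```

To inspect a real login, pass the ID token captured from the token response to `jwt_claims` and compare its `hd` value with the configured list; treat the token as a credential and do not paste it into third-party decoders.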