Maybe a simple question, but I’m lost.
I’ve got a domain (Domain.X) that Grafana is installed on (DigitalOcean Droplet). I’m trying to allow our main domain users to sign up and log in using their G Suite account, which is on another domain (Domain.Y). I’ve got everything just about working: the button shows up, and you can click on it and choose your account, but when it tries to redirect back to Domain.X it times out and gives ‘ERR_CONNECTION_TIMED_OUT’.
I’ve got the following ufw rules:
```
To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
3000/tcp (v6)              ALLOW       Anywhere (v6)
```
The Grafana Server is active (running) without any errors.
This is how I’ve got my grafana.ini:
```ini
[server]
# Protocol (http, https, socket)
;protocol = https
# The ip address to bind to, empty will bind to all interfaces
;http_addr =
# The http port to use
;http_port = 3000
# The public facing domain name used to access grafana from a browser
;domain = localhost
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://www.Domain.X:3000
# Log web requests
;router_logging = false
# the path relative working path
;static_root_path = public

[auth.google]
enabled = true
allow_sign_up = true
client_id = CLIENT_ID
client_secret = CLIENT_SECRET
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains = Domain.X www.Domain.X
```
I’ve also got the OAuth setup as follows:
Authorized JavaScript origins:
https://www.Domain.X
https://Domain.X
https://www.Domain.X:3000
https://Domain.X:3000
Authorized redirect URIs:
https://www.Domain.X/login/google
https://Domain.X/login/google
https://www.Domain.X:3000/login/google
https://Domain.X:3000/login/google
The OAuth consent screen is set up as follows:
Application type: Internal
Authorized Domains: Domain.X, Domain.Y
Application Homepage link: https://www.Domain.X/login
I’ve even added both the G Suite domain and the Grafana domain to the Domain verification within OAuth. I can log into it with the admin account. I just can’t log into it with any G Suite account. Is there something I’m missing?
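A consistency check over the settings quoted in the post, added here as an example; it is not part of the original post and not Grafana's own code. It assumes Grafana builds the Google callback as `root_url` + `/login/google` and falls back to `http` on port `3000` when `protocol` and `http_port` are commented out; `check_google_oauth`, `SAMPLE_INI` and `REGISTERED` are constructed names and data.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample mirroring the settings quoted in the post (placeholders kept).
SAMPLE_INI = """
[server]
;protocol = https
;http_port = 3000
root_url = https://www.Domain.X:3000
[auth.google]
enabled = true
;allowed_domains = Domain.X www.Domain.X
"""

# Redirect URIs as registered in the Google console, per the post.
REGISTERED = [
    "https://www.Domain.X/login/google",
    "https://Domain.X/login/google",
    "https://www.Domain.X:3000/login/google",
    "https://Domain.X:3000/login/google",
]

def check_google_oauth(ini_text, registered, user_domain):
    """Return a list of findings; an empty list means the settings agree."""
    cfg = configparser.ConfigParser(interpolation=None)  # ';' and '#' lines are comments
    cfg.read_string(ini_text)
    server, google = cfg["server"], cfg["auth.google"]
    findings = []

    root = urlsplit(server.get("root_url", fallback="").rstrip("/"))
    # Assumed Grafana defaults when the keys are commented out: http on port 3000.
    protocol = server.get("protocol", fallback="http")
    port = server.getint("http_port", fallback=3000)
    callback = root.geturl() + "/login/google"

    if callback not in registered:
        findings.append(f"callback {callback} is not a registered redirect URI")
    if root.port == port and root.scheme != protocol:
        findings.append(f"root_url uses {root.scheme} on port {port}, "
                        f"but Grafana serves {protocol} there")
    allowed = google.get("allowed_domains", fallback="").split()
    if allowed and user_domain.lower() not in (d.lower() for d in allowed):
        findings.append(f"allowed_domains excludes {user_domain}")
    return findings

if __name__ == "__main__":
    for finding in check_google_oauth(SAMPLE_INI, REGISTERED, "Domain.Y"):
        print("MISMATCH:", finding)
```

On the quoted settings this reports one finding, the scheme difference between `root_url` and the commented-out `protocol`; it does not test network reachability of the port.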