Grafana 7 using OIDC

I follow Grafana docs and I not sure how to configure the Grafana with OpenID connect.

We already configured several applications with OpenID connect which works OK.

What I need is to configure the OpenID connect to Grafana.

What we have:

  1. ClientID
  2. Client Secret
  3. expose Grafana publicly

In addition, we exposed our Grafana publicly and should configure “/redirect” to it.

Our issuer configs is like following:

“issuer” : “https://accounts.fds.com

AND also “authorization_endpoint” and “token_endpoint”

“response_types_supported”:[“code”,“id_token”,“token”]

“scope_supported”: [“openid”]

from the doc This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/generic_oauth"
So we provided this also, my question is what should I do further, what is mandatory ?

Should I create some application or this is just configuration task?

We are using Grafana 7.1 .

I’ve configured it like following:

grafana:
  enabled: true
  namespaceOverride: ""
  grafana.ini:
    server:
      root_url: http://a725be449-30559695.eu-central-1.elb.amazonaws.com/
    auth.generic_oauth:
      enabled: true
      client_id: foo_clientid
      client_secret: foo_secert
      scopes: "openid"
      auth_url: https://accounts.fds.com/oauth2/authorize
      token_url: https://accounts.fds.com/oauth2/token
#     api_url: https://${domain}/userinfo. //Not sure what this
      allow_sign_up: true

In the ‘root_url’ field I’ve put the the link to our grafana which redirects to to /login

Not sure what is the API_URL, what should I provide there? what am i missing here…
When deploying the app I see new button with sigh in with oAuth when I click I got error: “OpenID provider cannot process the request because the configuration is incorrect. Please contact your system administrator.” any idea ?

Doc: https://grafana.com/docs/grafana/latest/auth/generic-oauth/

The JSON used for the path lookup is the HTTP response obtained from querying the UserInfo endpoint specified via the api_url configuration option.

=> API_URL is your IDP userinfo endpoint.

I hope you know that https protocol is mandatory for OIDC.

@jangaraj - thanks!

  1. t should be something like this : https://accounts.fds.com/.well-known/openid-configuration?

  2. in case I want to define a redirect url how should I do it, which property ?

No. https://accounts.fds.com/.well-known/openid-configuration is discovery URL, which should contains also userinfo endpoint (if it is is real OIDC server and not just OAuth server).

For example see Google: https://accounts.google.com/.well-known/openid-configuration -> userinfo_endpoint: https://openidconnect.googleapis.com/v1/userinfo