Grafana 7 using OIDC

I follow Grafana docs and I not sure how to configure the Grafana with OpenID connect.

We already configured several applications with OpenID connect which works OK.

What I need is to configure the OpenID connect to Grafana.

What we have:

  1. ClientID
  2. Client Secret
  3. expose Grafana publicly

In addition, we exposed our Grafana publicly and should configure “/redirect” to it.

Our issuer configs is like following:

“issuer” : “

AND also “authorization_endpoint” and “token_endpoint”


“scope_supported”: [“openid”]

from the doc This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/generic_oauth"
So we provided this also, my question is what should I do further, what is mandatory ?

Should I create some application or this is just configuration task?

We are using Grafana 7.1 .

I’ve configured it like following:

  enabled: true
  namespaceOverride: ""
      enabled: true
      client_id: foo_clientid
      client_secret: foo_secert
      scopes: "openid"
#     api_url: https://${domain}/userinfo. //Not sure what this
      allow_sign_up: true

In the ‘root_url’ field I’ve put the the link to our grafana which redirects to to /login

Not sure what is the API_URL, what should I provide there? what am i missing here…
When deploying the app I see new button with sigh in with oAuth when I click I got error: “OpenID provider cannot process the request because the configuration is incorrect. Please contact your system administrator.” any idea ?


The JSON used for the path lookup is the HTTP response obtained from querying the UserInfo endpoint specified via the api_url configuration option.

=> API_URL is your IDP userinfo endpoint.

I hope you know that https protocol is mandatory for OIDC.

@jangaraj - thanks!

  1. t should be something like this :

  2. in case I want to define a redirect url how should I do it, which property ?

No. is discovery URL, which should contains also userinfo endpoint (if it is is real OIDC server and not just OAuth server).

For example see Google: -> userinfo_endpoint: