-
What Grafana version and what operating system are you using?
- Grafana version: 12.0.2
- Operating System: Alpine Linux v3.21 (3.21.3)
-
What are you trying to achieve?
Trying to authenticate with SSO -
How are you trying to achieve it?
- provided Oauth Client secret through standard Kubernetes Secret-to-environment variable mappings.
-
What happened?
- It’s adding new line characters in to the client secret. Therefore authentication fails.
-
What did you expect to happen?
- Not add new line characters. Grafana should successfully read and parse the OAuth client secret from the environment variable and complete authentication.
-
Can you copy/paste the configuration(s) that you are having problems with?
-
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
-
logger=authn.service t=2026-01-16T17:31:33.954671787Z level=error msg="Failed to authenticate request" client=auth.client.generic_oauth error="[auth.oauth.token.exchange] failed to exchange code to token: oauth2: \"invalid_client\" \"The client secret supplied for a confidential client is invalid.\" -
Did you follow any online instructions? If so, what is the URL?
N/AFull details:
Grafana appears to fail to properly parse OAuth client secrets when they are provided through standard Kubernetes Secret-to-environment variable mappings.Steps to Reproduce:
-
Create a Kubernetes Secret containing OAuth client credentials
-
Mount the secret as environment variables using standard K8s
envFromorenvwithsecretKeyRef -
Configure Grafana to use these environment variables for OAuth authentication
-
Attempt to authenticate via OAuth
**Expected Behavior:**
-
-
Grafana should successfully read and parse the OAuth client secret from the environment variable and complete authentication.
-
We even tried entering the secret manually in the Grafana UI. That did not work either.
-
We had to hardcode the SSO client secret in Grafana ENVs and commit our code to repository
