Grafana SSO [auth.generic_oauth] Login Failed Login provider didn't return an email address

Hello,

I want to set up SSO in Grafana with auth.generic_oauth. I put all the information in grafana.ini 🙂

```ini
[auth.generic_oauth]
enabled = true
name = xxxxxxxx
allow_sign_up = true
client_id = xxxxxxxxxx
client_secret = xxxxxxxxxxxxx
; key looked up in the provider's "attributes" map when no plain email field is returned
email_attribute_name = email:primary
scopes = mail
send_client_credentials_via_post = false
; keep false: the provider's TLS certificate is verified
tls_skip_verify_insecure = false
auth_url = https://xxxx/openam/oauth2/authorize?realm=AccessManagement&service=simple
token_url = https://xxxx/openam/oauth2/access_token?realm=AccessManagement&service=simple
api_url = https://xxxx/openam/oauth2/tokeninfo?realm=AccessManagement&service=simple
```

I get this message in /var/log/grafana.log:

> t=2019-09-13T11:33:43+0200 lvl=info msg="state check" logger=oauth queryState=d538205dcb597bec9d88dfb50fb9eb13fe1641146b0555e92f7f11780741cf03 cookieState=d538205dcb597bec9d88dfb50fb9eb13fe1641146b0555e92f7f11780741cf03
> t=2019-09-13T11:33:43+0200 lvl=eror msg="Login provider didn't return an email address" logger=context userId=0 orgId=5 uname=
> t=2019-09-13T11:33:43+0200 lvl=info msg="Request Completed" logger=context userId=0 orgId=5 uname= method=GET path=/login/generic_oauth status=302 remote_addr=10.139.55.177 time_ms=319 size=29 referer=

Do you have any idea? Thanks.

Which Grafana version? It seems the attribute email:primary is not returned in the payload, so you may have to change that to an attribute that is returned. You can enable debug logging to get more information:

```ini
[log]
filters = oauth.generic_oauth:debug
```

I use Grafana version 6.3.5. I set filters = oauth.generic_oauth:debug

t=2019-09-17T11:47:12+0200 lvl=info msg="state check" logger=oauth queryState=8fd408ab635108b68122f30f6d6f189b17a66849429567bd5b0c7f11fba18696 cookieState=8fd408ab635108b68122f30f6d6f189b17a66849429567bd5b0c7f11fba18696
t=2019-09-17T11:47:13+0200 lvl=dbug msg="No id_token found" logger=oauth.generic_oauth token="&{AccessToken:eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiNGlDS0ZCMFJYSXh5dG9yMXIzVG9CZFJpZXZzPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJHNTk5OTk4OCIsImN

I get this message; do you have any idea? @mefraimsson

You seem to use an OAuth provider I haven't heard of. But you'll need to configure it so that the token_url returns a token that includes an id_token property. Maybe you'll need to provide some additional scope?

I use [auth.generic_oauth]. I tested

scopes = mail

but it does not work.

@mefraimsson

You have to read up on the details of your oauth provider. Do you have any link to documentation that you’re following now?

A quick Google search found this: https://stackoverflow.com/questions/48040724/grafana-integration-with-identity-provider-using-openid-connect-and-generic-oaut

Seems to use scopes = openid email profile but I have no idea, I’m just guessing here.

scopes = mail works well; I get a webpage with my name and surname like this:

[image]

@mefraimsson

Please try to configure Grafana to use scopes = openid mail profile then and see what happens.

You should be able to find the documentation of your oauth provider to understand what scopes to configure in Grafana.

When I use scopes = openid mail profile, I get this message:

t=2019-09-18T09:17:17+0200 lvl=eror msg="Login provider denied login request" logger=context userId=0 orgId=5 uname= error=invalid_scope errorDesc="Unknown/invalid scope(s): [openid, profile]"

And when I use scopes = mail, I get this message 🙂

t=2019-09-18T09:19:43+0200 lvl=dbug msg="No id_token found" logger=oauth.generic_oauth token="&{AccessToken:eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiNGlDS0ZCMFJYSXh5dG9yMXIzVG9CZFJpZXZzPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJHNTk5OTk4OCIsImN0cyI6Ik9BVVRIMl9TVEFURUxFU1NfR1JBTlQiLCJhdXRoX2xldmVsIjoxLCJhdWRpdFRyYWNraW5nSWQiOiJmODg0NDBkNC1lNzc4LTQwMTItOGMyNC1kY2I1YjFkN2U2YmItMjk4NDUwMTEiLCJpc3MiOiJodHRwczovL3VhdC5jbG91ZGdhdGV3YXkuc2FpbnQtZ29iYWluLmNvbTo0NDMvb3BlbmFtL29hdXRo

When I use scopes = mail, it recognizes me and I get a popup with an image.

@mefraimsson

id_token is issued only for certain scopes and you need id_token for authentication. Your Identity Provider (IDP) documentation should clarify that. Usually, openid scope is used for Open ID Connect (OIDC). It looks like you are using only OAuth (authorization), but you need OIDC (authentication).

If your IDP is OIDC compliant, then check the discovery URL, where you can see the supported scopes. See Google's discovery document as an example, https://accounts.google.com/.well-known/openid-configuration:

```
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
```

I use 3 links in grafana.ini:

auth_url = https://xxxxx/oauth2/authorize
token_url = https://xxxxx/oauth2/access_token
api_url = https://xxxxx/oauth2/tokeninfo

@jangaraj
@mefraimsson

Please read the documentation of the IDP you use (https://xxxxx). You didn't disclose which product/app/service it is, so nobody will be able to help you.

I tried to use LDAP, and I get this message: lvl=eror msg="user does not belong in any of the specified LDAP groups"

Don't include tokens in logs; you're leaking information about your auth server (and potentially more, depending on how far through setup you've made it).

E.g. this token came from https://uat.cloudgateway.saint-gobain.com:443/openam/oauth
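The three things this thread circles around are checkable offline before touching grafana.ini: whether the provider advertises the scopes being requested (the invalid_scope reply above), which claims the returned token actually carries and where Grafana would look for an e-mail address (the "didn't return an email address" error), and how much of a token is safe to paste into a log or a forum post (the last reply). The script below is an added example written for this page; it is not code from the thread, from Grafana, or from the provider in question. The discovery document, the access token and the tokeninfo-style response are constructed samples with the same shape as the ones posted here, the issuer and key id are made up, and the e-mail lookup order is my reading of the Grafana 6.x generic_oauth documentation, not a copy of Grafana's code.

```python
"""Inspect what an OAuth provider returns before wiring it into Grafana's
[auth.generic_oauth]. Added example, not Grafana code. Three checks:
  1. does the provider advertise the requested scopes?   (invalid_scope)
  2. is the token a JWT, and which claims does it carry? (no id_token/email)
  3. which part of a token is safe to put in a log or a forum post?
Every input below is a constructed sample, not data from any real IdP.
"""
import base64
import hashlib
import json

# Constructed discovery document (shape of /.well-known/openid-configuration).
# Like the provider in the thread it knows "mail" but not "openid"/"profile".
DISCOVERY = {
    "issuer": "https://idp.example.test/openam/oauth2",
    "scopes_supported": ["mail", "uid", "cn"],
}


def missing_scopes(requested, discovery=DISCOVERY):
    """Return the requested scopes the provider does not advertise.

    A non-empty list predicts the 'invalid_scope' error before any browser
    round trip. A missing 'scopes_supported' key means there is no discovery
    data, and nothing can be concluded from this check.
    """
    supported = set(discovery.get("scopes_supported", []))
    return [s for s in requested.split() if s not in supported]


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.

    Inspection only: it shows which claims the provider put in the token.
    Never use it to decide who is logged in; anyone can mint a token that
    decodes to whatever claims they like.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def resolve_email(id_token_claims, userinfo, attribute_name="email:primary"):
    """Walk the e-mail lookup order the Grafana 6.x generic_oauth docs describe.

    Order (my reading of the docs, not Grafana's code): the id_token's 'email'
    claim, then its 'attributes' map keyed by email_attribute_name, then the
    same two fields in the api_url response, then that response's 'upn'.
    Returns (email, where_found) or (None, None).
    """
    sources = []
    if id_token_claims is not None:
        sources.append(("id_token", id_token_claims))
    if userinfo is not None:
        sources.append(("api_url", userinfo))
    for name, data in sources:
        if data.get("email"):
            return data["email"], name + ".email"
        values = (data.get("attributes") or {}).get(attribute_name) or []
        if values:
            return values[0], "%s.attributes[%r]" % (name, attribute_name)
        if name == "api_url" and data.get("upn"):
            return data["upn"], "api_url.upn"
    return None, None


def redact_for_log(token):
    """Log-safe view of a token: alg, kid, issuer and a short fingerprint.
    Neither the token itself nor the subject leaves this function."""
    header, payload = decode_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "iss": payload.get("iss"),
        "sha256_prefix": hashlib.sha256(token.encode("ascii")).hexdigest()[:12],
    }


# Constructed access token with the same *shape* as the one in the thread:
# an RS256 JWT carrying sub/iss but no e-mail, plus a dummy signature.
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "example-kid"}),
    _b64url_encode({"sub": "u12345", "iss": DISCOVERY["issuer"], "scope": ["mail"]}),
    "bm90LWEtcmVhbC1zaWduYXR1cmU",  # base64url("not-a-real-signature")
])

# Constructed api_url (tokeninfo-style) response: the address sits under a
# provider-specific key, so email_attribute_name has to name that key.
SAMPLE_USERINFO = {"sub": "u12345", "attributes": {"mail": ["jane.doe@example.test"]}}

if __name__ == "__main__":
    print("missing scopes:", missing_scopes("openid mail profile"))
    print("token claims:", sorted(decode_jwt_unverified(SAMPLE_ACCESS_TOKEN)[1]))
    print("default key:", resolve_email(None, SAMPLE_USERINFO))
    print("mail key:", resolve_email(None, SAMPLE_USERINFO, "mail"))
    print("log line:", redact_for_log(SAMPLE_ACCESS_TOKEN))
```

Run against a real provider, replace the constructed samples with the output of the discovery URL, the JSON the token_url returns, and the JSON the api_url returns, then feed those to the same functions. If resolve_email() comes back empty with the default key but finds the address under another key, that key is what email_attribute_name should be set to; if the token is opaque rather than a JWT, decode_jwt_unverified() will raise and the api_url response is the only place the address can come from. redact_for_log() is the shape of what is reasonable to post when asking for help.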