Grafana with oAuth does not work in iframe


I have enabled OAuth in grafana and its working.
Now I am trying to embed grafana in my angular application as iframe.
Its working if I enable anoynymous authentication.
But its not working with oauth enabled. The issue seems to be related to cookie security settings. I have tried various options in grafana configuration.

It would be really great if any one can suggest a solution here so that it can be embedded in iframe with oauth enabled.


Do you really think that someone will be able to tell you what is wrong from this issue description? No config, no error, …

Generic recommendation: GitHub - jangaraj/grafana-iframe + use search feature in this forum.

Hi @jangaraj

Sorry for missing the additional details. Please find it here.

Error: login.OAuthLogin(missing saved state)

Its working properly from the browser, but getting above error in iframe.

I tried with different options in “cookie_samesite”, but still gettting the same error in iframe.

When run in iframe, the cookie header sent in the request to /login/generic_oauth does not include the oauth_state cookie. Please suggest if there is any configuration change that we can do to solve this issue.

Grafana version: 9.1.6

Grafana config:

allow_sign_up true
client_id myclient_id
client_secret *******
email_attribute_name email:primary
empty_scopes false
enabled true
role_attribute_strict true
scopes openid email profile
tls_skip_verify_insecure true
use_pkce false

login_cookie_name grafana_session
login_maximum_inactive_lifetime_duration 7d
login_maximum_lifetime_duration 30d
oauth_auto_login false
oauth_skip_org_role_update_sync false
oauth_state_cookie_max_age 600
sigv4_auth_enabled false
sigv4_verbose_logging false
token_rotation_interval_minutes 10

allow_embedding true
angular_support_enabled true
content_security_policy false
content_security_policy_template script-src ‘self’ ‘unsafe-eval’ ‘unsafe-inline’ ‘strict-dynamic’ $NONCE;object-src ‘none’;font-src ‘self’;style-src ‘self’ ‘unsafe-inline’ blob:;img-src * data:;base-uri ‘self’;connect-src ‘self’ ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src ‘self’;media-src ‘none’;form-action ‘self’;
cookie_samesite disabled
cookie_secure true
disable_brute_force_login_protection false
disable_gravatar false
disable_initial_admin_creation false
strict_transport_security false
strict_transport_security_max_age_seconds 86400
strict_transport_security_preload false
strict_transport_security_subdomains false
x_content_type_options true
x_xss_protection true

enabled false
hide_version false
org_name Main Org.
org_role Viewer

Same here. Did you manage to solve the issue?