Grafana with Okta OAuth2 authentication is failing with 400 Bad request in Okta

  • What Grafana version and what operating system are you using?
    open source v7.5.5

  • What are you trying to achieve?
    Okta OAuth2 authentication

  • How are you trying to achieve it?
    By following the documentation link

  • What happened?
    Getting HTTP 400 Bad request

  • What did you expect to happen?

  • Can you copy/paste the configuration(s) that you are having problems with?

#################################### Okta OAuth #######################
[auth.okta]
name = Okta
enabled = true
;allow_sign_up = true
client_id = xxxx
client_secret = xxxxx
scopes = openid profile email groups
auth_url = https ://.okta. com/oauth2/v1/authorize
token_url = https ://.okta. com/oauth2/v1/token
api_url = https ://.okta. com/oauth2/v1/userinfo
allowed_domains =
;allowed_groups = Developers, Admins
;role_attribute_path =

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    t=2021-06-28T10:08:01-0700 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/okta status=302 remote_addr=172.19.208.237 time_ms=0 size=303 referer=https://wus2grfnadev03..com:3000/login

  • Did you follow any online instructions? If so, what is the URL?
    Okta OAuth2 authentication | Grafana Labs

i have added space intentionally in the urls due to the limitation. but in actual configuration, its not the case.

Issue was with default redirect url under [server] section in grafana config.ini

#################################### Server ####################################
[server]
#Protocol (http, https, h2, socket)
protocol = https

#The ip address to bind to, empty will bind to all interfaces
;http_addr =

#The http port to use
;http_port = 3000

#The public facing domain name used to access grafana from a browser
;domain = localhost
domain = wus2grfnadev03.linkedin.biz

#Redirect to correct domain if host header does not match domain
#Prevents DNS rebinding attacks
;enforce_domain = false

#The full public facing url you use in browser, used for redirects and emails
#If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/

you have to change the domain from local host to the actual server name.
From:
;domain = localhost
To
domain = www.example.com