How does grafana appends the new token received from the OAuth2 url configured in proxy routes

r34m1 · March 26, 2022, 2:58am

Hi

I saw below configuration to enable OAuth2 configuration for plugin api authentication.

{
  "routes": [
    {
      "path": "api",
      "url": "https://api.example.com/v1",
      "tokenAuth": {
        "url": "https://api.example.com/v1/oauth/token",
        "params": {
          "grant_type": "client_credentials",
          "client_id": "{{ .SecureJsonData.clientId }}",
          "client_secret": "{{ .SecureJsonData.clientSecret }}"
        }
      }
    }
  ]
}

My auth url response will be like

{ token: "....." }

And i need to append two headers(token, appId) to my apis authenticated URLs, as shown below

X-Client-ID: <application-unique-id>
X-Token: <token-received-from-auth-url>

1 .How do I append the token received from the the auth url to my api requests?
2. Where is this token stored after auth is succeeded? How do I fetch it and append to other api calls.

Appreciate your replies!

marcusolsson · March 31, 2022, 8:09am

If you configure tokenAuth for your route, Grafana will manage the tokens in the background for you. If you need custom authentication, you need to implement it yourself in a backend plugin.

For more information, check out the docs on how to Authenticate using a backend plugin.

r34m1 · March 31, 2022, 5:31pm

Thanks alot Mr @marcusolsson, I appreciate it.

Is there any way to save my token from datasource.ts in to the configuration object, jsonData in ConfigEditor component?

marcusolsson · April 1, 2022, 10:19am

Even if there was, I wouldn’t recommend it. jsonData is not intended for sensitive information (that’s what secureJsonData is for).

If you’re planning to publish your plugin, you should be aware that the team rejects any submission that stores secrets in jsonData.

r34m1 · April 11, 2022, 7:32am

Okay @marcusolsson, I really appreciate your reply.

Is there anyway to save my token into secureJsonData from my datasource.ts.

Thanks in advance!

marcusolsson · April 11, 2022, 7:46am

Not that I know of. Probably since only administrators are allowed to configure data sources. For example, if the query editor could update the secure JSON data, they could potentially reconfigure the credentials of the data source from the dashboard.

system · April 11, 2023, 7:46am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.