How does Grafana communicate who they are authenticating as to my OAuth auth server?

After a user has logged into my app, I embed Grafana dashboards on some web pages. We require authorization and access control.

For authorization I have 3 endpoints:

in my grafana.ini:

A) auth_url = my-app/oauth/authorize
B) token_url = my-app/oauth/token
C) api_url = my-app/oauth/token/info

A – Provides an OAuth code with 60 seconds before expiry.

B – Exchanges a valid OAuth code for an OAuth token.

C – Provides user info
a) user id – email
b) user permissions – Viewer, Editor, or Admin

For each dashboard a user wants to access, I would like to check if the user has permission to view it. Not all users should see all dashboards.

  1. I frequently see references to an OIDC IdP. Currently, my app uses sessions based on http-only cookies. I am not sure how the ID of the requestee can be provided to my auth server by Grafana. I need something to ID the user… an email, JWT, DB id, etc.

So, when a request is sent to the auth_url, how does Grafana communicate who the request is on behalf of? What do I need to add or implement?

  2. We have an internal RBAC system. Users or user groups are assigned roles that I can map to Viewer, Editor, or Admin. I hope this can play nice with Grafana. For each resource access request, I would like to make sure that a user is not trying to read or edit a dashboard they are not granted access to. My hope is:

    i) User will request access to a grafana resource.
    ii) Grafana or my auth server can check that the access to that resource specifically has been authorized.

I have done a bit more digging and as far as I understand, there are limitations to Grafana community. I have found that as of Grafana v8.1.x “Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific Users and Teams.” In addition, fine-grained access control considers a) who has access (identity), and b) what they can do and on which Grafana resource (role). These features are restricted to Grafana Enterprise.

I was hoping that I could use OAuth so that my authorization server would handle access control on behalf of Grafana, not just authorization. My workaround would be to gatekeep access to Grafana dashboards, but I do not think this would stop an experienced user from querying the API and accessing things that they are not supposed to.
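As an added illustration (not code from this post or from Grafana), here is a minimal in-memory model of the three endpoints named in the grafana.ini above. It shows where the identity actually comes from: Grafana never sends a user identity to auth_url; it redirects the user's browser there with only client_id, redirect_uri and state, so the app's own http-only session cookie is what identifies the user, and the role field returned from api_url is what Grafana maps to Viewer, Editor or Admin. The hostnames, session cookie values, RBAC table and token lifetime are constructed assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample data. The app's http-only session cookie is the only thing that
# identifies the browser at /oauth/authorize; Grafana sends no user identity itself.
SESSIONS = {"sess-alice": "alice@example.com", "sess-bob": "bob@example.com"}
RBAC = {"alice@example.com": "ops-admin", "bob@example.com": "analyst"}  # internal roles
ROLE_MAP = {"ops-admin": "Admin", "analyst": "Viewer"}  # internal role -> Grafana role
CODE_TTL = 60           # A) authorization code expires after 60 seconds
TOKEN_TTL = 3600        # B) access token lifetime (assumed)
CODES, TOKENS = {}, {}  # in-memory stores (assumed; use a real store in production)

def authorize(session_cookie, client_id, redirect_uri, state, now=None):
    """A) auth_url: identify the user from the app session and issue a code."""
    now = time.time() if now is None else now
    email = SESSIONS.get(session_cookie)
    if email is None:
        return None  # not logged in: the app must show its own login page first
    code = secrets.token_urlsafe(16)
    CODES[code] = {"email": email, "client_id": client_id,
                   "redirect_uri": redirect_uri, "exp": now + CODE_TTL}
    return f"{redirect_uri}?code={code}&state={state}"

def code_from_redirect(url):
    """Pull the code parameter out of the redirect URL Grafana receives."""
    return parse_qs(urlsplit(url).query)["code"][0]

def token(code, client_id, redirect_uri, now=None):
    """B) token_url: exchange an unexpired, single-use code for a bearer token."""
    now = time.time() if now is None else now
    rec = CODES.pop(code, None)  # pop: a code can be redeemed only once
    if (rec is None or rec["exp"] < now or rec["client_id"] != client_id
            or rec["redirect_uri"] != redirect_uri):
        return None
    tok = secrets.token_urlsafe(24)
    TOKENS[tok] = {"email": rec["email"], "exp": now + TOKEN_TTL}
    return tok

def userinfo(bearer_token, now=None):
    """C) api_url: return the user id and the mapped Grafana role for the token."""
    now = time.time() if now is None else now
    rec = TOKENS.get(bearer_token)
    if rec is None or rec["exp"] < now:
        return None
    role = ROLE_MAP.get(RBAC.get(rec["email"]), "Viewer")  # least-privilege default
    return {"email": rec["email"], "role": role}
```

On the Grafana side, the `role` field is what a `role_attribute_path` expression in `[auth.generic_oauth]` selects to set the org role; the single-use code and the server-side checks on client_id and redirect_uri are what stop a leaked code from being redeemed by anything other than the registered Grafana client.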