How to config api_url when there is No /userinfo endpoint provided by my Oauth server

Hi guys,

I’m using the auth.generic_oauth feature for Grafana login authentication. There is a mandatory field "api_url", but my OAuth service only provides 3 endpoints, /authorize, /token and /introspect, and none of them returns OpenID UserInfo compatible information. What can I do next? And I’d like to know what the user info returned from "api_url" is used for.

[auth.generic_oauth]
enabled = true
name = IDTest
allow_sign_up = true
client_id = xxx
client_secret = xxx
scopes = openid
auth_url = xxx/authorize
token_url = xxx/token
api_url = xxx/introspect
team_ids =
allowed_organizations =

my /introspect endpoint returns like below
Response:
Authorization Code
{ "sub":"user1", "grant_type":"authorization_code", "realmName":"mga", "scope":"openid", "uniqueSecurityName":"user1", "active":true, "exp":1441859171, "token_type":"Bearer", "iat":1441858871, "client_id":"12345" }

Client credentials
{ "sub":"12345", "grant_type":"client_credentials", "realmName":"mga", "scope":"openid", "active":true, "exp":1441859510, "token_type":"Bearer", "iat":1441859210, "client_id":"12345" }

Invalid/Expired token
{“active”:false}

Grafana needs some user info, so if you do not have this API endpoint you are out of luck :confused:

Thanks torkel,
I’m able to get ALL valid user information from another RESTful API, including username, email, etc., and according to the response of the /introspect endpoint mentioned in my question description, the /introspect endpoint can return me the logged-in user’s userName. I’m thinking of writing my own RESTful API to return the logged-in user’s information; what do you think about it?

BTW, I’m able to write a RESTful API that returns fake userinfo, and it works well.

Yes, if you can create an endpoint that returns the information grafana needs then you can make it work.

Thanks torkel,

I have some other questions,

  1. I’d like to call another endpoint, /introspect, from my ID provider, but it needs the token returned from the /token endpoint in the previous steps. Is it possible for me to get that returned token? I think the answer is no way, right?
  2. Since OAuth didn’t fit my shoes, I’m thinking of writing my own authentication for Grafana. Does the authproxy feature help in this situation?

Hi tinaren,
How did you change the grant type from authorization_code to client_credentials? I put grant_type = client_credentials and response_type = token in [auth.generic_oauth] but it doesn’t work.

Bump for this. How did you manage to get this working? I’m now struggling with exactly the same problem. My OAuth2 provider is Nextcloud and it works excellently until I get to the last step, where Grafana tries to parse the email from the Nextcloud access token. Sadly Nextcloud gives only the username with the token. One could get more information from the Nextcloud user API, but the token is needed for accessing it. I wrote a simple PHP script as the userinfo API and tried to write out all the headers (html_headers) and parameters ($_GET) it receives when Grafana calls it, but got nothing.

When I simply hardcoded some user information in this PHP script and printed it back in JSON format, Grafana nicely accepts it, completes the OAuth2 login and finally writes a cookie with the token id. The big question is: where does Grafana store this token, and can it be accessed in any way when it calls the userinfo API endpoint? How do all the other supported OAuth services do this securely, so that when Grafana calls the userinfo endpoint they give you only the information of the correct user? To my understanding Grafana needs to identify itself somehow to these services when accessing the userinfo API. When writing your own API this should be accessible somehow. This is so close but I still cannot get a grip on it :grimacing:
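The piece the last two posts are looking for is the bearer token: when Grafana calls api_url it sends the access token it received from token_url in an `Authorization: Bearer <token>` header, and it reads the `login`, `name` and `email` keys from the JSON it gets back. So a home-grown userinfo endpoint does not need any separate way to "identify itself"; it validates the token it was handed by forwarding it to /introspect (RFC 7662) and only then answers with user details. The following is an added example, not code from the thread or from Grafana: a small stdlib-only WSGI userinfo shim. The introspection responses and the directory lookup are constructed here from the three response shapes quoted earlier in the thread; `rfc7662_introspect` is the real network call you would wire in instead of `fake_introspect`, and the `now` parameter exists only so the 2015-era `exp` values in the samples can be tested deterministically.

```python
import base64
import json
import time
import urllib.request
from http import HTTPStatus

# Constructed sample introspection results, mirroring the three shapes quoted in the thread.
SAMPLE_INTROSPECTION = {
    "tok-user1": {"sub": "user1", "grant_type": "authorization_code", "realmName": "mga",
                  "scope": "openid", "uniqueSecurityName": "user1", "active": True,
                  "exp": 1441859171, "token_type": "Bearer", "iat": 1441858871, "client_id": "12345"},
    "tok-client": {"sub": "12345", "grant_type": "client_credentials", "realmName": "mga",
                   "scope": "openid", "active": True, "exp": 1441859510, "token_type": "Bearer",
                   "iat": 1441859210, "client_id": "12345"},
    "tok-expired": {"active": False},
}
# Hypothetical stand-in for the poster's "other RESTful API" that knows names and e-mails.
SAMPLE_DIRECTORY = {"user1": {"name": "User One", "email": "user1@example.com"}}


def fake_introspect(token):
    """Offline replacement for the IdP's /introspect endpoint (constructed data)."""
    return SAMPLE_INTROSPECTION.get(token, {"active": False})


def fake_directory(username):
    return SAMPLE_DIRECTORY.get(username)


def rfc7662_introspect(introspect_url, client_id, client_secret, token):
    """Real RFC 7662 call: POST token=..., authenticated with the client's own credentials.
    Not exercised offline; shown so the shape of the request is clear."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        introspect_url,
        data=f"token={token}&token_type_hint=access_token".encode(),
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def userinfo(headers, introspect=fake_introspect, directory=fake_directory, now=None):
    """Build the (status, JSON body) Grafana expects from api_url for one request."""
    token = bearer_token(headers)
    if token is None:
        return 401, {"error": "invalid_token"}
    info = introspect(token)
    if not info.get("active"):
        return 401, {"error": "invalid_token"}
    now = time.time() if now is None else now
    if "exp" in info and info["exp"] <= now:      # defence in depth: do not trust 'active' alone
        return 401, {"error": "invalid_token"}
    if info.get("grant_type") != "authorization_code":  # only end-user tokens map to a Grafana user
        return 403, {"error": "insufficient_scope"}
    username = info.get("uniqueSecurityName") or info.get("sub")
    extra = directory(username) or {}
    return 200, {"login": username, "name": extra.get("name", username), "email": extra.get("email", "")}


def wsgi_app(environ, start_response):
    """Minimal WSGI adapter; deploy behind TLS and point api_url at it."""
    status, body = userinfo({"Authorization": environ.get("HTTP_AUTHORIZATION", "")})
    payload = json.dumps(body).encode()
    start_response(f"{status} {HTTPStatus(status).phrase}",
                   [("Content-Type", "application/json"), ("Content-Length", str(len(payload)))])
    return [payload]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8089, wsgi_app).serve_forever()
```

Two design points worth keeping when you replace the fakes: refuse client-credentials tokens outright (they name an application, not a person, so mapping them to a Grafana login would let any holder of the client secret sign in), and return 401 on anything that is not a live, introspectable end-user token rather than falling back to a default identity.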