How to fix DAST-OAuth Implicit Grant Type flaw?

  • What Grafana version and what operating system are you using?

  • What are you trying to achieve?
    Fix OAuth Implicit Grant Type flaw security issue

  • How are you trying to achieve it?
    I’ve already set use_pkce = true under [auth.generic_oauth] section

  • What happened?
    The security issue still there after I set the use_pkce = true

  • What did you expect to happen?
    OAuth Implicit Grant Type flaw issue fixed

  • Can you copy/paste the configuration(s) that you are having problems with?

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

  • Did you follow any online instructions? If so, what is the URL?
    This is a Grafana setup in Openshift, and using the Oauth authentication

Please explain how you can have “OAuth Implicit Grant Type flow issue”, when you are using " Authorization Code Flow with Proof Key for Code Exchange (PKCE)"?
It looks like you are copying reports from some security scanner without any logical validation.

Yes, it was from the DAST scan report:

Add the parameter under [auth.basic] section, but the problem still there:

That’s wrong section. Pls read doc.

And fix that scanner. Grafana never used implicit grant flow.