Integrating the identity provider Feishu

When integrating the identity provider Feishu with Grafana using OAuth2, automatic login to Grafana is possible, but when logging out of Grafana and attempting to automatically log in again, the Grafana login page displays an error message: “Login failed. User sync failed.”

The Grafana version is 9.5.16-1.

I am using generic OAuth2 authentication, with all configuration placed in grafana.ini.

[auth.generic_oauth]
enabled = true
name = Feishu
allow_sign_up = true
auto_login = true
client_id = cli_a8d3e4fdf6bf768c
client_secret = LPEtbUVxPbzWERH7WuysderrTF44vjI4o
scopes = contact:user.base:readonly contact:user.email:readonly contact:user.employee_id:readonly contact:user.id:readonly contact:user.phone:readonly mail:user_mailbox:readonly offline_access passport:session_mask:readonly contact:user.employee_id:readonly contact:user.base:readonly contact:user.email:readonly contact:user.employee_id:readonly offline_access tenant:tenant:readonly
auth_url = https://xxxxxx/open-apis/authen/v1/authorize
token_url = https://xxxxxx/open-apis/authen/v2/oauth/token
api_url = https://xxxxxx/open-apis/authen/v1/user_info
email_attribute_name = email
email_attribute_path = data.email
login_attribute_path = data.en_name
name_attribute_path = data.name
use_refresh_token = true
skip_org_role_sync = true
role_attribute_strict = false

I am debugging the error logs in /var/log/grafana.log.

logger=ngalert.scheduler t=2024-12-03T17:40:00.001749355+08:00 level=debug msg=“Alert rules fetched” rulesCount=0 foldersCount=0 updatedRules=0
logger=secrets t=2024-12-03T17:40:00.223205611+08:00 level=debug msg=“Removing expired data keys from cache…”
logger=secrets t=2024-12-03T17:40:00.223352107+08:00 level=debug msg=“Removing expired data keys from cache finished successfully”
logger=ngalert.multiorg.alertmanager t=2024-12-03T17:40:00.239402392+08:00 level=debug msg=“synchronizing Alertmanagers for orgs”
logger=ngalert.state.manager t=2024-12-03T17:40:00.239802314+08:00 level=debug msg=“Recording state cache metrics” now=2024-12-03T17:40:00.239799053+08:00
logger=alertmanager org=1 t=2024-12-03T17:40:00.24057748+08:00 level=debug msg=“neither config nor template have changed, skipping configuration sync.”
logger=ngalert.multiorg.alertmanager t=2024-12-03T17:40:00.241629497+08:00 level=debug msg=“done synchronizing Alertmanagers for orgs”
logger=ngalert.sender.router t=2024-12-03T17:40:00.246165899+08:00 level=debug msg=“Attempting to sync admin configs” count=0
logger=ngalert.sender.router t=2024-12-03T17:40:00.246261782+08:00 level=debug msg=“Finish of admin configuration sync”
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:00.413095606+08:00 level=info msg=“Request Completed” method=GET path=/ status=302 remote_addr=10.0.48.12 time_ms=1 duration=1.8102ms size=29 referer= handler=/
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:00.933453865+08:00 level=info msg=“Request Completed” method=GET path=/ status=302 remote_addr=220.196.193.33 time_ms=1 duration=1.298157ms size=29 referer= handler=/
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:00.993444397+08:00 level=info msg=“OAuth auto login enabled. Redirecting to /login/generic_oauth”
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:00.993570255+08:00 level=info msg=“Request Completed” method=GET path=/login status=307 remote_addr=220.196.193.33 time_ms=3 duration=3.991504ms size=56 referer= handler=/login
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:01.021054724+08:00 level=info msg=“Request Completed” method=GET path=/login/generic_oauth status=302 remote_addr=220.196.193.33 time_ms=1 duration=1.177859ms size=702 referer= handler=/login/:name
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:01.080942162+08:00 level=info msg=“Request Completed” method=GET path=/ status=302 remote_addr=10.0.48.11 time_ms=1 duration=1.156199ms size=29 referer= handler=/
logger=oauth t=2024-12-03T17:40:01.574128661+08:00 level=info msg=“state check” queryState=f4a5b54941a1019c41438f0e52731c7d5de3c7ca07b5fa0ecfd9165b78edbd11 cookieState=f4a5b54941a1019c41438f0e52731c7d5de3c7ca07b5fa0ecfd9165b78edbd11
logger=oauth t=2024-12-03T17:40:01.712196184+08:00 level=debug msg=“OAuthLogin: got token” expiry=“2024-12-03 19:40:01.712153309 +0800 CST m=+7623.328675756” type=Bearer has_refresh_token=true
logger=oauth.generic_oauth t=2024-12-03T17:40:01.712292529+08:00 level=debug msg=“Getting user info”
logger=oauth.generic_oauth t=2024-12-03T17:40:01.71231232+08:00 level=debug msg=“Extracting user info from OAuth token”
logger=oauth.generic_oauth t=2024-12-03T17:40:01.712329135+08:00 level=debug msg=“No id_token found” token=“unsupported value type”
logger=oauth.generic_oauth t=2024-12-03T17:40:01.712359385+08:00 level=debug msg=“Getting user info from API”
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803274702+08:00 level=debug msg=“HTTP GET” url=https://open.xxxxxx.cn/open-apis/authen/v1/user_info status=“200 OK” response_body=“{"code":0,"data":{"avatar_big":"https://s3-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=640x640\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\“,\“avatar_middle\”:\“https://s3-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=240x240\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\”,\“avatar_thumb\”:\“https://s1-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=72x72\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\”,\“avatar_url\”:\“https://s1-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=72x72\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\”,\“email\”:\“a3647856669@gmail.com\”,\“en_name\”:\“Simon\”,\“mobile\”:\”+8613576845676\“,\“name\”:\“Simon\”,\“open_id\”:\“ou_c185681f173a4bfeec5e14c4c478c157\”,\“tenant_key\”:\“242a5f4114567589\”,\“union_id\”:\“on_2c7bbdcb565a2c346761fc9595b46ed4\”,\“user_id\”:\“bgfb3548\”},\“msg\”:\“success\”}”
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803399018+08:00 level=debug msg=“Received user info response from API” raw_json=”{"code":0,"data":{"avatar_big":"https://s3-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=640x640\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\“,\“avatar_middle\”:\“https://s3-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=240x240\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\”,\“avatar_thumb\”:\“https://s1-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=72x72\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\”,\“avatar_url\”:\“https://s1-imfile.xxxxxxcdn.com/static-resource/v1/v3_00h7_1656c53a-ae99-4e86-b864-66ac33a5564g~?image_size=72x72\\u0026cut_type=\\u0026quality=\\u0026format=image\\u0026sticker_format=.webp\”,\“email\”:\“a3647856669@gmail.com\”,\“en_name\”:\“Simon\”,\“mobile\”:\”+8613576845676\“,\“name\”:\“Simon\”,\“open_id\”:\“ou_c185681f173a4bfeec5e14c4c478c157\”,\“tenant_key\”:\“242a5f4114567589\”,\“union_id\”:\“on_2c7bbdcb565a2c346761fc9595b46ed4\”,\“user_id\”:\“bgfb3548\”},\“msg\”:\“success\”}” data=“Name: , Displayname: , Login: , Username: , Email: , Upn: , Attributes: map
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803425114+08:00 level=debug msg=“Processing external user info” source=API data=“Name: , Displayname: , Login: , Username: , Email: , Upn: , Attributes: map
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803506606+08:00 level=debug msg=“Setting user info name from nameAttributePath” nameAttributePath=data.name
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803528965+08:00 level=debug msg=“Searching for login among JSON” loginAttributePath=data.en_name
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803588057+08:00 level=debug msg=“Set user info email from extracted email” email=a3647856669@gmail.com
logger=oauth.generic_oauth t=2024-12-03T17:40:01.80360616+08:00 level=warn msg=“No valid role found. Skipping role sync. In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. If role sync is not desired, set skip_org_role_sync for your provider to true”
logger=oauth.generic_oauth t=2024-12-03T17:40:01.803622261+08:00 level=debug msg=“User info result” result=“Id: , Name: Simon, Email: a3647856669@gmail.com, Login: Simon, Role: , Groups:
logger=oauth t=2024-12-03T17:40:01.803652971+08:00 level=debug msg=“OAuthLogin got user info” userInfo=“Id: , Name: Simon, Email: a3647856669@gmail.com, Login: Simon, Role: , Groups:
logger=oauth t=2024-12-03T17:40:01.803676542+08:00 level=debug msg=“Building external user info from OAuth user info”
logger=oauth t=2024-12-03T17:40:01.803693755+08:00 level=debug msg=“Syncing Grafana user with corresponding OAuth profile”
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:01.80472971+08:00 level=warn msg=“user already exists”
logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:01.807623742+08:00 level=info msg=“Request Completed” method=GET path=/login/generic_oauth status=302 remote_addr=220.196.193.33 time_ms=234 duration=234.602484ms size=29 referer= handler=/login/:name

Asking for help, thanks.
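
A triage helper for debug logs like the one in this post, added here as an example and not part of the original post or of Grafana: it parses the logfmt lines of one generic_oauth login attempt and reports whether the state check matched, whether a token was received, which fields of "User info result" came back empty, and which warnings were logged. The sample lines are constructed in the shape of the log above, and the script assumes straight double quotes as Grafana writes them to the log file.

```python
import re

# logfmt pair: key=value, value either double-quoted or a bare token (may be empty)
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# "Key: value" pairs inside the "User info result" summary string
_FIELD = re.compile(r'(\w+):\s?([^,]*)')

def parse_logfmt(line):
    """Parse one logfmt line into a dict, stripping surrounding quotes."""
    return {k: v[1:-1] if v.startswith('"') and len(v) > 1 else v
            for k, v in _PAIR.findall(line)}

def trace_oauth_login(lines):
    """Summarise one generic_oauth login attempt from debug log lines."""
    summary = {"state_ok": None, "got_token": False,
               "user_info": {}, "empty_fields": [], "warnings": []}
    for rec in map(parse_logfmt, lines):
        msg = rec.get("msg", "")
        if msg == "state check":
            # The OAuth2 state value must round-trip unchanged (CSRF protection)
            q, c = rec.get("queryState"), rec.get("cookieState")
            summary["state_ok"] = bool(q) and q == c
        elif msg == "OAuthLogin: got token":
            summary["got_token"] = True
        elif msg == "User info result":
            info = {k: v.strip() for k, v in _FIELD.findall(rec.get("result", ""))}
            summary["user_info"] = info
            summary["empty_fields"] = [k for k, v in info.items() if not v]
        elif rec.get("level") == "warn":
            summary["warnings"].append(msg)
    return summary

# Constructed sample lines (placeholder values, same shape as the log in the post)
SAMPLE = [
    'logger=oauth t=2024-12-03T17:40:01.57+08:00 level=info msg="state check" '
    'queryState=abc123 cookieState=abc123',
    'logger=oauth t=2024-12-03T17:40:01.71+08:00 level=debug '
    'msg="OAuthLogin: got token" type=Bearer has_refresh_token=true',
    'logger=oauth.generic_oauth t=2024-12-03T17:40:01.80+08:00 level=debug '
    'msg="User info result" result="Id: , Name: Example, '
    'Email: user@example.com, Login: Example, Role: , Groups: "',
    'logger=context userId=0 orgId=0 uname= t=2024-12-03T17:40:01.80+08:00 '
    'level=warn msg="user already exists"',
]

if __name__ == "__main__":
    print(trace_oauth_login(SAMPLE))
```
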