Is it possible to get the generic.oauth client_secret on runtime?

  • What Grafana version and what operating system are you using?
    Version 9.x.x up to latest. I need the behaviour of all versions in between.

  • What are you trying to achieve?
    I want to read out the client_secret from the generic_oauth configuration in clear text. (Grafana is self-hosted.)

  • How are you trying to achieve it?
    I tried to view it in the Grafana UI and to fetch it using the Grafana API.

  • What happened?
    I got the secret but blurred out.

  • What did you expect to happen?
    I want to read it out in clear text without having to look into the grafana.ini.

If it is not possible, please say so right away. Otherwise, is it safe to store a secret in there without users being able to read it out, even if they have full admin privileges on the instance?

I would use the PKCE flow, so you don’t need a secret at all and you won’t have this problem anymore.

It states that PKCE is not a replacement for client credentials.

PKCE for OAuth 2.0
“PKCE is not a form of client authentication, and PKCE is not a replacement for a client secret or other client authentication.”

Correct, PKCE is not a replacement for client credentials. It is a different flow. Check the OIDC/OAuth standard and you will see there are multiple flows, which suit different needs.

I’m saying switch to a different, more suitable flow, where you don’t need client credentials - that’s exactly PKCE.
You have PKCE support in Grafana => you won’t need client credentials in the Grafana config => no problem with the security of those client credentials.

But is it even a problem in the first place? Is it possible to read out the secret to begin with?

That depends on your security awareness. Config (client secret included) is usually saved in the repo in plaintext. That’s probably fine if you are working on a one-person project, but that is a security antipattern in an enterprise env.

Okay, but as a customer with no access to the repo, there is no way to leak that secret from grafana ui or api itself? So it should be safe in there?