login.OAuthLogin(missing saved state)

Hi,

I have a question about Grafana running in AKS with Azure Front Door and caching enabled. I ran into an issue; here is the error: login.OAuthLogin(missing saved state)

Should I reach out to another team, or to Azure or Okta?

Thanks.

When and where are you seeing this error? When trying to add a datasource?

I don’t know anything about AKS…

Hey,

So when I navigate to the Grafana URL, it redirects me directly to Okta, and once I have logged in with my Okta details I get this error:

12345

If you have seen this, let me know; if not, it’s okay.

Thanks.

Search the forum/internet. It is very likely a problem with your Grafana cookie config.

Great, thanks I will search and share my findings :slight_smile:

Hey,

This is my current grafana.ini file. What should I add to my current config:

[analytics]
check_for_updates = true

[auth]
disable_login_form = true
oauth_auto_login = true

[auth.basic]
enabled = false

[auth.generic_oauth]
api_url = xxx
auth_url = xxx
client_id = xxx
client_secret = xxx
enabled = true
name = Okta 
role_attribute_path = contains(groups[*], 'xxx') && 'Admin' || contains(groups[*], 'xxx') && 'Admin' || contains(groups[*], 'xxx') && 'Editor' || contains(groups[*], 'xxx') && 'Viewer'
scopes = openid profile email groups
token_url = xxx

[feature_toggles]
enable = ngalert

[grafana_net]
url = https://grafana.net

[log]
mode = console

[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning

[server]
root_url = xxx

[users]
viewers_can_edit = true

Thanks.

Please provide the whole login procedure recorded in a HAR file and then I will tell you. There are many variables and your problem description doesn’t provide a reproducible example.

@jangaraj, thanks for the reply and details. I can send it to you but it contains sensitive information. I will redact it, and then how should I send it to you? Thanks.

This is public community support, so you have to make it public (of course without user id/password). There are millions of options for sharing files publicly: GitHub, gist, pastebin, Google Drive, MS One, … you name it.

@jangaraj, thanks for the reply and details. Yeah, I know there are a lot of open source places to share the details; I was just concerned about the sensitive details, but I redacted it. Here is the link to the file. Please let me know what you can find. Thanks.

I gave up loading your HAR file after fixing 2 syntax errors:

The right question/description/input gives you a higher chance of an answer. So it will be really appreciated if you spend your time wisely and provide input of the right quality.

/login/generic_oauth must set the oauth_state cookie, which is missing in your case. What you have to have:

It is a good idea to configure cookies properly, as I stated before:

At least:

cookie_secure = true
cookie_samesite = none
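
The check described in the answer above (the login request must set `oauth_state`, and the callback must send it back) can be run over a HAR capture. This is an added example, not code from any poster in this thread; it assumes the standard HAR layout, the function names and the `grafana.example` sample entries are constructed, and the `Age` check assumes a caching proxy marks cached responses with that standard header.

```python
from urllib.parse import urlsplit, parse_qs

STATE_COOKIE = "oauth_state"         # cookie named in the answer above
LOGIN_PATH = "/login/generic_oauth"  # endpoint named in the answer above

def header_values(msg, name):
    """All values of one header (case-insensitive) in a HAR request/response."""
    return [part for h in msg.get("headers", []) if h["name"].lower() == name
            for part in h["value"].split("\n")]  # some exporters join with newlines

def check_oauth_state(har):
    """Return findings about the oauth_state cookie round trip in a HAR dict."""
    findings = []
    for item in har["log"]["entries"]:
        req, resp = item["request"], item["response"]
        url = urlsplit(req["url"])
        if not url.path.endswith(LOGIN_PATH):
            continue
        if "code" not in parse_qs(url.query):
            # Login start: the response should carry Set-Cookie: oauth_state=...
            cookies = [c for c in header_values(resp, "set-cookie")
                       if c.startswith(STATE_COOKIE + "=")]
            if not cookies:
                findings.append("login response has no Set-Cookie for oauth_state")
            for c in cookies:
                attrs = [a.strip().lower() for a in c.split(";")[1:]]
                if "samesite=none" in attrs and "secure" not in attrs:
                    findings.append("oauth_state is SameSite=None without Secure")
            if header_values(resp, "age"):
                findings.append("login response carries Age header (served from a cache)")
        else:
            # Callback from the identity provider: the browser must return the cookie.
            sent = [p.strip() for v in header_values(req, "cookie") for p in v.split(";")]
            if not any(p.startswith(STATE_COOKIE + "=") for p in sent):
                findings.append("callback request did not send oauth_state")
    return findings

def entry(url, req_headers=(), resp_headers=()):
    """Build one constructed HAR entry for the sample below."""
    def pairs(items):
        return [{"name": n, "value": v} for n, v in items]
    return {"request": {"url": url, "headers": pairs(req_headers)},
            "response": {"headers": pairs(resp_headers)}}

# Constructed sample: placeholder hosts and made-up values, not data from this thread.
BROKEN_HAR = {"log": {"entries": [
    entry("https://grafana.example/login/generic_oauth",
          resp_headers=[("Location", "https://idp.example/authorize"), ("Age", "42")]),
    entry("https://grafana.example/login/generic_oauth?code=abc&state=xyz"),
]}}

if __name__ == "__main__":
    print("\n".join(check_oauth_state(BROKEN_HAR)))
```

To run it on a real capture, load the redacted file with `json.load` and pass the resulting dict to `check_oauth_state`.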

Thanks @jangaraj for the reply and details, really appreciate it.

I’ve added your suggestion of:

cookie_secure = true
cookie_samesite = none

But still not working.

Here are some details on my findings:

I’ve also done a curl on the URL:

And I don’t see the set cookie nor the oauth_state, so I’m not sure what I’m missing.

Here is the output of my current grafana.ini file:

[analytics]
check_for_updates = true
[auth]
disable_login_form = true
oauth_auto_login = false
login_cookie_name = grafana_session
oauth_state_cookie_max_age = 60
enable_login_token = true
[security]
cookie_secure = true
cookie_samesite = none
[auth.basic]
enabled = false
[auth.generic_oauth]
api_url = XXXXXXXX
auth_url = XXXXXXXX
client_id = XXXXXXXX
client_secret = XXXXXXXX
enabled = true
name = Okta 
role_attribute_path = contains(groups[*], 'XXXXXXXX') && 'Admin' || contains(groups[*], 'XXXXXXXX') && 'Admin' || contains(groups[*], 'XXXXXXXX') && 'Editor' || contains(groups[*], 'XXXXXXXX') && 'Viewer'
scopes = openid profile email groups
token_url = XXXXXXXX
[feature_toggles]
enable = ngalert
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = XXXXXXXX
[users]
viewers_can_edit = true

Obviously I redacted the sensitive information, but if you need additional info, please let me know.

What else can I look for in the .har file to narrow down my search?

Thanks.

Start the same Grafana config locally with a plain vanilla container without any proxy/middleware and test it. If the set cookie header is generated correctly, then blame your infrastructure.

Hey, thanks for the reply. I will test locally and let you know what the outcome is. Hosted on Azure so they’re to blame :slight_smile: Have you seen something like this before?