Hi,
I have a question on Grafana running in AKS with Azure Front Door and caching enabled. I ran into an issue; here is the error: login.OAuthLogin(missing saved state)
Should I reach out to another team, or to Azure or Okta?
Thanks.
When and where are you seeing this error? When trying to add a datasource?
I don’t know anything about AKS…
Hey,
So when I navigate to the Grafana URL it’s redirecting me directly to Okta, and once I log in with my Okta details I get this error:
If you have seen this, let me know; if not, it’s okay.
Thanks.
Search the forum/internet. It is very likely a problem with your Grafana cookie config.
Great, thanks I will search and share my findings
Hey,
This is my current grafana.ini file. What should I add in my current config :
[analytics]
check_for_updates = true
[auth]
disable_login_form = true
oauth_auto_login = true
[auth.basic]
enabled = false
[auth.generic_oauth]
api_url = xxx
auth_url = xxx
client_id = xxx
client_secret = xxx
enabled = true
name = Okta
role_attribute_path = contains(groups[*], 'xxx') && 'Admin' || contains(groups[*], 'xxx') && 'Admin' || contains(groups[*], 'xxx') && 'Editor' || contains(groups[*], 'xxx') && 'Viewer'
scopes = openid profile email groups
token_url = xxx
[feature_toggles]
enable = ngalert
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = xxx
[users]
viewers_can_edit = true
Thanks.
Please provide the whole login procedure recorded in a HAR file and then I will tell you. There are many variables and your problem description doesn’t provide a reproducible example.
@jangaraj, thanks for the reply and details. I can send it to you but it contains sensitive information. I will redact it, and then how should I send it to you? Thanks.
This is public community support, so you have to make it public (of course without user id/password). There are millions of options for sharing files publicly: github, gist, pastebin, google drive, ms one, … you name it.
@jangaraj, thanks for the reply and details. Yeah, I know there are a lot of open source places to share the details, I was just concerned about the sensitive details, but I redacted it; here is the link to the file. Please let me know what you can find. Thanks.
I gave up loading your HAR file after fixing 2 syntax errors:
The right question/description/input gives you a higher chance of an answer. So it will be really appreciated if you spend your time wisely and provide the right quality input.
/login/generic_oauth must set the oauth_state cookie, which is missing in your case. What you have to have:
It is a good idea to configure cookies properly, as I stated before:
At least:
cookie_secure = true
cookie_samesite = none
Thanks @jangaraj for the reply and details, really appreciate it.
I’ve added your suggestion of:
cookie_secure = true
cookie_samesite = none
But still not working.
Here are some details on my findings:
I’ve also done a curl on the URL:
And I don’t see the Set-Cookie nor the oauth_state, so not sure what I’m missing.
Here is the output of my current grafana.ini file:
[analytics]
check_for_updates = true
[auth]
disable_login_form = true
oauth_auto_login = false
login_cookie_name = grafana_session
oauth_state_cookie_max_age = 60
enable_login_token = true
[security]
cookie_secure = true
cookie_samesite = none
[auth.basic]
enabled = false
[auth.generic_oauth]
api_url = XXXXXXXX
auth_url = XXXXXXXX
client_id = XXXXXXXX
client_secret = XXXXXXXX
enabled = true
name = Okta
role_attribute_path = contains(groups[*], 'XXXXXXXX') && 'Admin' || contains(groups[*], 'XXXXXXXX') && 'Admin' || contains(groups[*], 'XXXXXXXX') && 'Editor' || contains(groups[*], 'XXXXXXXX') && 'Viewer'
scopes = openid profile email groups
token_url = XXXXXXXX
[feature_toggles]
enable = ngalert
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = XXXXXXXX
[users]
viewers_can_edit = true
Obviously redacted the sensitive information, but if you need additional info, please let me know.
What else can I look for in the .har file to narrow down my search?
Thanks.
Start the same Grafana config locally with a plain vanilla container without any proxy/middleware and test it. If the Set-Cookie header is generated correctly, then blame your infrastructure.
Hey, thanks for the reply. I will test locally and let you know what the outcome is. Hosted on Azure so they’re to blame. Have you seen something like this before?
It would not be bad to share with others who will or are already solving the same problem.
Hi,
This is happening because you configured 2 hostnames in your Ingress and your GF_SERVER_ROOT_URL points only to 1 of them. If you go to the other domain, this error is thrown:
login.OAuthLogin(missing saved state)
And this is what your page looks like
Clicking on that Grafana link will tell you which domain GF_SERVER_ROOT_URL is pointing at.
I’m not sure how this is handled in Grafana if you’ve got 2 hosts in your Ingress, there must be a way to solve this
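Added example, not part of any post in this thread: a Python check that walks a HAR capture of the login and reports the two conditions discussed above, a `/login/generic_oauth` response that does not set the `oauth_state` cookie, and a callback that lands on a different hostname than the one where the cookie was set. The function names, hostnames, IdP URL and cookie value are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/login/generic_oauth"

def header_values(headers, name):
    """All values of one header from a HAR name/value list (case-insensitive)."""
    return [h["value"] for h in headers if h["name"].lower() == name]

def diagnose(har):
    """Return findings for the OAuth login flow recorded in a HAR dict."""
    findings = []
    for item in har["log"]["entries"]:
        req, resp = item["request"], item["response"]
        url = urlsplit(req["url"])
        if url.path != LOGIN_PATH:
            continue
        if "code" not in parse_qs(url.query):
            # Step 1: Grafana starts the flow and must set the oauth_state cookie.
            cookies = header_values(resp["headers"], "set-cookie")
            if not any("oauth_state=" in c for c in cookies):
                findings.append(f"no oauth_state Set-Cookie from {url.hostname}")
            for loc in header_values(resp["headers"], "location"):
                for uri in parse_qs(urlsplit(loc).query).get("redirect_uri", []):
                    back = urlsplit(uri).hostname
                    if back != url.hostname:
                        findings.append(f"redirect_uri host {back} != login host {url.hostname}")
        else:
            # Step 2: the IdP sends the browser back; the cookie must come along.
            sent = "; ".join(header_values(req["headers"], "cookie"))
            if "oauth_state=" not in sent:
                findings.append(f"callback to {url.hostname} carries no oauth_state cookie")
    return findings

def entry(url, req_headers, resp_headers):
    """Build a minimal HAR entry (constructed sample data, not a real capture)."""
    pairs = lambda d: [{"name": k, "value": v} for k, v in d.items()]
    return {"request": {"url": url, "headers": pairs(req_headers)},
            "response": {"headers": pairs(resp_headers)}}

# Constructed case: user opens host B while root_url (hence redirect_uri) names host A.
SAMPLE_HAR = {"log": {"entries": [
    entry("https://grafana-b.example.test/login/generic_oauth", {}, {
        "Set-Cookie": "oauth_state=abc123; Path=/; HttpOnly; Secure; SameSite=None",
        "Location": "https://idp.example.test/authorize?state=xyz&redirect_uri="
                    "https%3A%2F%2Fgrafana-a.example.test%2Flogin%2Fgeneric_oauth"}),
    entry("https://grafana-a.example.test/login/generic_oauth?code=c0de&state=xyz", {}, {}),
]}}

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_HAR)))
```

To run it against a real capture, load the file with `json.load` and pass the resulting dict to `diagnose`; redact cookie values and tokens before sharing any output.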