Hi,
I have a question on Grafana running in AKS with Azure Front Door and caching enabled. I ran into an issue; here is the error: login.OAuthLogin(missing saved state)
Should I reach out to another team, or to Azure or Okta?
Thanks.
When and where are you seeing this error? When trying to add a datasource?
I don’t know anything about AKS…
Hey,
So when I navigate to the Grafana URL it’s redirecting me directly to Okta, and once I log in with my Okta details I get this error:
If you have seen this, let me know; if not, it’s okay.
Thanks.
Search the forum/internet. It is very likely a problem with your Grafana cookie config.
Great, thanks I will search and share my findings
Hey,
This is my current grafana.ini file. What should I add in my current config :
[analytics]
check_for_updates = true
[auth]
disable_login_form = true
oauth_auto_login = true
[auth.basic]
enabled = false
[auth.generic_oauth]
api_url = xxx
auth_url = xxx
client_id = xxx
client_secret = xxx
enabled = true
name = Okta
role_attribute_path = contains(groups[*], 'xxx') && 'Admin' || contains(groups[*], 'xxx') && 'Admin' || contains(groups[*], 'xxx') && 'Editor' || contains(groups[*], 'xxx') && 'Viewer'
scopes = openid profile email groups
token_url = xxx
[feature_toggles]
enable = ngalert
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = xxx
[users]
viewers_can_edit = true
Thanks.
Please provide the whole login procedure recorded in a har file and then I will tell you. There are many variables and your problem description doesn’t provide a reproducible example.
@jangaraj, thanks for the reply and details. I can send it to you but it contains sensitive information. I will redact it, and then how should I send it to you? Thanks.
This is public community support, so you have to make it public (of course without user id/password). There are millions of options for how to share files publicly: github, gist, pastebin, google drive, ms one, … you name it.
@jangaraj, thanks for the reply and details. Yeah, I know there are a lot of open source places to share the details, I was just concerned about the sensitive details, but I redacted it; here is the link to the file. Please let me know what you can find. Thanks.
I gave up loading your har file after fixing 2 syntax errors:
The right question/description/input gives you a higher chance of an answer. So it will be really appreciated if you spend your time wisely and provide the right quality input.
/login/generic_oauth must set the oauth_state cookie, which is missing in your case. What you have to have:
It is a good idea to configure cookies properly, as I stated before:
At least:
cookie_secure = true
cookie_samesite = none
Thanks @jangaraj for the reply and details, really appreciate it.
I’ve added your suggestion of :
cookie_secure = true
cookie_samesite = none
But still not working.
Here are some details on my findings:
I’ve also done a curl on the url:
And I don’t see the set cookie nor the oauth_state, so not sure what I’m missing.
Here is an output of my current grafana.ini file:
[analytics]
check_for_updates = true
[auth]
disable_login_form = true
oauth_auto_login = false
login_cookie_name = grafana_session
oauth_state_cookie_max_age = 60
enable_login_token = true
[security]
cookie_secure = true
cookie_samesite = none
[auth.basic]
enabled = false
[auth.generic_oauth]
api_url = XXXXXXXX
auth_url = XXXXXXXX
client_id = XXXXXXXX
client_secret = XXXXXXXX
enabled = true
name = Okta
role_attribute_path = contains(groups[*], 'XXXXXXXX') && 'Admin' || contains(groups[*], 'XXXXXXXX') && 'Admin' || contains(groups[*], 'XXXXXXXX') && 'Editor' || contains(groups[*], 'XXXXXXXX') && 'Viewer'
scopes = openid profile email groups
token_url = XXXXXXXX
[feature_toggles]
enable = ngalert
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = XXXXXXXX
[users]
viewers_can_edit = true
Obviously redacted the sensitive information, but if you need additional info, please let me know.
What else can I look for in the .har file to narrow down my search?
Thanks.
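A way to check a HAR capture for the condition discussed above, namely whether /login/generic_oauth sets the oauth_state cookie and whether the browser sends it back on the return from the identity provider. This is an added example, not code from the thread or from Grafana. It assumes the return request hits the same path with a `code` query parameter; the hosts and the two sample captures are constructed.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/login/generic_oauth"  # endpoint named in the thread
STATE_COOKIE = "oauth_state"         # cookie the thread says it must set

def header_values(msg, name):
    """All values of one header in a HAR message; some exporters join repeats with \\n."""
    return [v for h in msg.get("headers", []) if h["name"].lower() == name
            for v in h["value"].split("\n")]

def check_oauth_state(har):
    """Return findings about the oauth_state cookie in a parsed HAR capture."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        if not url.path.endswith(LOGIN_PATH):
            continue
        if "code" in parse_qs(url.query):
            # Assumed callback from the IdP: the browser must send the state cookie back.
            pairs = [p.strip() for c in header_values(req, "cookie") for p in c.split(";")]
            if not any(p.startswith(STATE_COOKIE + "=") for p in pairs):
                findings.append("callback: request carries no oauth_state cookie")
            continue
        # Login start: the redirect to the IdP must set the state cookie.
        set_cookies = [c for c in header_values(resp, "set-cookie")
                       if c.strip().startswith(STATE_COOKIE + "=")]
        if not set_cookies:
            findings.append("start: response has no Set-Cookie for oauth_state")
            continue
        attrs = {a.strip().lower() for a in set_cookies[0].split(";")[1:]}
        if "samesite=none" in attrs and "secure" not in attrs:
            findings.append("start: SameSite=None without Secure")
    return findings

def har_entry(url, req_headers, resp_headers):
    """Build one constructed HAR entry from (name, value) header pairs."""
    as_har = lambda pairs: [{"name": n, "value": v} for n, v in pairs]
    return {"request": {"url": url, "headers": as_har(req_headers)},
            "response": {"headers": as_har(resp_headers)}}

# Constructed sample captures (grafana.example and idp.example are placeholders).
BASE = "https://grafana.example/login/generic_oauth"
BROKEN = {"log": {"entries": [
    har_entry(BASE, [], [("Location", "https://idp.example/authorize")]),
    har_entry(BASE + "?code=abc&state=xyz", [("Cookie", "other=1")], [])]}}
HEALTHY = {"log": {"entries": [
    har_entry(BASE, [], [("Set-Cookie", "oauth_state=s1; Path=/; Secure; SameSite=None")]),
    har_entry(BASE + "?code=abc&state=xyz", [("Cookie", "oauth_state=s1")], [])]}}
```

For a real capture, load the file with `json.load` and pass the result to `check_oauth_state`; a "start" finding points at the response the browser received, a "callback" finding at a cookie that was set but never returned.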
Start the same Grafana config locally with a plain vanilla container without any proxy/middleware and test it. If the set cookie header is generated correctly, then blame your infrastructure.
Hey, thanks for the reply. I will test locally and let you know what the outcome is. Hosted on Azure so they’re to blame. Have you seen something like this before?