OAuth redirect url

Hi,
I’m trying to integrate OpenID sign-in with my Grafana setup. I have it working for the most part, but would like to know if there is a way to get around having to go to the Grafana login page to click ‘Log in With OAuth/Keycloak’ when I have ‘disable_login_form = true’, and check if the user is logged in on my landing page.

It feels clunky when I check if the user is logged in on my landing page and, if not, show them a login button that goes to the Grafana login page, with another button they must click to get to the Keycloak sign-in form.

But any redirect I try from the Keycloak login form fails, as it looks like I need the ‘state’ parameter (I could be wrong about the state parameter; I normally am).

i.e. a URL request from the Grafana login page looks like:

https://auth.example.com/auth/realms/grafana/protocol/openid-connect/auth?
access_type=online&
client_id=grafana&
redirect_uri=http%3A%2F%2Fexample.com%2Fgrafana%2Flogin%2Fgeneric_oauth&
response_type=code&
scope=openid+profile+email&
state=ghBCz5g-JKBZHFVG-XVpZLFWIY0BLlGDgtuQf_pX-fg%3D

and trying a URL request from my landing page like this (missing state) just returns an error:

https://auth.example.com/auth/realms/grafana/protocol/openid-connect/auth?
access_type=online&
client_id=grafana&
redirect_uri=http%3A%2F%2Fexample.com%2Fgrafana%2Flogin%2Fgeneric_oauth&
response_type=code&
scope=openid+profile+email

Current settings in grafana.ini:

[auth]
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
disable_login_form = true

# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
disable_signout_menu = false

# URL to redirect the user to after sign out
signout_redirect_url = https://auth.example.com/auth/realms/grafana/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fexample.com

#################################### Generic OAuth ##########################
[auth.generic_oauth]
enabled = true
name = Keycloak
allow_sign_up = false
client_id = grafana
client_secret = 32f11773-a3d1-24bf-a599-618440966750
;scopes = user:email,read:org
scopes = openid profile email
auth_url =  https://auth.example.com/auth/realms/grafana/protocol/openid-connect/auth
token_url = https://auth.example.com/auth/realms/grafana/protocol/openid-connect/token
api_url =   https://auth.example.com/auth/realms/grafana/protocol/openid-connect/userinfo
;team_ids =
;allowed_organizations =

Thanks for any help.

Yes, the state parameter is required for the standard Authorization Code Flow used by Grafana. You may try to use a random value there.
Technically you need 3rd-party initiated login, and I’m not sure if it’s possible with Grafana.

Thanks @jangaraj,
using a random value for the state parameter doesn’t work, as Grafana looks to be using the state parameter correctly: I get a login.OAuthLogin(missing saved state) error in Grafana.

URL request used:

https://auth.example.com/auth/realms/grafana/protocol/openid-connect/auth?
access_type=online&
client_id=grafana&
redirect_uri=http%3A%2F%2Fexample.com%2Fgrafana%2Flogin%2Fgeneric_oauth&
response_type=code&
scope=openid+profile+email&
state=txCjWTwzElM70SRF0DjRhmysfd4UtLDjeBZ8_u1jjyE%3D

So it looks like you are correct, Jan, in that I would need to use 3rd-party initiated login. If I have read the OpenID doc correctly, Grafana would have to supply an endpoint for this to work, and I can’t find anything in the Grafana API docs. It doesn’t look like they currently support it.

Knowing all that, is there a different authorization flow I could use to get the user experience I’m after?
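The login.OAuthLogin(missing saved state) error above is what a correctly implemented authorization-code client produces when a callback arrives without the state it issued: the state is generated by the relying party when the flow starts and bound to the browser through a cookie, so a URL built anywhere else cannot satisfy the check. The following Python is an added example, not Grafana's or Keycloak's code. It models the relying-party side with that cookie binding and runs the three cases discussed in the thread: login started from the application's own button, a URL built on the landing page with a random state, and a callback whose state was chosen by a third party (login CSRF). The URLs, client id and scopes are from the post; the cookie name, the keyed hash, the cookie secret and the error strings are assumptions made for illustration.

```python
"""Why a hand-built authorize URL fails the callback state check.

Added example, not Grafana's code. Cookie name, HMAC construction,
cookie secret and error strings are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the thread; the cookie secret is constructed for the demo.
AUTH_URL = "https://auth.example.com/auth/realms/grafana/protocol/openid-connect/auth"
REDIRECT_URI = "http://example.com/grafana/login/generic_oauth"
CLIENT_ID = "grafana"
SCOPES = "openid profile email"
COOKIE_SECRET = b"demo-only-cookie-secret-do-not-reuse"  # assumption, demo only
STATE_COOKIE = "oauth_state"  # assumed cookie name


class OAuthLoginError(Exception):
    """Raised on the callback when state validation fails."""


def _hash_state(state: str) -> str:
    # Store a keyed hash rather than the raw state so a leaked cookie value
    # alone is not enough to forge a matching callback.
    return hmac.new(COOKIE_SECRET, state.encode(), hashlib.sha256).hexdigest()


def begin_login() -> tuple[str, dict[str, str]]:
    """Flow start on the relying party (what the login button triggers).

    Returns the IdP authorize URL and the cookie the browser must carry back
    to the callback. The state is unguessable and issued per login attempt.
    """
    state = secrets.token_urlsafe(32)
    url = AUTH_URL + "?" + urlencode({
        "access_type": "online",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPES,
        "state": state,
    })
    return url, {STATE_COOKIE: _hash_state(state)}


def handle_callback(callback_url: str, cookies: dict[str, str]) -> str:
    """Callback: check state against the saved cookie, then accept the code."""
    query = parse_qs(urlsplit(callback_url).query)
    saved = cookies.get(STATE_COOKIE)
    if saved is None:
        # The browser never went through begin_login(); this is the case a
        # landing-page-built URL hits and mirrors "missing saved state".
        raise OAuthLoginError("missing saved state")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(_hash_state(state), saved):
        # A callback whose state was chosen by someone else (login CSRF).
        raise OAuthLoginError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise OAuthLoginError("missing code")
    return code


def idp_redirect(authorize_url: str, code: str) -> str:
    """Stand-in for Keycloak: send the browser to redirect_uri with code+state."""
    q = parse_qs(urlsplit(authorize_url).query)
    params = {"state": q.get("state", [""])[0], "code": code}
    return q["redirect_uri"][0] + "?" + urlencode(params)


def proper_flow() -> str:
    """Login button on the app: cookie set, state round-trips, code accepted."""
    url, cookies = begin_login()
    return handle_callback(idp_redirect(url, "code-1"), cookies)


def landing_page_flow() -> str:
    """The landing page builds the URL itself, so no cookie was ever set."""
    state = secrets.token_urlsafe(32)  # random value, as tried in the thread
    url = AUTH_URL + "?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "scope": SCOPES, "state": state,
    })
    try:
        return handle_callback(idp_redirect(url, "code-2"), {})
    except OAuthLoginError as e:
        return f"error: {e}"


def forged_callback_flow() -> str:
    """Victim holds a valid cookie, but the callback state came from elsewhere."""
    _, victim_cookies = begin_login()
    forged = REDIRECT_URI + "?" + urlencode({"state": "attacker-state", "code": "attacker-code"})
    try:
        return handle_callback(forged, victim_cookies)
    except OAuthLoginError as e:
        return f"error: {e}"


if __name__ == "__main__":
    print(proper_flow())            # code-1
    print(landing_page_flow())      # error: missing saved state
    print(forged_callback_flow())   # error: state mismatch
```

The practical consequence for the landing-page question is that the browser has to pass through the relying party's own flow-start handler (begin_login() here), because only that handler can set the cookie the callback later checks; a state minted anywhere else, random or not, will never match. That binding is also what makes the parameter effective against login CSRF, so it is not something to work around at the IdP side.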

Ideas:

  • try to get IdP link with a proper state value from Grafana in the background of your landing page
  • try to use Grafana in authproxy mode and use some auth proxy with required features in front of Grafana
  • try to use SAML IdP-initiated SSO; it’s supported by Keycloak

Thanks for the ideas,

I think I will try the auth proxy route. On that subject (and this may not be the forum for it), has anyone reading this successfully set up an Nginx proxy as an auth proxy for Grafana using Keycloak as the authorization server?

Thanks again for the ideas, and if I succeed with any of them I’ll try to report back here so it can help others.

Regards,

Commercial Nginx Plus supports https://github.com/nginxinc/nginx-openid-connect/blob/master/openid_connect.server_conf. Free Nginx has some Lua modules.

I don’t recommend Nginx; the OIDC implementations I have seen are basic (for example, refresh tokens are not used). I recommend keycloak-proxy.