One thing I ended up spending lots of time figuring out was how to support logging out of Okta when logging out of Grafana. What I was being faced with was that I would log out of Grafana, but then when I would come to log back in, it would log me back in right away since the Okta user was still logged in.
I didn’t find a solution to that in the Auth Guide (explain wells how to get us to log in with Okta, but not so much how to log out).
Grafana does not seem to fully support oauth logout . It does however support a generic signout_redirect_url value that you can specify in its configuration file.
You need to combine this with Okta functionality which allows as well a generic signout function (not the oauth application logout endpoint, which Grafana doesn’t support) with the ability to specify a redirect URL.
So what I ended up doing is this:
Specify the config value : signout_redirect_url = https://xxxxxx.okta.com/login/signout?fromURI=http://mygrafanaloginpagerul
Where xxxxx is your specific okta instance and the from URI is where you want the user’s browser to be redirected to once OKTA logout is completed.
The URL given in the fromURI field needs to be configured as a Trusted Origin. Otherwise, it will be ignored by Okta. To do this:
1 - login to Okta as an administrator
2- Security Menu - API menu, go to Trusted Origins tab
3 - Add your redirect URL (the one you specified in the fromURI field in the Grafana config) and make it of Type ‘Redirect’
At that point, the logout from Grafana also triggers a logout from Okta and we are sent back to the login page of Grafana.