Okta OAuth Error NewTransportWithCode

  • What Grafana version and what operating system are you using?
    Grafana: 9.1.0 and Ubuntu 20.04.4

  • What are you trying to achieve?
    Integrate Okta as OAuth Provider

  • How are you trying to achieve it?
    Updated grafana.ini file with correct client_id and client_secret and URLs. Have tested it with a few accounts and it is working.

  • What happened?
    I had a local account that I had created that got converted to an OAuth account (as the emails matched). It was a Grafana Admin as well as Org Admin.

I configured a new OAuth account that I wanted to be the Grafana and Org Admin (different email) and then removed the old converted account.

Trying to log back in as the non-admin account, I receive the error `login.OAuthLogin(NewTransportWithCode)`.

I believe something might have happened in the database(default sqlite3) that is causing this issue.

  • What did you expect to happen?
    The local account would be deleted and admin permissions revoked. Then the non-admin account would be created with the proper “Editor” role.

  • Can you copy/paste the configuration(s) that you are having problems with?
```ini
#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
http_port = 9001

# The public facing domain name used to access grafana from a browser
domain = [REDACTED]

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = %(protocol)s://%(domain)s:%(http_port)s/

# Serve Grafana from subpath specified in root_url setting. By default it is set to false for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = /etc/grafana/[REDACTED]-grafana-selfsigned.crt
cert_key = /etc/grafana/[REDACTED]-grafana-selfsigned.key

# Unix socket path
;socket =

# CDN Url
;cdn_url =

# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
# 0 means there is no timeout for reading the request.
;read_timeout = 0

#################################### Okta OAuth #######################
[auth.okta]
name = Okta
enabled = true
allow_sign_up = true
client_id = [REDACTED]
client_secret = [REDACTED]
scopes = openid profile email groups
auth_url = https://[REDACTED].okta.com/oauth2/v1/authorize
token_url = https://[REDACTED].okta.com/oauth2/v1/token
api_url = https://[REDACTED].okta.com/oauth2/v1/userinfo
;allowed_domains =
;allowed_groups =
role_attribute_path = contains(groups[], 'SW-Grafana-Admin') && 'Admin' || contains(groups[], 'SW-Grafana-Editor') && 'Editor' || contains(groups[*], 'SW-Grafana-Viewer') && 'Viewer'
role_attribute_strict = false
```

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

  • UI: login.OAuthLogin(NewTransportWithCode)

  • Logs: `The authorization code is invalid or has expired.` is the line that is odd, as it works for my admin account and other users' accounts.

Error Trace (non-admin):

```text
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:49:34.648552474Z level=info msg="Request Completed" method=GET path=/login/okta status=302 remote_addr=[REDACTED] time_ms=0 duration=435.886µs size=312 referer=https://[REDACTED]:9001/login traceID=00000000000000000000000000000000
logger=oauth t=2022-08-22T11:49:35.046329197Z level=info msg="state check" queryState=4cc995c83519a72550ed7ea75f1ee9fc52781be3929355aa3f274718b979bfc2 cookieState=4cc995c83519a72550ed7ea75f1ee9fc52781be3929355aa3f274718b979bfc2
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:49:35.764577792Z level=error msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}"
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:49:35.765272695Z level=error msg="Request Completed" method=GET path=/login/okta status=500 remote_addr=10.250.135.182 time_ms=719 duration=719.633514ms size=1365 referer= traceID=00000000000000000000000000000000
```

Good Trace (admin):

```text
logger=http.server t=2022-08-22T11:52:00.817263731Z level=info msg="Successful Logout" User=[REDACTED]
logger=context traceID=00000000000000000000000000000000 userId=9 orgId=1 uname=[REDACTED] t=2022-08-22T11:52:00.817409227Z level=info msg="Request Completed" method=GET path=/logout status=302 remote_addr=[REDACTED] time_ms=6 duration=6.034144ms size=29 referer=https://[REDACTED]:9001/admin/users traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:52:03.546008697Z level=info msg="Request Completed" method=GET path=/login/okta status=302 remote_addr=[REDACTED] time_ms=0 duration=559.446µs size=312 referer=https://[REDACTED]:9001/login traceID=00000000000000000000000000000000
logger=oauth t=2022-08-22T11:52:04.103118577Z level=info msg="state check" queryState=0352857c26a4eae55b1d393190fa0eb2ccbd18e68be899b29a1416d976897578 cookieState=0352857c26a4eae55b1d393190fa0eb2ccbd18e68be899b29a1416d976897578
logger=http.server t=2022-08-22T11:52:04.814734624Z level=info msg="Successful Login" User=[REDACTED]
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:52:04.815419185Z level=info msg="Request Completed" method=GET path=/login/okta status=302 remote_addr=[REDACTED] time_ms=713 duration=713.171884ms size=24 referer= traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=9 orgId=1 uname=[REDACTED] t=2022-08-22T11:52:05.367888019Z level=info msg="Request Completed" method=GET path=/api/live/ws status=0 remote_addr=10.250.135.182 time_ms=0 duration=960.224µs size=0 referer= traceID=00000000000000000000000000000000
```

The documentation is a little outdated. Instead of "Login redirect URI", Okta now shows it as "Sign-in redirect URIs".
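The `role_attribute_path` in the posted config decides which Grafana role (the expected "Editor" for the non-admin account) an Okta user receives. As an added example that is not part of the post and not Grafana's code, here is a small Python evaluator for exactly that expression shape, run against constructed userinfo claims; it is not a JMESPath implementation, and the fallback role `Viewer` used when `role_attribute_strict = false` is an assumption about the default org role.

```python
import re
from typing import Optional

# The mapping from the grafana.ini above, with straight quotes (the forum
# rendering turned the user's quotes into curly ones).
ROLE_ATTRIBUTE_PATH = (
    "contains(groups[], 'SW-Grafana-Admin') && 'Admin' || "
    "contains(groups[], 'SW-Grafana-Editor') && 'Editor' || "
    "contains(groups[*], 'SW-Grafana-Viewer') && 'Viewer'"
)

# One alternative:  contains(groups[*], 'GROUP') && 'ROLE'
# groups[] and groups[*] are both accepted, as both appear in the posted config.
_ALT = re.compile(r"^contains\(groups\[\*?\],\s*'([^']+)'\)\s*&&\s*'([^']+)'$")


def parse_role_mapping(expr: str) -> list:
    """Split the expression on '||' into ordered (group, role) pairs.

    Hand-rolled for this shape only: JMESPath '&&' yields the right operand
    when contains() is true, and '||' returns the first truthy alternative,
    so the pairs are evaluated strictly in the order written.
    """
    pairs = []
    for alt in expr.split("||"):
        m = _ALT.match(alt.strip())
        if not m:
            raise ValueError(f"unsupported alternative: {alt.strip()!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def resolve_role(userinfo: dict, expr: str = ROLE_ATTRIBUTE_PATH,
                 strict: bool = False, default_role: str = "Viewer") -> Optional[str]:
    """Return the role for a userinfo document.

    A user in several mapped groups gets the first matching role in the
    expression. With strict=False a user matching nothing falls back to
    default_role (assumed 'Viewer'); with strict=True Grafana denies the
    login, modelled here as None.
    """
    groups = userinfo.get("groups") or []
    for group, role in parse_role_mapping(expr):
        if group in groups:
            return role
    return None if strict else default_role


# Constructed userinfo claims for illustration, not real Okta responses.
EDITOR_USER = {"email": "editor@example.test", "groups": ["Everyone", "SW-Grafana-Editor"]}
ADMIN_AND_EDITOR = {"email": "admin@example.test", "groups": ["SW-Grafana-Editor", "SW-Grafana-Admin"]}
NO_GROUPS_CLAIM = {"email": "nobody@example.test"}  # 'groups' claim absent
```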