Openshift - Generic Oauth?

Hello everyone,

I am currently experiencing some troubles connecting a grafana instance deployed on openshift origin to the built-in oauth-provider of openshift (Everything except the oauth works for me).

What I did:

  • created an OAuthClient in OpenShift with:
oc create -f <(echo '
> kind: OAuthClient
> apiVersion: v1
> metadata:
>   name: grafana
> secret: grafana
> redirectURIs: 
>  - "https://grafana.localhost/login/generic_oauth"
> grantMethod: prompt 
> ')
  • added these lines to the grafana.ini:
[auth.generic_oauth]
enabled=true
client_id=grafana
client_secret=grafana
scopes= user:full, user:check-access
auth_url=https://10.0.2.15:8443/oauth/authorize
token_url=https://10.0.2.15:8443/oauth/token
api_url= https://10.0.2.15:8443/oapi/v1/users/
allowed_domains=
allow_sign_up=true

Then I deployed Grafana to OpenShift and tried to log in. I get this error message, but I don't really know what to make of it:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.","state":"tacgvvNlx3IsSZjrHzul3x2jE7HOM2wePXX3QjFF/34="}

Has anyone of you ever connected grafana to the openshift oauth? Would really appreciate any suggestions.

Best regards

kkraemer

Don't know, seems OpenShift's OAuth implementation is not supported; I don't have access to one to test with :(

Hello,

I do it the same way and I am redirected to the login screen of OpenShift. But after this, there is a problem for Grafana to fetch the right information:

t=2017-10-09T15:00:05+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=10.180.47.0 time_ms=0 size=29 referer=
t=2017-10-09T15:00:12+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=10.180.47.0 time_ms=0 size=299 referer=https://10.104.104.135:3000/login
t=2017-10-09T15:00:21+0000 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting user info: {\n "kind": "Status",\n "apiVersion": "v1",\n "metadata": {},\n "status": "Failure",\n "message": "scopes [user:info] prevent this action; User \"HolgerKoch\" cannot list all users in the cluster",\n "reason": "Forbidden",\n "details": {\n "kind": "users"\n },\n "code": 403\n}\n"
t=2017-10-09T15:00:21+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=10.180.47.0 time_ms=118 size=703 referer="https://console.inet-abnahme.ose.db.de/login?then=%2Foauth%2Fauthorize%3Faccess_type%3Donline%26client_id%3Dgrafana%26redirect_uri%3Dhttps%3A%2F%2F10.104.104.135%3A3000%2Flogin%2Fgeneric_oauth%26response_type%3Dcode%26scope%3Duser%3Ainfo%26state%3DhvZGugvSncELjo3WzhGr5N1zw6R7A1kSPT49%2FhPQv0Y%3D

Did you solve the problem? Or does anybody have a hint for me?

Best regards

Holger
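
Added example, not part of either post and not Grafana or OpenShift code: a small diagnostic that decodes the authorize request nested in the referer of the last log line above and checks it for the conditions listed in the invalid_request error description from the first post. The function names are hypothetical, and the exact-match redirect URI comparison and the registered URI list passed in are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Referer value copied from the last Grafana log line on this page
# (the logged value ends after the state parameter).
LOGGED_REFERER = (
    "https://console.inet-abnahme.ose.db.de/login?then=%2Foauth%2Fauthorize"
    "%3Faccess_type%3Donline%26client_id%3Dgrafana%26redirect_uri%3Dhttps%3A%2F%2F"
    "10.104.104.135%3A3000%2Flogin%2Fgeneric_oauth%26response_type%3Dcode"
    "%26scope%3Duser%3Ainfo%26state%3DhvZGugvSncELjo3WzhGr5N1zw6R7A1kSPT49%2FhPQv0Y%3D"
)

# Parameters RFC 6749 section 4.1.1 marks REQUIRED for an authorization request.
REQUIRED = ("response_type", "client_id")


def authorize_params(referer):
    """Return the parameters of the /oauth/authorize request nested in `then`."""
    outer = parse_qs(urlsplit(referer).query)
    then = outer["then"][0]  # parse_qs has already percent-decoded this once
    return parse_qs(urlsplit(then).query, keep_blank_values=True)


def requested_scopes(params):
    """Scopes are a space-delimited list in the scope parameter."""
    return params.get("scope", [""])[0].split()


def check_authorize(params, registered_redirect_uris):
    """List conditions that the invalid_request error description enumerates."""
    problems = []
    for name in REQUIRED:
        if name not in params:
            problems.append(f"missing required parameter: {name}")
    for name, values in params.items():
        if len(values) > 1:
            problems.append(f"parameter sent more than once: {name}")
    # Assumption: exact string comparison; the server may match differently.
    for uri in params.get("redirect_uri", []):
        if uri not in registered_redirect_uris:
            problems.append(f"redirect_uri not registered: {uri}")
    return problems


if __name__ == "__main__":
    params = authorize_params(LOGGED_REFERER)
    print("scopes requested:", requested_scopes(params))
    # Assumed registration list, constructed for this demo.
    print("problems:", check_authorize(
        params, ["https://10.104.104.135:3000/login/generic_oauth"]))
```

Pass the `redirectURIs` of the actual OAuthClient object as the second argument of `check_authorize` to compare against what the client really sent.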