Trying to troubleshoot oauth to okta

I’m trying to get Grafana to authenticate with Okta and I am using the instructions here: hhttps://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-okta using the docker image provided by grafana.

The config looks like:
GF_AUTH_BASIC_ENABLED=“True”
GF_AUTH_GENERIC_OAUTH_CLIENT_API_URL="hhttps://company.oktapreview.com/oauth2/v1/userinfo
GF_AUTH_GENERIC_OAUTH_CLIENT_AUTH_URL="hhttps://company.oktapreview.com/oauth2/v1/authorize
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=“MYID”
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=“MYSECRET”
GF_AUTH_GENERIC_OAUTH_CLIENT_TOKEN_URL="hhttps://compnay.oktapreview.com/oauth2/v1/token
GF_AUTH_GENERIC_OAUTH_ENABLED=“True”
GF_AUTH_GENERIC_OAUTH_NAME=“Okta”
GF_AUTH_GENERIC_OAUTH_SCOPES=“openid profile email”
GF_LOG_LEVEL=“debug”
GF_SERVER_DOMAIN=“grafana-dev.company.com
GF_SERVER_PROTOCOL=“https”
GF_SERVER_ROOT_URL=“hhttps://grafana-dev.company.com/”

When I click on the oauth login the only thing I get in the logs is this:

t=2019-09-13T18:44:31+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=###### time_ms=0 size=261 referer=“hhttps://grafana-dev.company.com/login?access_type=online&client_id=0oandzes8imEguIlG0h7&redirect_uri=https:%2F%2Fgrafana-dev.company.com%2Flogin%2Fgeneric_oauth&response_type=code&scope=openid&state=4zMcHlaSQsV4tI5B7OT5mrc6Fl5wE42dLZcBi_WSpTs%3D”

If I have autologin set to true, it’ll just keep looping over and over until I an error that there were too many redirects.

Checking my cookies I have an oauth_state which is set, and a redirect_to cookie that is set to %252F

I’m not sure how to debug this any further, the okta admin says they see the client hitting the server, and the client isn’t throwing any error messages, it just won’t login.

Is there anything else I can check to debug this issue?

(Note all the hhttps above are intentional as new users can only post 2 links per post and those are being counted)

thanks,
matt

Is the compnay typo in GF_AUTH_GENERIC_OAUTH_CLIENT_TOKEN_URL present in your config?

Forget it, that is just your obfuscation…

You should see 2 requests hitting Grafana, one that redirects you out to okta, then another when you get sent back. One thing you can try is to enable devtools in your browser and watch the requests in the network traffic tab. You should see one request to /login/generic_oauth that returns a redirect out to okta, then a request to okta that returns either a page for you to log in and/or authorize (if you haven’t already) and a response that redirects you back to grafana.

This is the network traffic I’m seeing, So I should see something that is reaching out to the okta server here?

Hmm, that seems like the redirect uri might not be set properly in okta, you should check in the definition of the client in okta that it’s set to https://grafana-dev.company.com/login/generic_oauth and not https://grafana-dev.company.com/login/

(btw, i’m not an okta expert) but, I think it is configured correctly:

Thanks for all your suggestions.