Two-factor authentication in Grafana 8.3.0

Team,

I am using Grafana version 8.3.0 on my side.

OS: Linux 22.04

I want to install two-factor authentication like Google Authenticator.

Can anyone help here with how we can do it?

The easiest option is to use OAuth/SAML authentication and point to an OAuth/SAML IDP server which has support for the required MFA method (TOTP, HOTP, push, passwordless, RSA, …).

Hi @jangaraj

Thanks for the quick response

But one question: with this authentication, does it first ask the user to log in with an authenticator like Duo Mobile or Google Authenticator?

And I am using open-source Grafana, so is it applicable?

@jangaraj

Does OAuth mean I need to follow the authentication below?

Yes, OSS Grafana has support for OAuth.

The whole login process then depends on the IDP server used. Nothing is stopping you from configuring the IDP to require a token from an RSA hardware key, then a TOTP from a TOTP app (Microsoft/Google Authenticator, Authy, …), and then confirmation of a push notification on the phone. Your users will hate you, but it is possible.

IMHO the most user-friendly and modern option is passwordless MFA.

But this is not a Grafana topic; it is a topic about the IDP server used. You just need to configure Grafana to use OAuth and that’s the whole config on the Grafana side.

Hi @jangaraj

I am using Grafana in my company environment, so how can I generate the OAuth URL and token URL?

Is it compulsory to create a new page like the Google login page?

The OAuth URL, token URL and login page are provided by your IDP server. It is not compulsory, it is by design: your app will “outsource” authentication to the IDP server, and the app trusts the user identity provided by the IDP (but with cryptographic validation).

A typical developer/user will be crying: I have a cool app (reactive SPA, material design, …) and now I have to use an ugly IDP login page. But again, check the docs of the IDP used. They may allow you to customize the login page, so it may match the app design (if that is a requirement).
Example: the dev is using Vuetify, so Vuetify can be used in the login page (Keycloak is the IDP in this particular case): GitHub - jangaraj/vuetify-keycloak-theme: Proof of concept: how to use Vuetify in Keycloak theme
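
An added example, not part of the thread and not any poster's configuration: a `grafana.ini` fragment for the generic OAuth setup discussed above, including the settings that keep users from signing in around the IDP and its MFA. Hostnames, endpoint paths, the provider name and the client ID/secret are placeholders; the real endpoint URLs come from the IDP.

```ini
; Added example. All hostnames, paths and client values below are placeholders.

[server]
; Public URL of Grafana. The redirect URI to register at the IDP is
; <root_url>login/generic_oauth
root_url = https://grafana.example.com/

[auth.generic_oauth]
enabled = true
; Label shown on the "Sign in with ..." button
name = Company SSO
allow_sign_up = true
; Issued by the IDP when Grafana is registered there as a client
client_id = GRAFANA_CLIENT_ID_PLACEHOLDER
client_secret = GRAFANA_CLIENT_SECRET_PLACEHOLDER
scopes = openid profile email
; These three endpoints are published by the IDP, not generated in Grafana.
; Copy them from the IDP's documentation or admin console.
auth_url = https://idp.example.com/authorize
token_url = https://idp.example.com/token
api_url = https://idp.example.com/userinfo

[auth]
; Hide the local username/password form. If it stays visible, accounts with
; a local Grafana password can still log in without passing the IDP's MFA.
disable_login_form = true
; Optional: skip the Grafana login page and redirect straight to the IDP
oauth_auto_login = true

[auth.basic]
; Basic auth accepts local Grafana passwords on HTTP requests, which would
; also bypass the IDP. Check for scripts that rely on it before disabling.
enabled = false
```

MFA itself (TOTP, push, passwordless, …) is then enforced in the IDP's own login policy; nothing in this file selects the second factor.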

@jangaraj Thanks for the update

In Grafana 8.3, can we use any OAuth authentication like Google, GitHub, etc.?

Yes, any OAuth 2 (eventually any with OpenID Connect, which is another protocol on top of OAuth): List of OAuth providers - Wikipedia

Thanks for the update @jangaraj