I am pulling from grafana:latest. Everything is proxied, currently locally, behind basic auth. This is to authenticate for static dashboards. I also wanted to implement github auth for admin. So I created my OAuth app, set it up, etc etc.
The problem is, my email is private and so is not returned in the user endpoint (https://api.github.com/user). I tried matching the username to the login field, to no avail.
So I tried to set up generic auth. This way, I could hit /user/emails instead which does return a list of primary/secondary associated emails.
The problem with this is: “json: cannot unmarshal array into Go value of type connectors.UserInfoJson”. There is no way, as far as I know, to map this data as it expects a top-level json response.
My question is: how have other people achieved this? Thanks
Thanks. I appreciate the help.
I have already meticulously followed both this process and many others. It does not work.
I am not interested in mapping roles - I simply want to map a pre-configured user to a github login. The user info endpoint for github does not return an email when the email is not public, even when it is verified. Grafana does not fall back on /user/emails nor does it match on ‘uname’.
As a result, I tried to set up generic auth. The issue with this is described above - the format of the return from /user/emails is multiple email objects in an array, which throws an error.
So what do I do - do I need to switch on auto sign up, try to create an account through github auth, then immediately disable? Not safe for prod.
Do I need to map roles first? I don’t see this as a solution as it doesn’t ‘know’ that the account exists in the first place.
Suggestions?
Thanks
It is not clear what you want.
Do you need proper user values without additional infra? Then fork&patch that structure and build your own Grafana. There is no way for that in Grafana.
Do you want to make it work somehow? Then remap those attributes (see generic oauth configs *_attribute_path) to attributes which you have available in the access token - what will happen if email won’t be a real email, but username for example? I guess only username must be unique.
Or find an auth proxy which works fine with Github explicitly and use it in front of Grafana + use Grafana in auth proxy mode.
Thanks, I appreciate your help.
Trying to map in generic OAuth was the second thing I tried and it didn’t work due to the error outlined in the first post.
This is already being proxied to provide a layer over public dashboards. I wasn’t looking for anyone to add functionality - only someone who had successfully managed to map pre-existing users to a github oauth provider. My assumption was that this was possible, but I don’t think it is.
That’s fine. I can engineer a different solution. No harm, and thank you all for your time!
You didn’t provide a reproducible example and debug logs, so nobody is able to tell you what’s wrong exactly.
Apologies. I did some more testing and it is not to do with the lack of calls to /user/emails as running in debug shows this.
So in summary:
- Signing in, with allow sign up, using a github account with a unique email creates an account
- Creating a user via the UI /users works
- Creating a user then attempting to log in to a github account with a matching email/details does not link them - it throws “user sync failed”
That’s an insecure approach. But you may try
Thanks, that’s useful. Email based linking is more secure in my case as I want it to be a closed door. Whether this is automatic or manual is irrelevant, so I think your link will do the trick. I appreciate it.
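The unmarshal error quoted in the first post, reproduced as an added example (not part of the thread and not Grafana's code): the array returned by /user/emails cannot be decoded into a top-level object, and any email-based linking should key only on the entry that is both primary and verified. The `userInfo` type is a hypothetical stand-in for `connectors.UserInfoJson`, and the sample response is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// userInfo is a hypothetical stand-in for a top-level object type such as connectors.UserInfoJson.
type userInfo struct{ Email string }

// ghEmail is one element of the /user/emails array (JSON keys match case-insensitively).
type ghEmail struct {
	Email             string
	Primary, Verified bool
}

// Constructed sample response; the addresses are placeholders.
const sampleEmails = `[
 {"email":"old@example.com","primary":false,"verified":true},
 {"email":"unverified@example.com","primary":false,"verified":false},
 {"email":"admin@example.com","primary":true,"verified":true}
]`

// DecodeAsObject reproduces the failure: a JSON array cannot fill a struct.
func DecodeAsObject(body string) error {
	var u userInfo
	return json.Unmarshal([]byte(body), &u)
}

// PrimaryVerifiedEmail decodes the array form and returns the one address
// suitable for matching a pre-created user: primary AND verified.
func PrimaryVerifiedEmail(body string) (string, error) {
	var emails []ghEmail
	if err := json.Unmarshal([]byte(body), &emails); err != nil {
		return "", err
	}
	for _, e := range emails {
		if e.Primary && e.Verified {
			return e.Email, nil
		}
	}
	return "", errors.New("no primary verified email")
}

func main() {
	fmt.Println(DecodeAsObject(sampleEmails))
	fmt.Println(PrimaryVerifiedEmail(sampleEmails))
}
```

Rejecting unverified entries matters for the linking case discussed above, since an unverified address proves nothing about who controls it.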