Using Grafana user credentials for custom plugin backend

A question regarding authentication for a custom plugin…hopefully this explanation of our situation makes sense:

  • We are using Grafana’s own authentication and authorization engine for managing users and credentials
  • We are developing a custom panel plugin to display a particular user interface
  • That custom panel relies on a back-end API endpoint that’s separate from the Grafana back-end (but could be hosted on the same server, if that makes a difference)
  • We would like to use the Grafana user credentials in order to manage access to that back-end service. That is, we’d like the back-end service to be able to check whether the request is coming from a properly authenticated user

I appreciate the above is somewhat open-ended, but would appreciate any thoughts on the best way to make that happen.

Is it possible for our back-end API to for example verify authentication based on the user’s session cookie? @daniellee, should we be looking at something like what you describe in SimpleJson datasource plugin - send user/pass in request?

Or should we be looking at a completely different way to implement this? We did for example consider OAuth, but the stumbling block there is that we’d really rather just use Grafana’s existing UI to manage a single database with users (+ teams and roles), rather than have a separate UI for managing the OAuth users. AuthProxy also doesn’t seem to be a great solution for the same reason.

Thanks in advance for any pointers!

Don't think this is possible right now. Your best approach would be to move authentication to nginx/apache and use the Grafana auth proxy feature (and implement a similar feature in your backend API).
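The "similar feature in your backend API" suggested in the reply above, as an added example that is not part of the original thread or Grafana's own code: a WSGI endpoint that accepts the proxy-asserted username only when the TCP peer is the reverse proxy. It assumes the proxy sets `X-WEBAUTH-USER` (Grafana's default `header_name` for `[auth.proxy]`) and listens on loopback; `proxy_user`, `app` and `call` are hypothetical names.

```python
import ipaddress
from wsgiref.util import setup_testing_defaults

# Assumptions (not from the thread): the reverse proxy authenticates the user,
# overwrites any client-supplied copy of the header, and runs on loopback.
USER_HEADER = "HTTP_X_WEBAUTH_USER"  # WSGI spelling of X-WEBAUTH-USER
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def proxy_user(environ, trusted=TRUSTED_PROXIES):
    """Return the proxy-asserted username, or None if the request is not trusted."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    # The header only means something when the peer is the proxy itself;
    # any other client can set it to an arbitrary value.
    if not any(peer in net for net in trusted):
        return None
    user = environ.get(USER_HEADER, "").strip()
    return user or None


def app(environ, start_response):
    """Minimal backend endpoint guarded by the proxy header."""
    user = proxy_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def call(remote_addr, header_value=None):
    """Drive app() with a constructed request; returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    if header_value is not None:
        environ[USER_HEADER] = header_value
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```

The same trust boundary applies to Grafana itself: its auth proxy setting should only be reachable through the proxy, otherwise the header can be forged by any client.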

Thanks for the quick feedback @torkel! On that note, do you think there would be a meaningful functional difference between using an auth proxy vs OAuth? (where in the latter case our back-end would verify the respective token). Just asking since if we’re going to be going down that route, we’ll probably have a slight preference for OAuth2 (e.g. through Auth0), rather than the proxy method.

For what it’s worth, our reluctance with respect to going with an external authentication mechanism is mostly due to the desire to centralize the user and team management in one place (i.e. Grafana), rather than have a couple of different interfaces that are only partially synced. If I’m not mistaken, there isn’t currently support for any external auth services that can for example also provide Grafana with user team memberships?

Thanks again!