ZITADEL + Grafana Generic OAuth Configuration

Hello! I am trying to set up ZITADEL to provide SSO for an Angular web app and Grafana, so that I can embed Grafana plots into the web app.
Here is the configuration that I made:

GF_AUTH_GENERIC_OAUTH_ENABLED=true
GF_AUTH_GENERIC_OAUTH_NAME=Zitadel OAuth
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<ZITADEL_PROJECT_CLIENT_ID>
GF_AUTH_GENERIC_OAUTH_USE_PKCE=true
GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN=true
GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles
GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://localhost:8080/oauth/v2/authorize
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://zitadel:8080/oauth/v2/token
GF_AUTH_GENERIC_OAUTH_API_URL=http://zitadel:8080/oidc/v1/userinfo

After clicking on the OAuth button on Grafana's login page I keep receiving an error:

logger=context userId=0 orgId=0 uname= t=2023-09-01T10:47:40.851902657Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=172.18.0.1 time_ms=0 duration=347.915µs size=396 referer=http://localhost:3000/login handler=/login/:name
logger=oauth t=2023-09-01T10:47:42.704640444Z level=info msg="state check" queryState=f316eb6ebf202255057064f3f1a0f45a2373e0304f10835ba9cf7728f80cf08f cookieState=f316eb6ebf202255057064f3f1a0f45a2373e0304f10835ba9cf7728f80cf08f
logger=context userId=0 orgId=0 uname= t=2023-09-01T10:47:42.707990045Z level=error msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: cannot fetch token: 404 Not Found\nResponse: ID=QUERY-n0wng Message=Instance not found\n"
logger=context userId=0 orgId=0 uname= t=2023-09-01T10:47:42.708049722Z level=error msg="Request Completed" method=GET path=/login/generic_oauth status=500 remote_addr=172.18.0.1 time_ms=3 duration=3.640827ms size=1365 referer= handler=/login/:name

Does anyone know what msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: cannot fetch token: 404 Not Found\nResponse: ID=QUERY-n0wng Message=Instance not found\n" means?

It looks like the request to the configured token URL returned a 404 response.

Hi, Zitadel co-founder here.

It looks to me like you run Zitadel on localhost:8080 (at least your authorization endpoint points to this, but not the API/token endpoint). If you want to use a different domain/port you need to configure it, or you need to tell a proxy to rewrite the host header.

You can configure externaldomain in Zitadel through an env or config. Read more here: Custom Domain | ZITADEL Docs

Btw. we have a Discord community on ZITADEL with a lot of resources for such questions.

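To make the Host-header point concrete, here is a small offline checker (added example, not code from the thread, Grafana or ZITADEL). It parses the GF_AUTH_GENERIC_OAUTH_* URLs from the question, derives the Host header Grafana's HTTP client would send for each endpoint, and compares it with the external address ZITADEL expects (its ExternalDomain/ExternalPort/ExternalSecure settings; the values "localhost", 8080 and insecure are assumed from the thread). Endpoints whose Host header differs are exactly the ones that would get the "Instance not found" 404 shown in the logs. The env block and ZITADEL values are constructed sample input.

```python
from urllib.parse import urlparse

# Constructed sample input: the Grafana generic OAuth URLs from the question,
# with the client id left as the same placeholder the poster used.
GRAFANA_ENV = """\
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<ZITADEL_PROJECT_CLIENT_ID>
GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://localhost:8080/oauth/v2/authorize
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=http://zitadel:8080/oauth/v2/token
GF_AUTH_GENERIC_OAUTH_API_URL=http://zitadel:8080/oidc/v1/userinfo
"""

# Assumed ZITADEL external address for this thread's setup
# (ExternalDomain / ExternalPort / ExternalSecure).
ZITADEL_EXTERNAL = {"domain": "localhost", "port": 8080, "secure": False}

URL_KEYS = (
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL",
    "GF_AUTH_GENERIC_OAUTH_API_URL",
)


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def host_header(url):
    """Host header an HTTP client sends for url: hostname, plus the port
    unless it is the scheme's default (80 for http, 443 for https)."""
    p = urlparse(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    if p.port is None or p.port == default:
        return p.hostname
    return f"{p.hostname}:{p.port}"


def expected_host(external):
    """Host value ZITADEL matches an incoming request against, built the same
    way (domain, plus port when it is not the default for the scheme)."""
    default = 443 if external["secure"] else 80
    if external["port"] == default:
        return external["domain"]
    return f"{external['domain']}:{external['port']}"


def check_endpoints(env, external):
    """Return {env key: (host header sent, matches ZITADEL external host)}.
    A False entry is a request ZITADEL will not map to an instance."""
    want = expected_host(external)
    findings = {}
    for key in URL_KEYS:
        url = env.get(key)
        if url is None:
            findings[key] = ("<missing>", False)
            continue
        sent = host_header(url)
        findings[key] = (sent, sent == want)
    return findings


if __name__ == "__main__":
    results = check_endpoints(parse_env(GRAFANA_ENV), ZITADEL_EXTERNAL)
    print(f"ZITADEL expects Host: {expected_host(ZITADEL_EXTERNAL)}")
    for key, (sent, ok) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {key}: Host: {sent}")
```

With the thread's values the authorize URL passes (Host: localhost:8080) while the token and userinfo URLs fail (Host: zitadel:8080), which is the asymmetry the co-founder describes: either the three URLs use the same external host, ZITADEL's external domain is set to the host the containers actually use, or a proxy in between rewrites the Host header.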

Thank you for your answer!
Yeah, the environment variables may appear slightly confusing, but I am trying to make it work on my PC with a Docker Compose setup with ZITADEL, Grafana, and Caddy images. The containers are on the same Docker network, so the token and API URLs (which are used by the Grafana container) refer to the ZITADEL Compose service.

So, as of now, the Grafana container is interacting directly with the ZITADEL container and, if I understand correctly, the HTTP requests have the wrong "Host" header due to the host configured in the URLs (zitadel:8080), which is not a known ZITADEL instance domain. Is that correct?

I read the "Custom Domain" guide, but it requires HTTPS. Is there any way to use HTTP (for development)?