forked from grafana/grafana
-
Notifications
You must be signed in to change notification settings - Fork 19
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch '12886-docs-authentication-section'
- Loading branch information
Showing
11 changed files
with
603 additions
and
535 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,172 @@ | ||
+++ | ||
title = "OAuth authentication" | ||
description = "Grafana OAuthentication Guide " | ||
keywords = ["grafana", "configuration", "documentation", "oauth"] | ||
type = "docs" | ||
[menu.docs] | ||
name = "Generic OAuth2" | ||
identifier = "generic_oauth" | ||
parent = "authentication" | ||
weight = 3 | ||
+++ | ||
|
||
# Generic OAuth Authentication | ||
|
||
You can configure many different oauth2 authentication services with Grafana using the generic oauth2 feature. Below you | ||
can find examples using Okta, BitBucket, OneLogin and Azure. | ||
|
||
This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of `/login/generic_oauth`. | ||
|
||
Example config: | ||
|
||
```bash | ||
[auth.generic_oauth] | ||
enabled = true | ||
client_id = YOUR_APP_CLIENT_ID | ||
client_secret = YOUR_APP_CLIENT_SECRET | ||
scopes = | ||
auth_url = | ||
token_url = | ||
api_url = | ||
allowed_domains = mycompany.com mycompany.org | ||
allow_sign_up = true | ||
``` | ||
|
||
Set api_url to the resource that returns [OpenID UserInfo](https://connect2id.com/products/server/docs/api/userinfo) compatible information. | ||
|
||
## Set up OAuth2 with Okta | ||
|
||
First set up Grafana as an OpenId client "webapplication" in Okta. Then set the Base URIs to `https://<grafana domain>/` and set the Login redirect URIs to `https://<grafana domain>/login/generic_oauth`. | ||
|
||
Finally set up the generic oauth module like this: | ||
```bash | ||
[auth.generic_oauth] | ||
name = Okta | ||
enabled = true | ||
scopes = openid profile email | ||
client_id = <okta application Client ID> | ||
client_secret = <okta application Client Secret> | ||
auth_url = https://<okta domain>/oauth2/v1/authorize | ||
token_url = https://<okta domain>/oauth2/v1/token | ||
api_url = https://<okta domain>/oauth2/v1/userinfo | ||
``` | ||
|
||
## Set up OAuth2 with Bitbucket | ||
|
||
```bash | ||
[auth.generic_oauth] | ||
name = BitBucket | ||
enabled = true | ||
allow_sign_up = true | ||
client_id = <client id> | ||
client_secret = <client secret> | ||
scopes = account email | ||
auth_url = https://bitbucket.org/site/oauth2/authorize | ||
token_url = https://bitbucket.org/site/oauth2/access_token | ||
api_url = https://api.bitbucket.org/2.0/user | ||
team_ids = | ||
allowed_organizations = | ||
``` | ||
|
||
## Set up OAuth2 with OneLogin | ||
|
||
1. Create a new Custom Connector with the following settings: | ||
- Name: Grafana | ||
- Sign On Method: OpenID Connect | ||
- Redirect URI: `https://<grafana domain>/login/generic_oauth` | ||
- Signing Algorithm: RS256 | ||
- Login URL: `https://<grafana domain>/login/generic_oauth` | ||
|
||
then: | ||
2. Add an App to the Grafana Connector: | ||
- Display Name: Grafana | ||
|
||
then: | ||
3. Under the SSO tab on the Grafana App details page you'll find the Client ID and Client Secret. | ||
|
||
Your OneLogin Domain will match the url you use to access OneLogin. | ||
|
||
Configure Grafana as follows: | ||
|
||
```bash | ||
[auth.generic_oauth] | ||
name = OneLogin | ||
enabled = true | ||
allow_sign_up = true | ||
client_id = <client id> | ||
client_secret = <client secret> | ||
scopes = openid email name | ||
auth_url = https://<onelogin domain>.onelogin.com/oidc/auth | ||
token_url = https://<onelogin domain>.onelogin.com/oidc/token | ||
api_url = https://<onelogin domain>.onelogin.com/oidc/me | ||
team_ids = | ||
allowed_organizations = | ||
``` | ||
|
||
### Set up OAuth2 with Auth0 | ||
|
||
1. Create a new Client in Auth0 | ||
- Name: Grafana | ||
- Type: Regular Web Application | ||
|
||
2. Go to the Settings tab and set: | ||
- Allowed Callback URLs: `https://<grafana domain>/login/generic_oauth` | ||
|
||
3. Click Save Changes, then use the values at the top of the page to configure Grafana: | ||
|
||
```bash | ||
[auth.generic_oauth] | ||
enabled = true | ||
allow_sign_up = true | ||
team_ids = | ||
allowed_organizations = | ||
name = Auth0 | ||
client_id = <client id> | ||
client_secret = <client secret> | ||
scopes = openid profile email | ||
auth_url = https://<domain>/authorize | ||
token_url = https://<domain>/oauth/token | ||
api_url = https://<domain>/userinfo | ||
``` | ||
|
||
### Set up OAuth2 with Azure Active Directory | ||
|
||
1. Log in to portal.azure.com and click "Azure Active Directory" in the side menu, then click the "Properties" sub-menu item. | ||
|
||
2. Copy the "Directory ID", this is needed for setting URLs later | ||
|
||
3. Click "App Registrations" and add a new application registration: | ||
- Name: Grafana | ||
- Application type: Web app / API | ||
- Sign-on URL: `https://<grafana domain>/login/generic_oauth` | ||
|
||
4. Click the name of the new application to open the application details page. | ||
|
||
5. Note down the "Application ID", this will be the OAuth client id. | ||
|
||
6. Click "Settings", then click "Keys" and add a new entry under Passwords | ||
- Key Description: Grafana OAuth | ||
- Duration: Never Expires | ||
|
||
7. Click Save then copy the key value, this will be the OAuth client secret. | ||
|
||
8. Configure Grafana as follows: | ||
|
||
```bash | ||
[auth.generic_oauth] | ||
name = Azure AD | ||
enabled = true | ||
allow_sign_up = true | ||
client_id = <application id> | ||
client_secret = <key value> | ||
scopes = openid email name | ||
auth_url = https://login.microsoftonline.com/<directory id>/oauth2/authorize | ||
token_url = https://login.microsoftonline.com/<directory id>/oauth2/token | ||
api_url = | ||
team_ids = | ||
allowed_organizations = | ||
``` | ||
|
||
<hr> | ||
|
||
|
Oops, something went wrong.