Replies: 1 comment
I have it working now @MrSeven3. I'm configuring Grafana OSS via Environment Variables within Docker Compose, so if you're using the config file you'll have to translate these options to the correct format. These are the environment variables that I've set up for my Grafana container.

```yaml
# Configure the root server URL, needed for the redirect URL to be correct.
- "GF_SERVER_ROOT_URL=https://${FQDN}"
# Enable OAUTH support
- "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
# Set the name of the login button
- "GF_AUTH_GENERIC_OAUTH_NAME='Voidauth'"
# Configure the OIDC Client ID
- "GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}"
# Configure the OIDC Client Secret
- "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}"
# Configure the Auth URL - This is as found in the VoidAuth OIDC Apps under "OIDC Information" -> "Authorization Endpoint"
- "GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://${AUTH_DOMAIN}/oidc/auth"
# Configure the UserInfo URL - This is as found in the VoidAuth OIDC Apps under "OIDC Information" -> "UserInfo Endpoint"
- "GF_AUTH_GENERIC_OAUTH_API_URL=https://${AUTH_DOMAIN}/oidc/me"
# Configure the Token Endpoint - This is as found in the VoidAuth OIDC Apps under "OIDC Information" -> "Token Endpoint"
- "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://${AUTH_DOMAIN}/oidc/token"
# Set the OIDC Scopes - This is as per the Grafana documentation, with one change
# I've removed 'roles' and am using 'groups' instead, so access is managed by groups
- "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access groups"
# Set Attribute Paths for email, username, and full_name
- "GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email"
- "GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=username"
- "GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=full_name"
# Enable Proof Key for Code Exchange - This is as per the Grafana documentation
- "GF_AUTH_GENERIC_OAUTH_USE_PKCE=true"
# Enable Refresh Tokens - This is as per the Grafana documentation
- "GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN=true"
# NOTE: This is likely to need changing for your environment
# This is for mapping groups inside VoidAuth to Grafana roles
# If a user has the VoidAuth group grafana_admin, they get admin rights in Grafana, if they have the VoidAuth group grafana_editor, they get editor rights in Grafana
# If a user isn't in any of these groups, but still has access, they'll be given viewer rights in Grafana
# Both branches read the 'groups' claim: only the 'groups' scope is requested above, so a 'roles' claim is never present and a branch on roles[*] would always fall through to Viewer
- "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'"
# Allow Grafana Admin to be assigned via OAUTH roles
- "GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true"
```

So then there's also a corresponding

```env
# The domain that Voidauth is running on
AUTH_DOMAIN=auth.mydomain.com
# The domain that Grafana is available on
FQDN=grafana.mydomain.com
# The value of the Client ID within VoidAuth
OAUTH_CLIENT_ID=secretvalue
# The value of the Client Secret within VoidAuth
OAUTH_CLIENT_SECRET=secretvalue
```

Further to this, my VoidAuth config for the OIDC app is:

The end result of all of this is that clicking the login button on Grafana takes me to VoidAuth, then back through to Grafana with roles mapped.
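Grafana evaluates `role_attribute_path` as a JMESPath expression against the userinfo/ID-token claims, and a branch that reads a claim the requested scopes never deliver silently falls through to the default role. The following is an added example, not code from this thread or from Grafana or VoidAuth: a deliberately tiny evaluator that understands only the `contains(claim[*], 'value') && 'Role' || ... || 'Default'` shape used above (it is a stand-in assumption, not Grafana's real JMESPath engine), run against constructed sample claims. It shows that an editor branch on `roles[*]` yields `Viewer` for a user who is only in `grafana_editor`, while the same branch on `groups[*]` yields `Editor`, and reports which claims an expression reads that the response never provides.

```python
import re

# Constructed sample userinfo claims, shaped like the attribute paths used in the
# thread (email, username, full_name, groups); the values are made up.
SAMPLE_CLAIMS = {
    "email": "alice@example.com",
    "username": "alice",
    "full_name": "Alice Example",
    "groups": ["grafana_editor", "ops"],
}

# An editor branch reading a 'roles' claim (never delivered when only the
# 'groups' scope is requested) beside the same branch reading 'groups'.
ROLE_EXPR_ROLES_CLAIM = (
    "contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || "
    "contains(roles[*], 'grafana_editor') && 'Editor' || 'Viewer'"
)
ROLE_EXPR_GROUPS_CLAIM = (
    "contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || "
    "contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'"
)

# Roles Grafana accepts from role_attribute_path (GrafanaAdmin only takes
# effect when allow_assign_grafana_admin is enabled).
VALID_ROLES = {"Viewer", "Editor", "Admin", "GrafanaAdmin"}

# One `contains(<claim>[*], '<value>') && '<role>'` branch of the expression.
BRANCH_RE = re.compile(r"contains\((\w+)\[\*\],\s*'([^']*)'\)\s*&&\s*'([^']*)'")


def parse_role_expression(expr):
    """Split the expression into ordered (claim, value, role) branches plus the
    trailing default role. Only this contains()/&&/|| shape is understood; it is
    a simplified stand-in for Grafana's real JMESPath evaluator, not a copy."""
    head, sep, tail = expr.rpartition("||")
    default = re.fullmatch(r"\s*'([^']*)'\s*", tail)
    if not sep or default is None:
        raise ValueError("expression must end with || '<DefaultRole>'")
    branches = BRANCH_RE.findall(head)
    if not branches:
        raise ValueError("no contains(...) && '<Role>' branches found")
    for _, _, role in branches + [(None, None, default.group(1))]:
        if role not in VALID_ROLES:
            raise ValueError(f"{role!r} is not a Grafana role")
    return branches, default.group(1)


def evaluate_role(expr, claims):
    """Return the role of the first branch whose claim list contains the value,
    else the default. A claim absent from the response counts as an empty list,
    which is exactly how a branch on roles[*] ends up as Viewer."""
    branches, default = parse_role_expression(expr)
    for claim, value, role in branches:
        members = claims.get(claim) or []
        if isinstance(members, list) and value in members:
            return role
    return default


def missing_claims(expr, claims):
    """Claims the expression reads but the userinfo response never provides."""
    branches, _ = parse_role_expression(expr)
    return sorted({claim for claim, _, _ in branches} - set(claims))


if __name__ == "__main__":
    for label, expr in (("roles[*] branch", ROLE_EXPR_ROLES_CLAIM),
                        ("groups[*] branch", ROLE_EXPR_GROUPS_CLAIM)):
        print(label, "->", evaluate_role(expr, SAMPLE_CLAIMS),
              "| claims read but absent:", missing_claims(expr, SAMPLE_CLAIMS))
```

Running the block prints `Viewer` for the `roles[*]` variant and `Editor` for the `groups[*]` variant on the same sample user, with `['roles']` flagged as a claim the response never contains. Before going live, feed the real claims you see in the userinfo response into `missing_claims` with your own expression; an empty list is the check that every branch can actually match.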
I can't find a valid config that Voidauth accepts. Every time I click the signin button on Grafana, I get sent back to the Grafana login, and Voidauth logs that `oidc-provider:authentication:error { error: 'access_denied`. I have no idea why it does this, as all the secrets should be configured correctly. Grafana doesn't log anything meaningful. Does anyone know how it should work?