user8685697
Reputation: 11

How to do Grafana authentication with Nginx and Okta

How do you configure Grafana authentication to go through Okta?

I've looked at a couple of different resources already, so currently what I have is an Nginx server that proxies requests to my Grafana server. However, when I try to add in reverse proxying to Okta, I get back a 500 response. I've been trying to set up Grafana's auth.proxy as well as Nginx's http_auth_proxy_request_module.

Here are my configs for Grafana:

[server]
root_url = %(protocol)s://$(domain)s:/grafana

[auth.proxy]
enabled = true
header_name = X-Webauth-User
header_property = username
auto_sign_up = true

Here are my configs for Nginx:

server {
    location /grafana {
        auth_request /auth;
        auth_request_set $user $upstream_http_x_user;
        proxy_set_header x-user $user;
        proxy_pass http://localhost:3000;
        rewrite ^/grafana(.*) /$1 break;
    }
    location /auth {
        proxy_pass https://myorg.okta.com/home/app/key;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original_URI $request_uri;
    }

I'm new to all of this so any tips or help and some explanations would be greatly appreciated. Cheers!

Upvotes: 1

Views: 6265

Answers (2)

Gorav Singal

Reputation: 538

I also faced this, and I used the Docker image of Grafana and Nginx, with SSL on. I wrote up my solution here: https://www.gyanblog.com/gyan/how-configure-grafana-dashboard-oauth-okta-ssl-docker-nginx/

You just need to get the Okta client ID and secret. Also, configure the login redirect URL to: https:///login/generic_oauth

The rest is simple.

Upvotes: 0

AussieDan

Reputation: 2176

The simplest way to integrate Grafana with Okta is to use the Generic OAuth2.0 login module. You'll need to set up Grafana as an OpenID client "web application" in Okta. Set the Base URIs to https://<grafana domain>/ and set the Login redirect URIs to https://<grafana domain>/login/generic_oauth.

Then set up the generic oauth module in Grafana like:

[auth.generic_oauth]
name = Okta
enabled = true
scopes = openid profile email
client_id = <okta application Client ID>
client_secret = <okta application Client Secret>
auth_url = https://<okta domain>/oauth2/v1/authorize
token_url = https://<okta domain>/oauth2/v1/token
api_url = https://<okta domain>/oauth2/v1/userinfo

Upvotes: 3
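A pre-deployment check for the generic OAuth setup described in the answer above, as an added example that is not part of either answer or of Grafana. It assumes Grafana builds its callback as root_url plus login/generic_oauth, so a sub-path such as /grafana (as in the question) changes the Login redirect URI that Okta must list; the hostnames, credentials and function names are constructed placeholders.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: hostnames and credentials are placeholders, not real values.
SAMPLE_INI = """
[server]
root_url = https://grafana.example.com/grafana/

[auth.generic_oauth]
scopes = openid profile email
client_id = 0oaEXAMPLE
client_secret = EXAMPLE-SECRET
auth_url = https://example.okta.com/oauth2/v1/authorize
token_url = https://example.okta.com/oauth2/v1/token
api_url = http://example.okta.com/oauth2/v1/userinfo
"""

def expected_redirect_uri(root_url):
    # Assumption: Grafana derives the callback from root_url + login/generic_oauth.
    return root_url.rstrip("/") + "/login/generic_oauth"

def check_oauth_config(ini_text, registered_redirects):
    """Return a list of problems found in a grafana.ini generic OAuth setup."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cfg.read_string(ini_text)
    oauth = cfg["auth.generic_oauth"]
    problems, hosts = [], set()
    for key in ("auth_url", "token_url", "api_url"):
        url = urlsplit(oauth.get(key, ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key} must be an absolute https URL")
        else:
            hosts.add(url.hostname)
    if len(hosts) > 1:
        problems.append("endpoints point at different hosts: " + ", ".join(sorted(hosts)))
    if "openid" not in oauth.get("scopes", "").replace(",", " ").split():
        problems.append("scopes is missing 'openid'")
    root_url = cfg.get("server", "root_url", fallback="")
    if "%(" in root_url or not root_url.startswith("https://"):
        problems.append("root_url is not a literal https URL; cannot derive the callback")
    elif expected_redirect_uri(root_url) not in registered_redirects:
        problems.append("Okta is missing redirect URI " + expected_redirect_uri(root_url))
    return problems

if __name__ == "__main__":
    for p in check_oauth_config(SAMPLE_INI, {"https://grafana.example.com/login/generic_oauth"}):
        print("-", p)
```

The second argument is the set of Login redirect URIs registered on the Okta application; the sample run reports the plain-http userinfo endpoint and the callback that does not account for the /grafana sub-path.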
