Reputation: 41
Trying to set up OAUTH 2 for access to Grafana (https by openssl)
Grafana v8.0.5 is hosted on AWS EC2 and accessed via a subdomain. It has been working fine for months, but the time came to improve security, hence https & OAuth.
I followed this link and configured https access & SSL. Worked like a charm!
I followed this link to configure Google OAuth here. Below are the server options in grafana.ini:

```ini
[server]
# Protocol (http, https, h2, socket)
protocol = https
# The ip address to bind to, empty will bind to all interfaces
;http_addr =
# The http port to use
http_port = 3000
#;http_port = 80
# The public facing domain name used to access grafana from a browser
domain = grafana.redacted.io
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://grafana.redacted.io/login/google/
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to
# `false` for compatibility reasons.
;serve_from_sub_path = false
```
Google auth options in grafana.ini are:

```ini
[auth.google]
enabled = true
allow_sign_up = false
client_id = theClientIdFromGoogleCloudConsole
client_secret = theClientSecretFromGoogleCloudConsole
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
allowed_domains = redacted.io
```

Google Console settings:
Authorised JS origins: https://grafana.redacted.io:3000
Authorised redirect URIs: https://grafana.redacted.io/login/google

Grafana service restarted and instance restarted.

Visiting URLs:
1. https://grafana.redacted.io:3000 forwards to https://grafana.redacted.io:3000/login/google/login - page won't load
2. https://grafana.redacted.io:3000/login loads a page with text telling me: "If you host grafana under subpath make sure your grafana.ini root_url setting includes subpath. If not using a reverse proxy make sure to set serve_from_sub_path to true."
Try:

```ini
serve_from_sub_path = true
```

Then revisit URL 2; the login page will load with the Google Auth button. Clicking it loads "Error 400: redirect_uri_mismatch". This is obviously not correct and, reading the specs, I know I need this to be false.
redirect_uri: https://grafana.redacted.io/login/google/login/google
Try:

```ini
root_url = https://grafana.redacted.io:3000/login/google
serve_from_sub_path = false
```

Update the Google Console redirect URL to equal root_url. Revisit URL 2 (above) and the login screen loads again; click Google, Safari error:
Too many redirects occurred trying to open "https://grafana.redacted.io:3000/login/google/login"
Why the extra /login again?
OK, so I can get all the way through to signing in with Google. Try:

```ini
root_url = https://grafana.redacted.io/
serve_from_sub_path = false
```

Google Console left as: https://grafana.redacted.io/login/google. Visit link 2 above: page loads, sign-in screen appears, 2FA on Google all good, then
"Safari can't open the page "https://grafana.redacted.io/login/google?state...etc.etc.""
Why, when all redirects are set equal, is a /login being appended to the URL? I've spent ages on this and would really appreciate some help. Thanks
Upvotes: 2
Views: 3218
Reputation: 41
In grafana.ini (v8.0.5), whenever I set the root_url to that directed by the Grafana Google OAuth2 docs, it added stuff to the URL and this threw a redirect mismatch error.
Thanks @DalmTo for the video link. I took this and experimented; follow below.

grafana.ini:

```ini
root_url = https://grafana.redacted.io:3000/xxxx/
serve_from_sub_path = true
```

The "xxxx" can be anything except the word "login". I've tried some random stuff and it all works, except using the word login; I'm actually using "google", lol. Make sure to append the final /.
Google Console: set the Redirect URI to https://grafana.redacted.io:3000/xxxx/login/google
Grafana UI will be available at https://grafana.redacted.io:3000/
It's not really a solution, more a work around.
Upvotes: 1
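The attempts in the question and the workaround in the answer all come down to two URLs Grafana derives from root_url and whether they line up with what is registered in the Google Cloud Console. The script below is an added example, not code from the question, the answer, or Grafana itself. It assumes, from the URLs the question reports (the redirect_uri in the 400 error and the /login/google/login address Safari looped on), that Grafana appends "login" to root_url for its login page and "login/google" for the Google callback; it assumes Google requires a character-for-character match of redirect_uri; and it assumes that a callback sent to a port Grafana is not bound to cannot succeed, which is consistent with the third attempt (root_url without :3000) failing after Google sign-in. The grafana.ini fragments are constructed from the settings on this page, with the client ID and secret placeholders kept as written.

```python
"""Predict Grafana's Google OAuth redirect_uri from grafana.ini and check it
against the Google Cloud Console.

Added example for this page, not Grafana's code. Assumptions (see lead-in):
  * login page  = root_url + "login"
  * callback    = root_url + "login/google"   (this is the redirect_uri sent to Google)
  * Google requires an exact match; the port in root_url must be one Grafana listens on.
"""
import configparser
from urllib.parse import urlsplit

LOGIN_PAGE = "login"            # assumed path Grafana appends for its login page
GOOGLE_CALLBACK = "login/google"  # assumed path Grafana appends for the Google callback

# Constructed grafana.ini fragment based on the settings posted in the question.
INI_TEMPLATE = """\
[server]
protocol = https
http_port = 3000
domain = grafana.redacted.io
root_url = {root_url}
serve_from_sub_path = {serve_from_sub_path}

[auth.google]
enabled = true
allow_sign_up = false
client_id = theClientIdFromGoogleCloudConsole
client_secret = theClientSecretFromGoogleCloudConsole
allowed_domains = redacted.io
"""


def grafana_ini(root_url, serve_from_sub_path="false"):
    """Return a constructed grafana.ini text for one of the page's attempts."""
    return INI_TEMPLATE.format(root_url=root_url, serve_from_sub_path=serve_from_sub_path)


def parse_grafana_ini(text):
    # Grafana's file uses both ';' and '#' for comments, which configparser accepts by default.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective_root_url(cp):
    """root_url with the trailing slash Grafana's docs require."""
    root_url = cp["server"].get("root_url", "").strip()
    if not root_url:
        raise ValueError("root_url is not set in [server]")
    return root_url if root_url.endswith("/") else root_url + "/"


def grafana_listen_port(cp):
    """Port Grafana binds to: http_port, defaulting to 3000 as Grafana does."""
    return int(cp["server"].get("http_port", "3000").strip() or "3000")


def url_port(url):
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def check_google_oauth(ini_text, registered_redirect_uris):
    """Derive the login page and redirect_uri and list configuration problems."""
    cp = parse_grafana_ini(ini_text)
    root_url = effective_root_url(cp)
    result = {
        "login_page": root_url + LOGIN_PAGE,
        "redirect_uri": root_url + GOOGLE_CALLBACK,
        "problems": [],
    }
    # Google compares redirect_uri exactly, so even a missing port or slash is a mismatch.
    if result["redirect_uri"] not in registered_redirect_uris:
        result["problems"].append(("redirect_uri_mismatch",
            "Grafana will send %s; console has %s" % (result["redirect_uri"], registered_redirect_uris)))
    # The browser is sent back to root_url's host:port; Grafana must be listening there.
    if url_port(root_url) != grafana_listen_port(cp):
        result["problems"].append(("port_mismatch",
            "root_url uses port %d but Grafana listens on %d" % (url_port(root_url), grafana_listen_port(cp))))
    # A sub path in root_url is only served when serve_from_sub_path is true (no reverse proxy here).
    sub_path_on = cp["server"].get("serve_from_sub_path", "false").strip().lower() == "true"
    if urlsplit(root_url).path != "/" and not sub_path_on:
        result["problems"].append(("sub_path_not_served",
            "root_url has a sub path but serve_from_sub_path is false"))
    return result


if __name__ == "__main__":
    attempts = [
        ("first attempt", "https://grafana.redacted.io/login/google/", "false",
         ["https://grafana.redacted.io/login/google"]),
        ("third attempt", "https://grafana.redacted.io/", "false",
         ["https://grafana.redacted.io/login/google"]),
        ("answer's workaround", "https://grafana.redacted.io:3000/google/", "true",
         ["https://grafana.redacted.io:3000/google/login/google"]),
    ]
    for name, root_url, sub_path, registered in attempts:
        r = check_google_oauth(grafana_ini(root_url, sub_path), registered)
        print(name, r["redirect_uri"], [code for code, _ in r["problems"]])
```

Running it reproduces the page's observations: the first attempt yields the doubled redirect_uri .../login/google/login/google that Google rejected, the third attempt yields a matching redirect_uri but one that points at port 443 while Grafana listens on 3000, and the answer's workaround yields no problems, with the login page at https://grafana.redacted.io:3000/google/login.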