Reputation: 365
Issue:
I am trying to set up the following configuration locally:
[nginx] <-> [oauth2_proxy] <-> [grafana]
nginx listens on 80
oauth2_proxy listens on 4180
grafana listens on 3000
Although authentication through the proxy succeeds (from the proxy's and the identity provider's perspective, here Google), the authenticated user is not carried over to Grafana; instead the user is redirected to the login screen.
While we could use auth.generic_oauth for authenticating users through a third-party OAuth2 provider (see here), the reason I have chosen this approach is to enable multiple applications to be configured with a common authentication backend.
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
# docker-compose.yml
version: '3'
services:
  grafana:
    container_name: grafana
    image: grafana/grafana:latest
    restart: always
    user: '104'
    volumes:
      - $PWD/data/grafana:/var/lib/grafana
    ports:
      - 3000:3000
    environment:
      # [users]
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_USERS_AUTO_ASSIGN_ORG=true
      - GF_USERS_AUTO_ASSIGN_ORG_ROLE=Admin
      # [auth.basic]
      - GF_AUTH_BASIC_ENABLED=false
      # [auth]
      - GF_AUTH_DISABLE_LOGIN_FORM=true
      # [auth.proxy]
      - GF_AUTH_PROXY_ENABLED=true
      - GF_AUTH_PROXY_HEADER_NAME=X-Email
      - GF_AUTH_PROXY_HEADER_PROPERTY=email
      - GF_AUTH_PROXY_AUTO_SIGN_UP=true
      - GF_AUTH_PROXY_ENABLE_LOGIN_TOKEN=false
  oauth2-proxy:
    container_name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    restart: always
    ports:
      - 4180:4180
    volumes:
      - $PWD/data/oauth2:/var/lib/oauth2_proxy
    environment:
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_CLIENT_ID=<google_client_id>
      - OAUTH2_PROXY_CLIENT_SECRET=<google_client_secret>
      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://accounts.google.com
      - OAUTH2_PROXY_COOKIE_SECRET=abcdefgh
      - OAUTH2_PROXY_COOKIE_DOMAIN=http://localhost:3000
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_COOKIE_SECURE=false
      - OAUTH2_PROXY_UPSTREAMS=http://grafana:3000
      - OAUTH2_PROXY_HTTP_ADDRESS=http://:4180
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost:3000/oauth2/callback
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      - OAUTH2_PROXY_ERRORS_TO_INFO_LOG=true
      - OAUTH2_PROXY_AUTH_LOGGING=true
      - OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR=true
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_PASS_USER_HEADERS=true
      - OAUTH2_PROXY_PASS_HOST_HEADER=true
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY=true
      - OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true
  nginx:
    container_name: nginx
    image: nginx
    restart: always
    ports:
      - 80:80
    volumes:
      - $PWD/data/nginx/:/etc/nginx/conf.d/
# nginx.conf
server {
    listen 80;
    server_name localhost;

    location /oauth2/ {
        proxy_pass http://oauth2-proxy:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://oauth2-proxy:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location /grafana/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        proxy_pass http://grafana:3000;
    }
}
Run
docker-compose up -d --build
Then in the browser navigate to localhost/grafana/ => user redirected to oauth2_proxy => Google login successful => back to the Grafana login screen.
It just seems that I am missing some settings for carrying over the auth headers or something. Could anyone point me in the right direction?
A similar issue was opened a while ago here, but it didn't work for me. I already have GF_AUTH_BASIC_ENABLED=false.
Anything else we need to know?: All three actors (grafana, nginx, oauth2_proxy) have clean logs, no warnings or errors.
Environment: local, grafana:latest, macOS, Chrome, nginx, oauth2_proxy
Upvotes: 0
Views: 1098
Reputation: 28714
You need to configure the headers correctly:
- GF_AUTH_PROXY_HEADER_NAME=X-Email
So this config is saying that the username/email will be in the X-Email header.
But it looks like the username/email is in a different header, see https://github.com/grafana/grafana/issues/27251#issuecomment-682477379:
X-Forwarded-User: <my email>
So it should probably be:
GF_AUTH_PROXY_HEADERS='Name:X-Forwarded-User Email:X-Forwarded-Email'
Upvotes: 0
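A check for the hand-off described in the question and for the header mapping proposed in the answer, as an added example that is not part of either post and not code from Grafana or oauth2-proxy. It audits the three things that decide whether the identity reaches Grafana and whether Grafana can safely trust it: that the header name Grafana's auth.proxy reads (GF_AUTH_PROXY_HEADER_NAME or GF_AUTH_PROXY_HEADERS) is one that nginx actually sets with proxy_set_header in the /grafana/ location; that Grafana cannot be reached except through nginx, because auth.proxy accepts the header from any client unless GF_AUTH_PROXY_WHITELIST pins the proxy and port 3000 stays unpublished; and that oauth2-proxy's cookie secret, cookie domain and redirect URL are well-formed. The sample settings are constructed from the question's reproducer; the hardened variant's whitelist subnet (172.18.0.0/16) and cookie secret are assumed values, and the comment on header modes summarizes oauth2-proxy's documented behaviour.

```python
"""Audit an nginx -> oauth2-proxy -> Grafana auth.proxy hand-off for mistakes that
break it silently or make it spoofable. Added example for this thread, not code from
Grafana, oauth2-proxy or the poster; sample configs are constructed from the question,
the hardened variant's whitelist subnet and cookie secret are assumed values."""
import base64
import re
from urllib.parse import urlsplit

# oauth2-proxy (per its docs) returns X-Auth-Request-User/-Email on the /oauth2/auth
# response in auth_request mode, and nginx must copy them into the upstream request;
# it only sets these on the upstream itself when it is the reverse proxy (--pass-user-headers):
PASS_USER_HEADERS = {"x-forwarded-user", "x-forwarded-email"}


def parse_env(text):
    """'- KEY=value' lines of a compose environment block -> dict."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def grafana_identity_headers(genv):
    """Request headers Grafana's auth.proxy takes an identity from."""
    wanted = {genv["GF_AUTH_PROXY_HEADER_NAME"].lower()} if genv.get("GF_AUTH_PROXY_HEADER_NAME") else set()
    for item in genv.get("GF_AUTH_PROXY_HEADERS", "").split():  # 'Name:X-Forwarded-User Email:...'
        header = item.partition(":")[2]
        if header:
            wanted.add(header.lower())
    return wanted


def nginx_set_headers(conf, location="/grafana/"):
    """Headers a location block sets with proxy_set_header (client-supplied values are overwritten)."""
    block = re.search(r"location\s+" + re.escape(location) + r"\s*\{(.*?)\n\s*\}", conf, re.S)
    return {h.lower() for h in re.findall(r"proxy_set_header\s+(\S+)\s", block.group(1))} if block else set()


def valid_cookie_secret(secret):
    """oauth2-proxy accepts a 16, 24 or 32 byte secret, raw or (url-safe) base64."""
    lengths, padded = {len(secret.encode())}, secret + "=" * (-len(secret) % 4)
    for altchars in (None, b"-_"):
        try:
            lengths.add(len(base64.b64decode(padded, altchars=altchars, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return bool(lengths & {16, 24, 32})


def audit(genv, oenv, nginx_conf, published_ports, public_host="localhost", public_port=80):
    """Sorted finding codes for the stack as configured; [] means consistent."""
    findings = []
    # Hand-off: Grafana must read a header nginx itself sets, or the identity never
    # arrives and Grafana falls back to its login page.
    if not grafana_identity_headers(genv) & nginx_set_headers(nginx_conf):
        findings.append("header-name-mismatch")
    # Trust: auth.proxy believes the header unconditionally, so anyone who can reach
    # :3000 directly logs in as any user. Keep the port unpublished and pin the proxy.
    if 3000 in published_ports:
        findings.append("grafana-port-published")
    if not genv.get("GF_AUTH_PROXY_WHITELIST"):
        findings.append("no-proxy-whitelist")
    if not valid_cookie_secret(oenv.get("OAUTH2_PROXY_COOKIE_SECRET", "")):
        findings.append("cookie-secret-length")
    if any(c in oenv.get("OAUTH2_PROXY_COOKIE_DOMAIN", "") for c in ":/"):
        findings.append("cookie-domain-not-a-host")  # a cookie Domain is a bare host name
    redirect = urlsplit(oenv.get("OAUTH2_PROXY_REDIRECT_URL", ""))
    if (redirect.hostname, redirect.port or 80) != (public_host, public_port):
        findings.append("redirect-url-not-public-entry")  # the IdP must send the browser back via nginx
    return sorted(findings)


# Constructed from the question's reproducer (only the settings audited here).
QUESTION_GRAFANA_ENV = "- GF_AUTH_PROXY_ENABLED=true\n- GF_AUTH_PROXY_HEADER_NAME=X-Email\n"
QUESTION_OAUTH2_ENV = ("- OAUTH2_PROXY_COOKIE_SECRET=abcdefgh\n- OAUTH2_PROXY_COOKIE_DOMAIN=http://localhost:3000\n"
                       "- OAUTH2_PROXY_REDIRECT_URL=http://localhost:3000/oauth2/callback\n")
NGINX_CONF = """
location /grafana/ {
    auth_request /oauth2/auth;
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;
    proxy_pass http://grafana:3000;
}
"""
QUESTION_PORTS = {80, 4180, 3000}
# Hardened variant: assumed compose subnet and a 32-byte secret; Grafana and oauth2-proxy
# stay on the compose network, only nginx's :80 is published.
HARDENED_GRAFANA_ENV = QUESTION_GRAFANA_ENV + "- GF_AUTH_PROXY_WHITELIST=172.18.0.0/16\n"
HARDENED_OAUTH2_ENV = ("- OAUTH2_PROXY_COOKIE_SECRET=0123456789abcdef0123456789abcdef\n"
                       "- OAUTH2_PROXY_REDIRECT_URL=http://localhost/oauth2/callback\n")
HARDENED_PORTS = {80}

if __name__ == "__main__":
    for label, g, o, p in (("question", QUESTION_GRAFANA_ENV, QUESTION_OAUTH2_ENV, QUESTION_PORTS),
                           ("hardened", HARDENED_GRAFANA_ENV, HARDENED_OAUTH2_ENV, HARDENED_PORTS)):
        print(label, audit(parse_env(g), parse_env(o), NGINX_CONF, p) or "OK")
```

Run against the question's values, the audit flags the 8-byte cookie secret (oauth2-proxy wants 16, 24 or 32 bytes), a cookie domain that is a URL rather than a host (for localhost it is best left unset), a redirect URL on :3000 that sends the browser from Google straight to the published Grafana port instead of back through nginx, the published Grafana port and the missing whitelist; the header names themselves line up, because nginx sets X-Email. Switching Grafana to the X-Forwarded-User/X-Forwarded-Email pair from the answer passes the hand-off check only if nginx sets those names too, or if oauth2-proxy itself proxies to Grafana with pass_user_headers, which is the mode in which it emits them. One thing in the nginx block that this script does not model: proxy_pass http://grafana:3000 without a trailing slash forwards the /grafana/ prefix to Grafana, which then needs GF_SERVER_ROOT_URL and GF_SERVER_SERVE_FROM_SUB_PATH=true; otherwise strip the prefix with proxy_pass http://grafana:3000/.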