I've followed Grafana docs and I'm not sure how to configure the Grafana with OpenID connect.
https://grafana.com/docs/grafana/latest/auth/generic-oauth/
We already configured several applications with OpenID connect which works OK.
What I need is to configure the OpenID connect to Grafana.
What we have:
ClientID
Client Secret
expose Grafana publicly
In addition, we exposed our Grafana publicly and should configure "/redirect" to it.
Our issuer servers configs support the following:
"issuer" : "https://accounts.fds.com"
"authorization_endpoint": "https://accounts.fds.com/oauth2/authorize"
"token_endpoint":"https://accounts.fds.com/oauth2/token"
"response_types_supported":["code","id_token","token"]
"scope_supported": ["openid"]
From the doc This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/generic_oauth"
So we provided this also, my question is what should I do further, what is mandatory ?
Should I create some application or this is just configuration task?
We are using Grafana 7.1 .
I've configured it like following:
grafana:
enabled: true
namespaceOverride: ""
grafana.ini:
server:
root_url: http://a725be449-30559695.eu-central-1.elb.amazonaws.com/
auth.generic_oauth:
enabled: true
client_id: foo_clientid
client_secret: foo_secert
scopes: "openid"
auth_url: https://accounts.fds.com/oauth2/authorize
token_url: https://accounts.fds.com/oauth2/token
# api_url: https://${domain}/userinfo. //Not sure what this
allow_sign_up: true
In the 'root_url' field I've put the the link to our grafana which redirects to to /login
Not sure what is the API_URL???, what should I provide there?
When deploying the app I see new button with sigh in with oAuth when I click I got error: "OpenID provider cannot process the request because the configuration is incorrect. Please contact your system administrator." any idea ?
In addition if I want to configure redirect url which property should I use?
update
I was able to see the redirect working but I got this error, any idea ?
Your used OIDC client should have configured this redirect URL:
http://a725be449-30559695.eu-central-1.elb.amazonaws.com/login/generic_oauth
That will be requested redirect URL by Grafana based on your grafana.ini configuration.
I hope you know that https protocol is required for OIDC.
Related
Requesting for some help here. Kind of stuck with a use case. We are trying to integrate OneLogin with our app via Spring security.
The entry point to our application is Azure App Gateway that routes the requests to load balancer further routing to the VMs where the service is deployed. Everything works fine if we DONOT override the hostname in Backend settings for any incoming request, leading to the App Gateway host only getting passed for every request. Here the App Gateway URL being set as the redirect URI in Spring security auth endpoint call.
The problem appears when the Apigee is used as the entry point to our application. Apigee routes the request to App Gateway routing it further to load balancer and VMs. Here, we DO have to override the host as Apigee host name in order to authenticate the client to the OneLogin server. The Apigee endpoint is set as the redirect URI in the Spring security auth endpoint call.
However, the server responds back with "possible CSRF detected - state parameter was required but no state could be found" error. Tried different possible solutions from other SO links to resolve this error like providing a session cookie name, but did not help. Our OneLogin server and client application are also in different domains.
The only thing that works here is when we DONOT override the hostname in Azure App Gateway Backend settings and pass the App Gateway URL as the redirect URI in auth endpoint call. But the problem is it shows the App Gateway URL in the user browser, which we do not want because in an ideal scenario, the user should see only the Apigee host in the browser url and not the App Gateway host. So, is there any way to re-route/redirect/override the URL to Apigee URL in Azure App Gateway settings without the call being made to Apigee endpoint. Just the user sees the Apigee url in the browser, but internally all calls are made to App Gateway endpoint only.
Or the other solution could be to prevent the CSRF issue when Apigee hostname is used as the redirect URL in the auth endpoint instead of App Gateway host. But not sure how to resolve that.
• In your scenario, when you are not overriding the hostname in the Azure application gateway backend settings and pass the ‘Application Gateway’ URL as redirect URL in the ‘Authorization endpoint call’, the application gateway URL is shown in the user’s browser which is not desired since the Apigee host redirects the authentication requests to the ‘App gateway’ endpoint.
Therefore, without the call to be made to the ‘Apigee’ endpoint, you can surely redirect it to the Apigee redirect URL in the Azure application gateway settings by configuring the ‘Rewrite URI rules’ in the gateway. These rewrite rules will check for any presence of configured URLs or specific paths and will therefore, change the original URI path to the new path configured. As a result, please follow the below given snapshots as steps for configuring the same as stated above: -
Thus, as shown above, you can configure the ‘Rewrite rules’ in a ‘Standard V2’ SKU application gateway for redirecting response requests of ‘authorization endpoint call’ from application gateway URL to the Apigee endpoint hostname configured. In this way, when the application gateway URL is shown in the browser, it will be rewrited to the apigee endpoint hostname’s URL in the browser and accordingly the user at the receiving end will be able to see the Apigee endpoint hostname as a result fulfilling your requirement.
For more details regarding the above, kindly refer the below link: -
https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#modify-a-redirection-url
when using the google oAuth2. I keep getting
Erreur 400 : redirect_uri_mismatch The redirect URI in the request, http://hostname/signin-google, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit:
with the HTTP access.
but I'm using the https access to access the url.
I don't know why it's redirecting by HTTP not HTTPS
.
For the auth I'm using
await HttpContext.ChallengeAsync("Google", new AuthenticationProperties() {RedirectUri = "/"})
--
Note : when trying to Add my hostname with http on the redirect_uris acceepted on the GCP, it doesn't accept http, but only HTTPS
thanks a lot
You should pass the address of your own server/client-app as RedirectUri, which can handle the answer of Googles login dialog. This address should be a full URL not just "/", it has to be registered in the Google developer console and is required to be one with a https:// prefix.
You cannot implement OAuth2 with an unsecure http:// redirect address, this would ruin all security.
In fact, it's the way you expose your app that is taken in parameters..
For me I'm using the dockerfile to expose my app, and I used to use
Expose http://*:80
And even if the associated domain was started with an HTTPS, inside the app it's always an HTTP call, so all the redirect are done through the http protocole.
I'v changed the way I expose my app from http://:80 to https://:443
And in the code I used kestrel to launch the app and it's working perfectly now
Thank you
Following this quickstart guide (Python version), I was able to quickly create and deploy a Python Flask app to a project owned by my organization. However, toward the end the guide instructs "Visit your deployed container by opening the service URL in a web browser", and but this is the step I can't get to work.
Curiously, in the logs
(https://console.cloud.google.com/logs/) the 'textPayload' data element for the request is "The request was not authenticated. Either...", which seems unusual, as I'd expect an unauthenticated request to return 401, not 403. In any case, it does not list my org email address in the request, suggesting my identity for some reason isn't being supplied. Any way to fix this so I can access the URL using a user with appropriate permissions?
Note: I can access the URL by manually running "curl -H 'Authorization: Bearer <my token>'"
Cloud Run URLs aren't directly accessible if the service only allows authenticated invocations because passing the URL on your browser will not generate the credential for you. You will have to pass auth credentials on your request and the easiest way to invoke the service is to use a tool like curl which is exactly what you noted.
You have two options to authenticate your end users which are the following:
Integrate Google Sign-In.
Implement Identity Platform or Firebase Authentication.
In either of the above choices, you need a public web or mobile app that handles the sign-in flow and then makes authenticated API calls to a Cloud Run (fully managed) service.
For more information on authenticating end users, check out the official documentation.
To complement what Mr. Donnald Cucharo said, you can also use Identity Aware Proxy (IAP) to expose your application in a secure way.
I am trying to use the WebSphere Liberty Profile OIDC Client feature. I have the feature installed and configured, but I am confused about what URL I should be using to connect to it. In the WLP Knowledge Center, it shows an example like this:
https://server.example.com:443/oidc/endpoint/PROVIDER_NAME/authorize
But when my WLP server comes up, I see the following URL in the log:
com.ibm.ws.webcontainer.osgi.DynamicVirtualHost I addWebApplication SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://ibm669-r9v0dvb:11080/oidcclient/
I don't know whether to use 'oidcclient' (probably) or 'oidc'. I also don't know what to put as the PROVIDER_NAME. I tried using the ID of my OIDCClient:
<openidConnectClient id="oidcRP"
clientId="${oauth.client.id}"
clientSecret="${oauth.client.secret}"
authorizationEndpointUrl="${oauth.authorize.endpoint}"
tokenEndpointUrl="${oauth.token.endpoint}"
httpsRequired="false"
redirectToRPHostAndPort="https://myhost.com:443">
I tried connecting with this, but it's not finding it:
http://ibm669-r9v0dvb:11080/oidcclient/endpoint/oidcRP/authorize?scope=openid&response_type=code&client_id=XXX&redirect_uri=https://myhost.com:443
com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor W handleRequest SRVE0190E: File not found: /endpoint/oidcRP/authorize
Can anyone tell me what URL I should be using to connect to the client?
The Liberty openidConnectClient feature enables Liberty as a client to openid connect provider. The configuration parameters inside openidConnectClient are information about openidConnectProvider, for example, the openidConnect provider's authorization endpoint and token endpoint.
What is your openid connect provider? Liberty also can be configured as openid Connect provider. If you also want to use Liberty as openid connect provider, you can create another Liberty instance and enable openidConnectProvider feature.
I'm following Brock's tutorial on OAuth2 identity providers: OAuth2 in Thinktecture IdentityServer : OAuth2 identity providers and I'm having problems trying to setup each provider details. I'm trying to use google and facebook.
Google: What I've done is. I've created new project, within which I've gone to APIs & auth > Credentials > Create New Client ID and then chose "Web Application" option. On "Client ID for web application" panel in "Javascript Origins" section I have pasted base URL of my IdSrv (https://somename). I have copied Client ID and Client secret and pasted both into appropriate sections in IdSrv identity provider shown in tutorial. When I run the application I get the invalid_request error from Google saying Invalid parameter value for redirect_uri: Non-public domains not allowed: https://somename/idsrv/issue/hrd/oauth2callback
In case of Facebook, I've created new App, and was trying to set "Site URL" in basic settings to https://somename, but got an alert saying "must be a URL with a valid domain." which I believe is essentially the same as what the Google error message is saying
My question is: How can I deploy a test version of my IdSrv then? I just want a quick and simple environment for testing purposes for now. Am running the IdSrv in my local IIS, was following Dominick installation tutorial video Thinktecture IdentityServer v2 Tutorial: Installation
When we setup IdentityServer for local testing we configure it to run under IIS with a custom host name and then setup a entry in the local hosts file. To google this should appear as a public URL.
An easier approach is to use one of the localhost DNS services that exist.
For example, whatever.vcap.me resolves to 127.0.0.1 as does production.vcap.me, staging.vcap.me and development.vcap.me.