Auth.generic_oauth "No id_token found"

I have and Openshift 3.11 cluster that I am trying to use for generic auth.

I have the following grafana.ini

[auth.generic_oauth]
enabled = true
client_id = grafana-oauth
client_secret = usere6Je7NiDfK4O0Rw5Vk3A7TK1PwkNaasbIV1H0EUCjExDEk4DBgElS
scopes= user:info
auth_url=https://master311.example.com:8443/oauth/authorize
token_url=https://master311.example.com:8443/oauth/token
api_url= 
allowed_domains=
allow_sign_up = true
tls_skip_verify_insecure = true

[log]
level=debug

[server]
root_url=http://grafana.example.com:3000

I get redirected to the OpenShift login page and login with the user. However I see this error:

login.OAuthLogin(get info from generic_oauth)

When examining the logs I see this

t=2019-07-11T18:57:24+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=192.168.99.198 time_ms=0 size=29 referer=
t=2019-07-11T18:57:26+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=192.168.99.198 time_ms=0 size=308 referer=http://grafana.example.com:3000/login
t=2019-07-11T18:57:33+0000 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
t=2019-07-11T18:57:35+0000 lvl=info msg="state check" logger=oauth queryState=55d712fe326c2e88df6dc54b58b8d5193ef5008b80c693f762964a99b5fa6ec8 cookieState=55d712fe326c2e88df6dc54b58b8d5193ef5008b80c693f762964a99b5fa6ec8
t=2019-07-11T18:57:35+0000 lvl=dbug msg="OAuthLogin Got token" logger=oauth token="&{AccessToken:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 TokenType:Bearer RefreshToken: Expiry:2019-07-12 18:57:35.992365119 +0000 UTC m=+86423.174791448 raw:map[access_token:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 expires_in:86400 scope:user:info token_type:Bearer]}"
t=2019-07-11T18:57:35+0000 lvl=dbug msg="No id_token found" logger=oauth.generic_oauth token="&{AccessToken:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 TokenType:Bearer RefreshToken: Expiry:2019-07-12 18:57:35.992365119 +0000 UTC m=+86423.174791448 raw:map[access_token:yz3p7kDEIz3dUWGSwG8CFtA44QJ1EJqSDBem4ejF1f0 expires_in:86400 scope:user:info token_type:Bearer]}"
t=2019-07-11T18:57:35+0000 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting user info: Get : unsupported protocol scheme \"\""
t=2019-07-11T18:57:35+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=192.168.99.198 time_ms=38 size=1750 referer=
t=2019-07-11T18:57:43+0000 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0

I am not sure how to further troubleshoot this issue. It seems quite clear from the github code here that it is indeed a token issue

For completeness sake, below is a list of the well-known endpoints for Openshift

Any help would be appreciated it

Security first:

• don’t post client secret
• don’t post valid access token

No id token is just debug message, it isn’t error. Error is next line: you didn’t configure api_url, so Grafana can’t get user info from your IdP.

Thanks for the quick reply!

I mangled the actual tokens and such with find/replace before posting. Also this instance is not publically accessible anyways.

The Openshift cluster has this endpoint under /oapi/v1/users

I can curl this endpoint like so:

curl -k -H "Authorization: Bearer $TOKEN" -H 'Accept: application/json' https://master311.example.com:8443/oapi/v1/users/

It gives the following results

{
  "kind": "UserList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/oapi/v1/users/",
    "resourceVersion": "32376138"
  },
  "items": [
    {
      "metadata": {
        "name": "user1",
        "selfLink": "/oapi/v1/users/bob",
        "uid": "d2076d2a-9904-11e9-b064-52540097c136",
        "resourceVersion": "29899597",
        "creationTimestamp": "2019-06-27T17:55:59Z"
      },
      "identities": [
        "htpasswd_auth:user1"
      ],
      "groups": null
    },
    {
      "metadata": {
        "name": "user2",
        "selfLink": "/oapi/v1/users/stratus",
        "uid": "9468f490-0d25-11e9-99cb-52540097c136",
        "resourceVersion": "7906",
        "creationTimestamp": "2018-12-31T17:57:46Z"
      },
      "identities": [
        "htpasswd_auth:user2"
      ],
      "groups": null
    }
  ]
}

Does this json have enough information for Grafana? I am getting a 403 “User is forbidden” error in the logs now. The user’s token was used in the curl above so the user can list this endpoint.

What else should I look at?

That is not a userinfo endpoint. Open discovery url (example https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) and search userinfo_endpoint. That url configure in Grafana api_url config.

Thanks for the pointers. With that info I found this issue on github for OpenShift and GitLab. If I understand the linked comment correctly, this is not possible because.

If my understanding is correct please feel free to close this ticket and thanks for your help!

Use standard OIDC IdP (e.g. Keycloak) and integrate it with Openstack and Grafana.