What Grafana version and what operating system are you using?
Grafana 9.5.5 official Docker Image

What are you trying to achieve?
Trying to sign in after updating to 9.5.5, using AWS Cognito as IDP, configured as Generic OAuth2 Provider

How are you trying to achieve it?
Configured AWS Cognito as Generic OAuth Provider in Grafana

What happened?
Getting an error message:
Login Failed - User already exists

What did you expect to happen?
I kinda expected the update not to break the configuration

Can you copy/paste the configuration(s) that you are having problems with?
Configure generic OAuth2 authentication | Grafana documentation
All settings are configured with the appropriate values; it worked fine before Grafana 9.5.5. Here is an example from the Terraform configuration:
```hcl
{
  "name"  = "GF_AUTH_GENERIC_OAUTH_API_URL",
  "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/oauth2/userInfo"
},
{
  "name"  = "GF_AUTH_GENERIC_OAUTH_AUTH_URL",
  "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/oauth2/authorize"
},
{
  "name"  = "GF_AUTH_GENERIC_OAUTH_TOKEN_URL",
  "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/oauth2/token"
},
{
  "name"  = "GF_AUTH_SIGNOUT_REDIRECT_URL",
  "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/logout?response_type=code&client_id=${module.cognito_grafana.client_id}&redirect_uri=https://${module.routing.domain_map_dashboard[var.environment]}/login"
},
```
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
Did you follow any online instructions? If so, what is the URL?
I followed the official advice from here: Grafana security release for CVE-2023-3128

> When Grafana is configured to use multiple identity providers (including a combination of standard Grafana login/password authentication with additional SSO), and you have users with the same email address in multiple identity providers. When Grafana is configured to use generic OAuth with an identity provider that does not support the unique ID field.
I tried to disable Basic Auth, because as mentioned in the blog post, this is exactly the scenario we are in. We didn't create any local users, but basic auth was still active + one configured Generic OAuth2 Provider. But this didn't help.
I looked into the unique ID field and Cognito indeed does use it, as it uses the mentioned OpenID Connect standard and sends a unique ID in the "sub" field, but apparently Grafana doesn't recognize or evaluate it.
I cannot imagine we are the only ones having problems after the update. Any idea how to fix this?
As far as I understood, the flaw comes from having multiple IDPs and having the same email address being authorized by more than one IDP. That is an interesting scenario, as in our AWS Cognito we only have one IDP connected, but if we had more than one, I couldn't limit the domains that one IDP is responsible for. If we add a rogue IDP, it might send authorization tokens for an email address that usually uses another IDP to sign up, and we wouldn't notice it either. But this is something to solve on the Cognito end, as the connected IDPs are not visible to Grafana, since Grafana will only ever talk with AWS Cognito.
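To make the difference behind the "User already exists" error concrete, here is an added illustration (not Grafana's code, and not from the post) of the two account-matching strategies the CVE-2023-3128 advisory contrasts: linking an OAuth login to an existing user by e-mail alone, versus linking by the provider's unique ID (the OIDC `sub`) and treating an e-mail collision with a differently-bound user as a conflict. The user table, the `auth_ids` mapping and the `oauth_generic_oauth` label are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    email: str
    # constructed: auth_module -> unique id the provider asserted when linking
    auth_ids: dict = field(default_factory=dict)


class LoginConflict(Exception):
    """Raised when the login would collide with a different existing user."""


def match_by_email(users, auth_module, email, sub):
    """E-mail-only matching: any provider asserting this address is linked
    to the existing account, regardless of which subject it belongs to."""
    for u in users:
        if u.email.lower() == email.lower():
            return u
    return None


def match_by_unique_id(users, auth_module, email, sub):
    """Unique-ID matching: the (auth_module, sub) pair must already be bound
    to the account. A matching e-mail bound to a different subject is refused
    instead of silently linked, which surfaces as a 'user already exists'."""
    for u in users:
        if u.auth_ids.get(auth_module) == sub:
            return u
    for u in users:
        if u.email.lower() == email.lower():
            raise LoginConflict(f"User already exists: {u.login}")
    return None  # no existing account: eligible for sign-up, if allowed


def demo():
    """Constructed scenario: alice is bound to subject sub-alice-1; a second
    assertion carries her e-mail but an unrelated subject."""
    alice = User("alice", "alice@example.com", {"oauth_generic_oauth": "sub-alice-1"})
    users = [alice]
    other = dict(auth_module="oauth_generic_oauth", email="alice@example.com", sub="sub-other-9")
    linked_by_email = match_by_email(users, **other) is alice
    try:
        match_by_unique_id(users, **other)
        conflict = None
    except LoginConflict as exc:
        conflict = str(exc)
    return linked_by_email, conflict
```

Running `demo()` returns `(True, "User already exists: alice")`: e-mail matching hands the second assertion alice's account, while unique-ID matching refuses it.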