Generic_oauth (AWS Cognito) returns empty token

Hi there,

At the moment I’m trying to use AWS Cognito as the OAuth server for our Grafana installation (version 4.3.1).
I made the changes in the auth.generic_oauth section in the grafana.ini file.

Unfortunately I received the error message “create account failed”. After some research I found out that a user is added in the internal sqlite3 database with the information that is returned from the OAuth server.
I opened the log file (level: trace) and found out that the returned information (of the token) from Cognito is empty.
See log entries:

t=2018-04-30T07:01:30+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=MY_ADDRESS time_ms=0 size=355
t=2018-04-30T07:01:30+0000 lvl=dbug msg="OAuthLogin Got token" logger=context userId=0 orgId=0 uname=
t=2018-04-30T07:01:30+0000 lvl=eror msg="Invalid API key" logger=context error="Invalid Api Key"
t=2018-04-30T07:01:30+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=401 remote_addr=GRAFANA_ADDR time_ms=0 size=29
t=2018-04-30T07:01:30+0000 lvl=eror msg="Invalid API key" logger=context error="Invalid Api Key"
t=2018-04-30T07:01:30+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/emails status=401 remote_addr=GRAFANA_ADR time_ms=0 size=29
t=2018-04-30T07:01:30+0000 lvl=dbug msg="OAuthLogin got user info" logger=context userId=0 orgId=0 uname= userInfo="&{Name: Email: Login: Company: Role:}"
t=2018-04-30T07:01:30+0000 lvl=eror msg="Failed to create account" logger=context userId=0 orgId=0 uname= error="UNIQUE constraint failed: user.email"
t=2018-04-30T07:01:30+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=MY_ADDRESS time_ms=138 size=688

I’m not sure why the Invalid API key error occurs.

If I test with Postman, no error occurs and the token also contains the requested information: openid + profile + email. I don’t know why Grafana isn’t able to receive this information.

As a second approach I added another app client without client_secret, but in this case Grafana returns an invalid_client error when communicating with AWS Cognito, which is also a bit confusing for me because this app client also works when I test with Postman…

It would be great if you could help me!
Best regards

Has anyone ever contacted you about this fix?

What did you do to resolve this issue? I’m getting similar Invalid Api Key errors in my Grafana logs too.