Grafana generic.oauth with a certificate

Grafana Authentication
1

Hello Grafana Team.

I have an issue with setting up grafana and oauth.
My grafana.ini file looks like this:
[analytics]
check_for_updates = true
[grafana_net]
url = https://grafana.net
[log]
mode = console
level = trace
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = https://
domain =
[auth.generic_oauth]
name = SSO
enabled = true
allow_sign_up = true
client_id =
scopes = openid email profile
auth_url = https://auth_url/authorize
token_url = https://auth_url/access_token
api_url = https://auth_url/userinfo
tls_skip_verify_insecure = false
tls_client_cert = /etc/grafana/ssl/tls.crt
tls_client_key = /etc/grafana/ssl/tls.key
tls_client_key = /etc/grafana/ssl/tls-root.crt

In my configuration I’m not using client_secret I should be authenticated by the certificate tls.crt
When I try to use SSO I’m redirected to my oauth server. I’m providing the credentials and then I’m redirected back to grafana with an error login.OAuthLogin(NewTransportWithCode)

In logs I see following entry
t=2021-10-11T12:56:04+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“oauth2: cannot fetch token: 400 Bad Request\nResponse: {“error_description”:“Invalid authentication method for accessing this endpoint.”,“error”:“invalid_client”}”
t=2021-10-11T12:56:04+0000 lvl=eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=10.9.20.175 time_ms=1079 size=1744 referer=https:///

From our oauth server team I received following commands which I’m able to trigger from my laptop:

  1. In a browser https:///authorize?access_type=online&client_id=&redirect_uri=https:///login/generic_oauth&response_type=code&scope=openid+email
    In a response I’m receiving a code inside the redirect url
    https:///generic_oauth?code=oR7qlfxa3l_tdiuD3Q7pEc0pb6Y&iss=https%3A%2F%2F&client_id=

The error is about login.OAuthLogin(missing saved state)

  1. I can sue the code with curl command
    curl -v -v -s -k --request POST -H “X-Cert: tls.crt” --data “client_id=&grant_type=authorization_code&code=&redirect_uri=https:///login/generic_oauth” https:///access_token

In a response I’m getting
{“access_token”:“aaaaaa”,“scope”:“openid email”,“id_token”:“jwtToken”,“token_type”:“Bearer”,“expires_in”:3599}

The question is why I’m getting an error about Invalid authentication method for accessing this endpoint

Thanks in advance for help.
2

You doubled tls_client_key config:

That example curl command is not using client certificates (aka X.509 standard), but header with static value: X-Cert: tls.crt. It looks like a custom SSO OIDC server (insecure) implementation or your issue description is simplified.

3

Hi Jangaraj.
Thank you for your input. My bad with the tls_client_key.
Right now grafana.ini looks like this

[analytics]
check_for_updates = true
[grafana_net]
url = https://grafana.net
[log]
mode = console
level = trace
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = https://<dns name>
domain = <dns name>
[auth.generic_oauth]
name = SSO
enabled = true
allow_sign_up = true
client_id = <client_id>
scopes = openid email profile
auth_url = https://<auth_url>/authorize
token_url = https://<auth_url>/access_token
api_url = https://<auth_url>/userinfo
tls_skip_verify_insecure = true
tls_client_cert = /etc/grafana/ssl/tls.crt
tls_client_key = /etc/grafana/ssl/tls.key
tls_client_ca = /etc/grafana/ssl/tls-root.crt
[dataproxy]
# This enables data proxy logging, default is false
logging = true

Behind the scene we are using ForgeRock
And you are again right I’ve simplified the X-Cert: tls.crt which goes like this:
X-Cert: MIIG9TCCBN2gAwIBAg.................