OAuth2 authentication with a custom datasource plug-in

Hi all,

I’m in the process of trying to integrate Grafana into a data platform. I have succeeded in getting its OAuth2 client to authenticate users via the data platform and am in the process of writing a data plug-in that will pull data from it.

The data platform requires that the user’s Bearer token be passed back in the Authorization header, and so I created the data plug-in instance in Grafana, ticking the “With Credentials” box. Unfortunately, when I see a back-end query, I see that the Authorization header that was returned to Grafana during the log-in phase is not passed on in the request, and so the data platform bounces the request with a 401 Unauthorized message.

It is desirable that the data connector uses the same user account that the user logged into Grafana with so that the server can apply authorization rules to what that user can see. This cannot be done if all Grafana users log into the data platform back-end with the same user account.

How do I get at that Bearer token so that I can provide it to the back-end server?

Maybe using the auth proxy options and the X-WEBAUTH-USER would be an easier way to solve it?


Apologies for not getting back sooner, that sprint finished and I’ve been busy with other things, so the reply message got lost in the noise. (I get a lot of email traffic.)

Okay, so where in those instructions does the data plug-in get configured to use the auth proxy? The instructions make no mention of plug-ins of any kind. They simply talk about logging in and creating users, and effectively, turning off authentication, relying on some front-end service to do it for them.

I don’t see any discussion on what the data plug-in “sees” in terms of the user’s session.

Seems like an awful lot of trouble to go to when the Bearer token is lurking, somewhere client-side in RAM and could conceivably be exposed by Grafana to the data plug-in.

To me, it solves a completely different problem: authenticating a user to Grafana. As it happens, this problem is already adequately solved using Grafana’s OAuth2 client.

I need to solve this problem: using Grafana’s user to authenticate Grafana to the back-end, namely passing back the OAuth2 session credentials. They are different things.

Is Azure Active Directory authentication enabled for integrating with REST based data sources ?

We’re not using Azure… at all, so no, it isn’t enabled, or available to us.

@redhatter did you ever manage to get the data source plugin to work using the OAuth2 client which you used to authenticate the user? Basically did you ever solve the problem you were facing?

To date, the problem remains unsolved.

I am in the similar situation. We are trying to use oauth authentication but want the user bearer token to be passed to the data source plugin so that we can use it to call the application which we are trying to talk to. It seems in the oauth process, the token is just thrown after login which can easily be used to authenticate datasource.

Any thoughts on that? Should we create this as a new feature request?


Right now, I’m attempting to use the routes{} method in this
but am still unable to get it going. Maybe you can get it to work for you

routes method only provide fixed refresh/access token option based on the client_id, which is different from calling the datasource with unique user info.

What I am proposing is to use the authenticated user id to query the end data source, rather then using a single user. This helps us identify who is the actual caller of the web service.

Just wondering, 3.5 years later… Were you guys able to make it work?

Shockingly, no the issue hasn’t magically fixed itself.

Grafana 8 now… and yep, our production sites still use hard-coded back-end credentials for each group … to say this is something of an embarrassment is an understatement.

It sounds you want to forward the OAuth identity to the plugin. This should be possible with a backend data source. Although, seeing the age of the topic, it might not be relevant for the OP, since backend plugins were introduced in the last couple of years.

Right, so I re-traced my steps and made a quick-and-dirty shim layer with Tornado (Python 3) which would handle the authentication for our back-end since Grafana’s OAuth2 client and our OAuth2 server are not-quite-compatible.

I click a button, it sends me to my custom log-in page, I log in, requests bounce between the servers, and I find myself logged into Grafana under a new user with the credentials from the external server.

Fantastic. First hurdle cleared.

Now, I read the instructions here:

To allow Grafana to pass the access token to the plugin, update the data source configuration and set the jsonData.oauthPassThru property to true.

The data source is a client-side plug-in (as that’s all we could write for Grafana at the time). Where do I find this setting?