- What Grafana version and what operating system are you using?

Grafana: 9.1.0 and Ubuntu 20.04.4

- What are you trying to achieve?

Integrate Okta as OAuth Provider

- How are you trying to achieve it?

Updated grafana.ini file with correct client_id and client_secret and URLs. Have tested it with a few accounts and it is working.

- What happened?

I had a local account that I had created that got converted to an OAuth account (as the emails matched). It was a Grafana Admin as well as Org Admin.
I configured a new OAuth account that I wanted to be the Grafana and Org Admin (different email) and then removed the old converted account.
Trying to log back in as the non-admin account, I receive the error `login.OAuthLogin(NewTransportWithCode)`.
I believe something might have happened in the database (default sqlite3) that is causing this issue.

- What did you expect to happen?

The local account would be deleted and admin permissions revoked. Then the non-admin account would be created with the proper "Editor" role.

- Can you copy/paste the configuration(s) that you are having problems with?
```ini
#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
http_port = 9001

# The public facing domain name used to access grafana from a browser
domain = [REDACTED]

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = %(protocol)s://%(domain)s:%(http_port)s/

# Serve Grafana from subpath specified in root_url setting. By default it is set to false
# for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = /etc/grafana/[REDACTED]-grafana-selfsigned.crt
cert_key = /etc/grafana/[REDACTED]-grafana-selfsigned.key

# Unix socket path
;socket =

# CDN Url
;cdn_url =

# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
# 0 means there is no timeout for reading the request.
;read_timeout = 0

#################################### Okta OAuth #######################
[auth.okta]
name = Okta
enabled = true
allow_sign_up = true
client_id = [REDACTED]
client_secret = [REDACTED]
scopes = openid profile email groups
auth_url = https://[REDACTED].okta.com/oauth2/v1/authorize
token_url = https://[REDACTED].okta.com/oauth2/v1/token
api_url = https://[REDACTED].okta.com/oauth2/v1/userinfo
;allowed_domains =
;allowed_groups =
# JMESPath over the userinfo claims: left-most matching clause wins (straight quotes, groups[*] wildcard)
role_attribute_path = contains(groups[*], 'SW-Grafana-Admin') && 'Admin' || contains(groups[*], 'SW-Grafana-Editor') && 'Editor' || contains(groups[*], 'SW-Grafana-Viewer') && 'Viewer'
role_attribute_strict = false
```
- Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

UI: `login.OAuthLogin(NewTransportWithCode)`

Logs: `The authorization code is invalid or has expired.` is the line that is odd, as it works for my admin account and other users' accounts.

Error trace (non-admin):

```
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:49:34.648552474Z level=info msg="Request Completed" method=GET path=/login/okta status=302 remote_addr=[REDACTED] time_ms=0 duration=435.886µs size=312 referer=https://[REDACTED]:9001/login traceID=00000000000000000000000000000000
logger=oauth t=2022-08-22T11:49:35.046329197Z level=info msg="state check" queryState=4cc995c83519a72550ed7ea75f1ee9fc52781be3929355aa3f274718b979bfc2 cookieState=4cc995c83519a72550ed7ea75f1ee9fc52781be3929355aa3f274718b979bfc2
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:49:35.764577792Z level=error msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}"
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:49:35.765272695Z level=error msg="Request Completed" method=GET path=/login/okta status=500 remote_addr=10.250.135.182 time_ms=719 duration=719.633514ms size=1365 referer= traceID=00000000000000000000000000000000
```

Good trace (admin):

```
logger=http.server t=2022-08-22T11:52:00.817263731Z level=info msg="Successful Logout" User=[REDACTED]
logger=context traceID=00000000000000000000000000000000 userId=9 orgId=1 uname=[REDACTED] t=2022-08-22T11:52:00.817409227Z level=info msg="Request Completed" method=GET path=/logout status=302 remote_addr=[REDACTED] time_ms=6 duration=6.034144ms size=29 referer=https://[REDACTED]:9001/admin/users traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:52:03.546008697Z level=info msg="Request Completed" method=GET path=/login/okta status=302 remote_addr=[REDACTED] time_ms=0 duration=559.446µs size=312 referer=https://[REDACTED]:9001/login traceID=00000000000000000000000000000000
logger=oauth t=2022-08-22T11:52:04.103118577Z level=info msg="state check" queryState=0352857c26a4eae55b1d393190fa0eb2ccbd18e68be899b29a1416d976897578 cookieState=0352857c26a4eae55b1d393190fa0eb2ccbd18e68be899b29a1416d976897578
logger=http.server t=2022-08-22T11:52:04.814734624Z level=info msg="Successful Login" User=[REDACTED]
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-22T11:52:04.815419185Z level=info msg="Request Completed" method=GET path=/login/okta status=302 remote_addr=[REDACTED] time_ms=713 duration=713.171884ms size=24 referer= traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=9 orgId=1 uname=[REDACTED] t=2022-08-22T11:52:05.367888019Z level=info msg="Request Completed" method=GET path=/api/live/ws status=0 remote_addr=10.250.135.182 time_ms=0 duration=960.224µs size=0 referer= traceID=00000000000000000000000000000000
```
- Did you follow any online instructions? If so, what is the URL?

I followed the instructions on integrating Okta here: Configure Okta OAuth2 authentication | Grafana documentation
The documentation is a little outdated. Instead of "Login redirect URI", Okta now shows it as "Sign-in redirect URIs".
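As an added example (not from the post and not Grafana's own code), a small Python check that lints the `role_attribute_path` expression for the two defects visible in the pasted config (curly quotes and `groups[]` without the `*` wildcard, both of which break the JMESPath expression if pasted back verbatim) and mirrors how the `&&`/`||` chain resolves a user's `groups` claim to a role, including what `role_attribute_strict` changes. It assumes the fallback when nothing matches and strict mode is off is Grafana's default org role, taken here to be Viewer.

```python
import re
from typing import List, Optional, Tuple

# Expression from the post's [auth.okta] section, with straight quotes and the
# groups[*] wildcard restored (constructed copy for this example).
ROLE_ATTRIBUTE_PATH = (
    "contains(groups[*], 'SW-Grafana-Admin') && 'Admin' || "
    "contains(groups[*], 'SW-Grafana-Editor') && 'Editor' || "
    "contains(groups[*], 'SW-Grafana-Viewer') && 'Viewer'"
)

# One "contains(groups[*], '<group>') && '<Role>'" clause of the chain.
CLAUSE = re.compile(
    r"contains\(groups\[\*\],\s*'([^']+)'\)\s*&&\s*'(Admin|Editor|Viewer)'"
)

# Fallback when no clause matches and strict mode is off: Grafana's default org
# role, assumed here to be the stock Viewer (auto_assign_org_role left at default).
DEFAULT_ORG_ROLE = "Viewer"


def lint_role_attribute_path(expr: str) -> List[str]:
    """Report defects that make the JMESPath expression fail or silently mis-map."""
    issues = []
    if any(ch in expr for ch in "\u2018\u2019\u201c\u201d"):
        issues.append("curly quotes: JMESPath string literals need straight single quotes")
    if "groups[]" in expr:
        issues.append("groups[] is not a valid projection; use groups[*]")
    if not CLAUSE.search(expr):
        issues.append("no contains(groups[*], '<group>') && '<Role>' clause found")
    return issues


def parse_role_mapping(expr: str) -> List[Tuple[str, str]]:
    """(group, role) pairs in precedence order: the left-most matching clause wins."""
    return CLAUSE.findall(expr)


def resolve_role(groups: List[str], expr: str, strict: bool) -> Optional[str]:
    """Mirror how the && / || chain resolves one user's 'groups' claim.

    Returns None when nothing matches and role_attribute_strict = true, which is
    the case where Grafana rejects the login instead of assigning a role.
    """
    for group, role in parse_role_mapping(expr):
        if group in groups:
            return role
    return None if strict else DEFAULT_ORG_ROLE
```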