TLS skip verify for generic OAuth

lgazo · July 28, 2018, 7:42am

Hi,

I have KeyCloak identity server that is running with non-production certificate so far. I would like to connect Grafana’s OAuth to it but it complains because of TLS verification. I have found there is a flag to overcome it.

I have set GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=true but it seems the variable is not taken at the beginning, other generic OAuth variables are.

I use following version:

t=2018-07-28T07:22:10+0000 lvl=info msg="Starting Grafana" logger=server version=5.2.2 commit=aeaf7b2 compiled=2018-07-25T11:17:28+0000

I can also see multiple values being overriden:

t=2018-07-28T07:22:10+0000 lvl=info msg="Config overridden from Environment variable" logger=settings var="GF_AUTH_GENERIC_OAUTH_ENABLED=true"

Is there a bug or I am doing something wrong?

Thank you for help.

jangaraj · July 28, 2018, 10:58am

I guess, it’s not implemented. Did you find it in the documentation?

lgazo · July 28, 2018, 11:14am

I found it in the code And it was merged in October 2017…

github.com/grafana/grafana

Bugfix: Always verify TLS unless explicitly told otherwise

grafana:master ← mattbostock:verify_tls

opened 02:20PM - 28 Sep 17 UTC

mattbostock

+53 -36

TLS was not being verified in a number of places: - connections to grafana.co…m - connections to OAuth providers when TLS client authentication was enabled - connections to self-hosted Grafana installations when using the CLI tool TLS should always be verified unless the user explicitly enables an option to skip verification. Removes some instances where `InsecureSkipVerify` is explicitly set to `false`, the default, to help avoid confusion and make it more difficult to regress on this fix by accident. Adds a `--insecure` flag to `grafana-cli` to skip TLS verification. Adds a `tls_skip_verify_insecure` setting for OAuth. Adds a `app_tls_skip_verify_insecure` setting under a new `[plugins]` section. I'm not super happy with the way the global setting is used by `pkg/api/app_routes.go` but that seems to be the existing pattern used. 16c5d0e Fixes #9373, #9419 and is similar to #9377 (which fixes this for datasources).

https://github.com/grafana/grafana/blob/master/pkg/social/social.go

So probably I am missing something…

jangaraj · July 28, 2018, 2:05pm

You are right. It looks like a bug. Config option is missing in conf/defaults.ini, so you can’t override it with env variable.

lgazo · July 28, 2018, 5:17pm

if that is the only thing, I can create pull request for that, but I am not a Go developer yet I will report an issue along.

lgazo · July 28, 2018, 5:21pm

github.com/grafana/grafana

TLS skip verify environment option for generic OAuth does not override defaults

opened 05:21PM - 28 Jul 18 UTC

closed 08:12AM - 30 Jul 18 UTC

lgazo

area/backend/config area/auth/oauth

I have talked about it here - https://community.grafana.com/t/tls-skip-verify-fo…r-generic-oauth/9197 I have KeyCloak identity server that is running with non-production certificate so far. I would like to connect Grafana’s OAuth to it but it complains because of TLS verification. I have found there is a flag to overcome it. I have set GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=true but it seems the variable is not taken at the beginning, other generic OAuth variables are. I use following version: `t=2018-07-28T07:22:10+0000 lvl=info msg="Starting Grafana" logger=server version=5.2.2 commit=aeaf7b2 compiled=2018-07-25T11:17:28+0000` I can also see multiple values being overriden: `t=2018-07-28T07:22:10+0000 lvl=info msg="Config overridden from Environment variable" logger=settings var="GF_AUTH_GENERIC_OAUTH_ENABLED=true"` Corresponding code is here - https://github.com/grafana/grafana/blob/master/pkg/social/social.go @jangaraj suggests it's small bug - > It looks like a bug. Config option is missing in conf/defaults.ini, so you can’t override it with env variable.

Topic		Replies	Views
Grafana generic oauth with keycloak Grafana	1	6791	August 15, 2018
Grafana compliance with keycloak cert openid endpoint Authentication	1	1738	February 28, 2019
SSO Grafana & Keycloak problem redirect Grafana	5	1681	April 15, 2022
X509: certificate signed by unknown authority with autentication by keycloak Authentication auth , oauth	10	7520	October 21, 2022
Grafana generic.oauth with a certificate Authentication	2	1535	October 12, 2021

TLS skip verify for generic OAuth

Related topics