Trying to troubleshoot oauth to okta

I’m trying to get Grafana to authenticate with Okta and I am using the instructions here: hhttps://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-okta using the docker image provided by grafana.

The config looks like:
GF_AUTH_BASIC_ENABLED="True"
GF_AUTH_GENERIC_OAUTH_CLIENT_API_URL="hhttps://company.oktapreview.com/oauth2/v1/userinfo"
GF_AUTH_GENERIC_OAUTH_CLIENT_AUTH_URL="hhttps://company.oktapreview.com/oauth2/v1/authorize"
GF_AUTH_GENERIC_OAUTH_CLIENT_ID="MYID"
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="MYSECRET"
GF_AUTH_GENERIC_OAUTH_CLIENT_TOKEN_URL="hhttps://compnay.oktapreview.com/oauth2/v1/token"
GF_AUTH_GENERIC_OAUTH_ENABLED="True"
GF_AUTH_GENERIC_OAUTH_NAME="Okta"
GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
GF_LOG_LEVEL="debug"
GF_SERVER_DOMAIN="grafana-dev.company.com"
GF_SERVER_PROTOCOL="https"
GF_SERVER_ROOT_URL="hhttps://grafana-dev.company.com/"

When I click on the oauth login the only thing I get in the logs is this:

t=2019-09-13T18:44:31+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=###### time_ms=0 size=261 referer="hhttps://grafana-dev.company.com/login?access_type=online&client_id=0oandzes8imEguIlG0h7&redirect_uri=https:%2F%2Fgrafana-dev.company.com%2Flogin%2Fgeneric_oauth&response_type=code&scope=openid&state=4zMcHlaSQsV4tI5B7OT5mrc6Fl5wE42dLZcBi_WSpTs%3D"

If I have autologin set to true, it’ll just keep looping over and over until I get an error that there were too many redirects.

Checking my cookies I have an oauth_state which is set, and a redirect_to cookie that is set to %252F

I’m not sure how to debug this any further, the okta admin says they see the client hitting the server, and the client isn’t throwing any error messages, it just won’t login.

Is there anything else I can check to debug this issue?

(Note all the hhttps above are intentional as new users can only post 2 links per post and those are being counted)

thanks,
matt

Is the compnay typo in GF_AUTH_GENERIC_OAUTH_CLIENT_TOKEN_URL present in your config?

Forget it, that is just your obfuscation…

You should see 2 requests hitting Grafana, one that redirects you out to okta, then another when you get sent back. One thing you can try is to enable devtools in your browser and watch the requests in the network traffic tab. You should see one request to /login/generic_oauth that returns a redirect out to okta, then a request to okta that returns either a page for you to log in and/or authorize (if you haven’t already) and a response that redirects you back to grafana.

This is the network traffic I’m seeing. So I should see something that is reaching out to the okta server here?

Hmm, that seems like the redirect uri might not be set properly in okta, you should check in the definition of the client in okta that it’s set to https://grafana-dev.company.com/login/generic_oauth and not https://grafana-dev.company.com/login/

(btw, I’m not an okta expert) but I think it is configured correctly:

Thanks for all your suggestions.

So I setup github oauth to see what should be happening, and when I do that, I see it try to login, bounce to github.com’s authorize endpoint, then back to grafana. Looking at the generic oauth which isn’t working for me, I see it try to login, but it never jumps over to OKTA, it just jumps directly to /login after you hit the login/generic_oauth. What would make it refuse to jump over to OKTA?

thanks,
matt

It was me, I was setting GF_AUTH_GENERIC_OAUTH_CLIENT_API_URL instead of the correct GF_AUTH_GENERIC_OAUTH_API_URL. Unfortunately grafana never logged anything, and just tried to connect to itself when that variable was left blank.

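Following the resolution above, here is an added example (not Grafana's own tooling and not from the thread) of a small Python linter for this class of mistake: it flags GF_AUTH_GENERIC_OAUTH_* keys Grafana does not recognise, guesses the intended name by dropping an extra token (CLIENT_API_URL -> API_URL), lists required endpoints left unset, and derives the callback URL the IdP client must be registered with (the /login/generic_oauth point from the earlier reply). KNOWN_KEYS is the documented auth.generic_oauth settings list as of Grafana 6.x; the sample env lines and hostnames are constructed.

```python
"""Lint Grafana generic-OAuth env settings. Added example, not Grafana's own code; KNOWN_KEYS
is the documented auth.generic_oauth section (Grafana 6.x); SAMPLE is constructed."""
PREFIX = "GF_AUTH_GENERIC_OAUTH_"
KNOWN_KEYS = {"ENABLED", "NAME", "ALLOW_SIGN_UP", "CLIENT_ID", "CLIENT_SECRET", "SCOPES",
              "AUTH_URL", "TOKEN_URL", "API_URL", "ALLOWED_DOMAINS", "TEAM_IDS", "TLS_CLIENT_CA",
              "ALLOWED_ORGANIZATIONS", "EMAIL_ATTRIBUTE_NAME", "EMAIL_ATTRIBUTE_PATH",
              "TLS_SKIP_VERIFY_INSECURE", "TLS_CLIENT_CERT", "TLS_CLIENT_KEY", "SEND_CLIENT_CREDENTIALS_VIA_POST"}
# A misnamed key is silently ignored, so the endpoint it should have set stays empty.
REQUIRED = {"CLIENT_ID", "CLIENT_SECRET", "AUTH_URL", "TOKEN_URL", "API_URL"}
QUOTES = '"\u201c\u201d '  # straight and curly quotes (curly ones come from forum pastes)

def parse_env(text):
    """KEY=VALUE lines -> {KEY: value with surrounding quotes removed}."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            env[key] = value.strip(QUOTES)
    return env

def suggest(suffix):
    """Known keys reachable by dropping one token, e.g. CLIENT_API_URL -> API_URL."""
    tokens = suffix.split("_")
    candidates = {"_".join(tokens[:i] + tokens[i + 1:]) for i in range(len(tokens))}
    return sorted(candidates & KNOWN_KEYS)

def lint(text):
    """Report unknown GF_AUTH_GENERIC_OAUTH_* keys (with a guess) and missing required ones."""
    env, present, problems = parse_env(text), set(), []
    for suffix in (k[len(PREFIX):] for k in env if k.startswith(PREFIX)):
        if suffix in KNOWN_KEYS:
            present.add(suffix)
        else:
            hint = suggest(suffix)
            problems.append(f"{PREFIX}{suffix}: unknown setting, ignored by Grafana"
                            + (f"; did you mean {PREFIX}{hint[0]}?" if hint else ""))
    return problems + [f"{PREFIX}{k}: missing" for k in sorted(REQUIRED - present)]

def expected_redirect_uri(env):
    """Callback the IdP client must be registered with: <root_url>/login/generic_oauth."""
    return env.get("GF_SERVER_ROOT_URL", "").rstrip("/") + "/login/generic_oauth"

SAMPLE = """\
GF_AUTH_GENERIC_OAUTH_ENABLED="True"
GF_AUTH_GENERIC_OAUTH_CLIENT_ID="MYID"
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="MYSECRET"
GF_AUTH_GENERIC_OAUTH_AUTH_URL="https://idp.example.test/oauth2/v1/authorize"
GF_AUTH_GENERIC_OAUTH_TOKEN_URL="https://idp.example.test/oauth2/v1/token"
GF_AUTH_GENERIC_OAUTH_CLIENT_API_URL="https://idp.example.test/oauth2/v1/userinfo"
GF_SERVER_ROOT_URL="https://grafana.example.test/"
"""
```

Running `lint(SAMPLE)` on the constructed config reports the misnamed key with its suggested correction and the resulting missing API_URL; once the key is renamed it reports nothing.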

Glad to hear you got it figured out!