Generic OAuth Authentication

    This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of .

    You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

    Example config:

    Set api_url to the resource that returns OpenID UserInfo compatible information.

    Grafana will attempt to determine the user’s e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:

    • Check for the presence of an e-mail address via the email field encoded in the OAuth id_token parameter.
    • Check for the presence of an e-mail address in the attributes map encoded in the OAuth id_token parameter. By default Grafana will perform a lookup into the attributes map using the email:primary key, however, this is configurable and can be adjusted by using the email_attribute_name configuration option.
    • Query the /emails endpoint of the OAuth provider’s API (configured with api_url) and check for the presence of an e-mail address marked as a primary address.
    • If no e-mail address is found in steps (1-3), then the e-mail address of the user is set to the empty string.

    First set up Grafana as an OpenId client “webapplication” in Okta. Then set the Base URIs to domain>/ and set the Login redirect URIs to https://<grafana domain>/login/generic_oauth.

    Finally set up the generic oauth module like this:

    1. [auth.generic_oauth]
    2. name = Okta
    3. enabled = true
    4. scopes = openid profile email
    6. client_secret = <okta application Client Secret>
    7. auth_url = https://<okta domain>/oauth2/v1/authorize
    8. token_url = https://<okta domain>/oauth2/v1/token
    9. api_url = https://<okta domain>/oauth2/v1/userinfo

    Set up OAuth2 with Bitbucket

    • Create a new Custom Connector with the following settings:

      • Name: Grafana
      • Sign On Method: OpenID Connect
      • Redirect URI: https://<grafana domain>/login/generic_oauth
      • Signing Algorithm: RS256
      • Login URL: domain>/login/generic_oauththen:

    • Under the SSO tab on the Grafana App details page you’ll find the Client ID and Client Secret.

    Your OneLogin Domain will match the url you use to access OneLogin.

    1. [auth.generic_oauth]
    2. name = OneLogin
    3. enabled = true
    4. allow_sign_up = true
    5. client_id = <client id>
    6. client_secret = <client secret>
    7. scopes = openid email name
    8. auth_url = https://<onelogin domain>.onelogin.com/oidc/auth
    9. token_url = https://<onelogin domain>.onelogin.com/oidc/token
    10. api_url = https://<onelogin domain>.onelogin.com/oidc/me
    11. team_ids =

    Set up OAuth2 with Auth0

    • Create a new Client in Auth0
    • Name: Grafana

    • Type: Regular Web Application

    • Go to the Settings tab and set:

    • Allowed Callback URLs: domain>/login/generic_oauth

    • Click Save Changes, then use the values at the top of the page to configure Grafana:

    • Log in to portal.azure.com and click “Azure Active Directory” in the side menu, then click the “Properties” sub-menu item.

    • Copy the “Directory ID”, this is needed for setting URLs later

    • Click “App Registrations” and add a new application registration:

      • Name: Grafana
      • Application type: Web app / API
      • Sign-on URL: https://<grafana domain>/login/generic_oauth

    • Note down the “Application ID”, this will be the OAuth client id.

    • Click “Settings”, then click “Keys” and add a new entry under Passwords

      • Key Description: Grafana OAuth
      • Duration: Never Expires

    • Click Save then copy the key value, this will be the OAuth client secret.

    1. [auth.generic_oauth]
    2. name = Azure AD
    3. enabled = true
    4. allow_sign_up = true
    5. client_id = <application id>
    6. client_secret = <key value>
    7. scopes = openid email name
    8. auth_url = https://login.microsoftonline.com/<directory id>/oauth2/authorize
    9. token_url = https://login.microsoftonline.com/<directory id>/oauth2/token
    10. api_url =
    11. team_ids =
    12. allowed_organizations =

    Set up OAuth2 with Centrify

    • Create a new Custom OpenID Connect application configuration in the Centrify dashboard.

    • Create a memorable unique Application ID, e.g. “grafana”, “grafana_aws”, etc.

    • Put in other basic configuration (name, description, logo, category)

    • On the Trust tab, generate a long password and put it into the OpenID Connect Client Secret field.

    • Put the URL to the front page of your Grafana instance into the “Resource Application URL” field.

    • Add an authorized Redirect URI like https://your-grafana-server/login/generic_oauth

    • Set up permissions, policies, etc. just like any other Centrify app

    • Configure Grafana as follows:

    Only available in Grafana v6.0 and above.

    Some OAuth2 providers might not support client_id and client_secret passed via Basic Authentication HTTP header, which results in invalid_client error. To allow Grafana to authenticate via these type of providers, the client identifiers must be send via POST body, which can be enabled via the following settings:

    1. send_client_credentials_via_post = true