Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proxy Provider fetches a new access-token for each request #19730

mmikalsen opened this issue Oct 9, 2019 · 2 comments · May be fixed by #19928


Copy link

commented Oct 9, 2019

What happened:
I'm trying to implement a datasource plugin for Grafana, the api used requires oauth2 client credentials authentication, which is implement as written in the oauth-guide. Grafana does not reuse the token, and will request a new token for each request.

The Access Token Response from auth0 is as follows:


Which causes issues with the current implementation of Grafana.

What you expected to happen:
Grafana will reuse the token already fetched by the proxy-provider, and not fetch the already cached token.

How to reproduce it (as minimally and precisely as possible):
Configure a datasource as written in the guide, with auth0 as oauth2-provider. It should not reuse the token.

Anything else we need to know?:
rfc6749 defines the fields in the Access Token Response, where expire_on is not defined, which is used by Grafana to set the expire time of the token.

A more universal implementation would use the expire_in field instead or as a fallback.. A note on this is that authentication providers have different types for the expire_in field, for example Microsoft uses a string, and the RFC defines it as a number RFC6749 So the implemenation needs to handle both strings and number in the expire_in field of the Access Token Response.


  • Grafana version: v6.5.0-pre (commit: d6eb4e8) and Grafana v6.4.2 (commit: 443a0ba)
  • Data source type & version: custom with oauth2 authentication
  • OS Grafana is installed on: Official Docker image and Debian
  • User OS & Browser: na
  • Grafana plugins: na
  • Others: na
@mmikalsen mmikalsen changed the title Proxy Provider fetches a access-token for each request Proxy Provider fetches a new access-token for each request Oct 9, 2019

This comment has been minimized.

Copy link

commented Oct 11, 2019

What does your plugin.json look like?


This comment has been minimized.

Copy link

commented Oct 11, 2019

  "type": "datasource",
  "name": "datasource-Grafana",
  "id": "datasource_example",
  "info": {
    "description": "DataSource Plugin for",
    "author": {
    "keywords": [
    "logos": {
      "small": "img/logo.png",
      "large": "img/logo.png"
    "links": [
        "name": "Homepage",
    "version": "0.0.1",
    "updated": "%TODAY%"
  "dependencies": {
    "grafanaVersion": "4.5.x",
    "plugins": []
  "metrics": true,
  "annotations": false,
  "backend": true,
  "alerting": true,
  "executable": "datasource-plugin",
  "routes": [
      "path": "meta",
      "method": "GET",
      "url": "https://{{.JsonData.environment.url}}/api/meta",
      "tokenAuth": {
        "url": "https://{{.JsonData.environment.tokenurl}}/oauth/token",
        "params": {
          "grant_type": "client_credentials",
          "client_id": "{{.JsonData.client_id}}",
          "client_secret": "{{.SecureJsonData.client_secret}}",
          "audience": "https://{{.JsonData.environment.audience}}/",
          "client_name": "datasource_plugin"

The backend is not responsible for the flood if Access Token requests, it's only when the meta-path is used, which only happens in the query-editing. These tokens are cached, but not reused because the expire_on is not set by auth0, and causes Grafana to believe that they expires 01-01-1970.

reference to structure in code:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.