
Oauth with Dex does not work - error login.OAuthLogin(missing saved state) #23907

Closed
treydock opened this issue Apr 26, 2020 · 6 comments

treydock commented Apr 26, 2020

What happened:

I log into Grafana with OAuth using Dex and get login.OAuthLogin(missing saved state) error.

Log entries:

t=2020-04-26T16:29:11+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=OMIT time_ms=0 size=57 referer=
t=2020-04-26T16:29:11+0000 lvl=info msg="OAuth auto login enabled. Redirecting to /login/generic_oauth"
t=2020-04-26T16:29:11+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=307 remote_addr=OMIT time_ms=13 size=84 referer=
t=2020-04-26T16:29:11+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=OMIT time_ms=1 size=261 referer=
t=2020-04-26T16:29:18+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=OMIT time_ms=0 size=747 referer="http://haswell2.OMIT:5556/dex/auth/ldap?req=lp56niaylv3hfdr7pmyxmmwbf"

What you expected to happen:

I'd expect OAuth to work with Dex

How to reproduce it (as minimally and precisely as possible):

grafana.ini:

app_mode = production

[alerting]
enabled = false

[auth]
oauth_auto_login = true

#[auth.anonymous]
#enabled = true
#org_name = OSC
#org_role = Viewer

[auth.generic_oauth]
allow_sign_up = true
api_url = http://haswell2.ten.osc.edu:5556/dex/userinfo
auth_url = http://haswell2.ten.osc.edu:5556/dex/auth
client_id = grafana
client_secret = ce9ebb74-58e2-449e-b580-67515e58048a
enabled = true
name = Dex
scopes = openid profile email groups
token_url = http://haswell2.ten.osc.edu:5556/dex/token
email_attribute_path = email

[auth.generic_oauth.group_mapping]
role_attribute_path = contains(groups[*], 'sysstf') && 'Admin' || contains(groups[*], 'oscall') && 'Editor' || 'Viewer'
org_id = 1

[dashboards]
min_refresh_interval = 30s

[security]
admin_password = OMIT
admin_user = admin
allow_embedding = true
cookie_secure = true

[server]
enable_gzip = true
http_port = 3000
domain = haswell2.OMIT

[users]
allow_sign_up = false

[log]
mode = console
level = debug

[log.console]
level = debug

Dex config:

issuer: http://haswell2.OMIT:5556/dex
storage:
  type: sqlite3
  config:
    file: examples/dex.db
web:
  http: 0.0.0.0:5556
telemetry:
  http: 0.0.0.0:5558
oauth2:
  skipApprovalScreen: true
staticClients:
- id: grafana
  redirectURIs:
  - 'http://haswell2.OMIT:3000/login/generic_oauth'
  name: 'Grafana'
  secret: OMIT
- id: example-app
  redirectURIs:
  - 'http://haswell2.OMIT:5555/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: ldap1.OMIT:636
    bindDN: cn=read,ou=Admin,dc=osc,dc=edu
    bindPW: OMIT
    userSearch:
      baseDN: ou=People,dc=osc,dc=edu
      filter: "(objectClass=oscUser)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: gecos
      preferredUsernameAttr: uid
    groupSearch:
      baseDN: ou=Groups,dc=osc,dc=edu
      filter: "(objectClass=oscGroup)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
enablePasswordDB: false

Anything else we need to know?:

A setup almost identical to this works with Grafana 6.7.2 and Keycloak.

These are the claims returned by the Dex example app, extracted with the scopes I configured for Grafana:

{
  "iss": "http://haswell2.OMIT:5556/dex",
  "sub": "Cgt0ZG9ja2VuZG9yZhIEbGRhcA",
  "aud": "example-app",
  "exp": 1588004808,
  "iat": 1587918408,
  "azp": "example-app",
  "at_hash": "K8wsDkhc81yA2ytxbKvqSw",
  "email": "tdockendorf@osc.edu",
  "email_verified": true,
  "groups": [
    "awesim",
    "awsmdev",
    "bcpadmin",
    "bcpshell",
    "dhgremot",
    "hpcsoft",
    "hpcsys",
    "oscall",
    "oscstaff",
    "PZS0201",
    "PZS0465",
    "PZS0703",
    "PZS0708",
    "ruby",
    "singadm",
    "sysall",
    "sysstf"
  ],
  "name": "Trey Dockendorf",
  "preferred_username": "tdockendorf"
}

Dex is capable of running using local fake LDAP server from docker: https://github.com/dexidp/dex/blob/master/Documentation/dev-integration-tests.md#ldap

Environment:

  • Grafana version: 7.0.0-pre
  • Data source type & version: No data source yet
  • OS Grafana is installed on: Docker
  • User OS & Browser:
  • Grafana plugins: None
  • Others:
treydock commented Apr 26, 2020

While testing I noticed that if I comment out cookie_secure, the redirect back to Grafana after authenticating just hangs, and this is the last thing in the logs:

t=2020-04-26T16:38:08+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=OMIT time_ms=0 size=260 referer=
t=2020-04-26T16:38:16+0000 lvl=info msg="state check" logger=oauth queryState=48959f16c6d4546ee00786f085846e5568d494177b10f7df6fb4583857705556 cookieState=48959f16c6d4546ee00786f085846e5568d494177b10f7df6fb4583857705556

I was running Docker and the data volume out of NFS, so I will experiment with a Docker volume to see if maybe the hang was NFS access. Docker run using this command:

docker run --user $ID --volume "$PWD/data:/var/lib/grafana" --volume "$PWD/conf/custom.ini:/etc/grafana/grafana.ini" -p 3000:3000 grafana/grafana:dev

@treydock (Author)

New Docker command, and the symptom remains: Grafana just hangs after OAuth with Dex.

docker run --user $ID --volume grafana-storage:/var/lib/grafana --volume "$PWD/conf/custom.ini:/etc/grafana/grafana.ini" -p 3000:3000 grafana/grafana:dev

@treydock (Author)

The hang only occurs with Dex. When I use Keycloak I have no issues.

treydock commented May 2, 2020

I got this working. First, I wasn't using HTTPS for my testing, so I had to ensure cookie_secure was false. Second, because I was running Dex on port 5556, I had neglected to open that port in the host firewall for the host itself, as I was running both Grafana and Dex on the same host. I had only opened 5556 from the system I was accessing via browser. Once I corrected those issues, Dex works just fine.

treydock closed this as completed May 2, 2020
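The three things that went wrong in this thread (a redirect URI or client that Dex does not know, cookie_secure = true on a plain-http Grafana so the browser never stores the state cookie and the callback fails with "missing saved state", and a Dex token endpoint the Grafana host cannot reach because of a host firewall) can all be caught before the first login attempt. The script below is an added example written for this page, not Grafana's or Dex's own code. It reads a constructed grafana.ini modelled on the one in the issue (hostname haswell2.example.test and the root_url key are assumptions; the Dex staticClients list is embedded as already-parsed data rather than loaded from YAML), cross-checks it against the Dex client entry, and offers a TCP reachability probe for the token_url. It also shows how a new staticClients entry is created, which answers the later question about where client_id and client_secret come from: you define them in Dex, and the secret is a credential Dex verifies at the token endpoint.

```python
"""Cross-check a Grafana [auth.generic_oauth] stanza against a Dex static client.

Added example for this thread (not Grafana's or Dex's code). All sample data is
constructed; the hostname and root_url are assumptions, not values from the issue.
"""
import configparser
import secrets
import socket
from urllib.parse import urlsplit

# Constructed sample: trimmed grafana.ini with the cookie_secure / plain-http
# combination that produced "missing saved state" in the issue.
GRAFANA_INI = """
[server]
http_port = 3000
domain = haswell2.example.test
root_url = http://haswell2.example.test:3000/

[security]
cookie_secure = true

[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = not-a-real-secret
auth_url = http://haswell2.example.test:5556/dex/auth
token_url = http://haswell2.example.test:5556/dex/token
api_url = http://haswell2.example.test:5556/dex/userinfo
"""

# Constructed sample: the staticClients list of a Dex config, already parsed.
DEX_STATIC_CLIENTS = [
    {"id": "grafana",
     "redirectURIs": ["http://haswell2.example.test:3000/login/generic_oauth"],
     "secret": "not-a-real-secret"},
]


def load_grafana(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def grafana_redirect_uri(cp):
    """Redirect URI Grafana sends to the IdP: <root_url>/login/generic_oauth.
    Falls back to http://<domain>:<http_port>/ when root_url is unset (assumption)."""
    srv = cp["server"]
    root = srv.get("root_url") or f"http://{srv.get('domain', 'localhost')}:{srv.get('http_port', '3000')}/"
    return root.rstrip("/") + "/login/generic_oauth"


def check_config(cp, static_clients):
    """Return a list of problem strings; an empty list means the pair is consistent."""
    problems = []
    oauth = cp["auth.generic_oauth"]
    redirect = grafana_redirect_uri(cp)
    client = next((c for c in static_clients if c["id"] == oauth["client_id"]), None)
    if client is None:
        problems.append(f"client_id {oauth['client_id']!r} is not a Dex staticClient "
                        "(Dex answers 'Invalid client_id')")
    else:
        if redirect not in client["redirectURIs"]:
            problems.append(f"redirect URI {redirect} not in Dex redirectURIs {client['redirectURIs']}")
        if client.get("secret") != oauth["client_secret"]:
            problems.append("client_secret differs from the Dex staticClient secret")
    # A Secure cookie is never stored by the browser on a plain-http origin, so the
    # state cookie is absent on the callback: that is what 'missing saved state' reports.
    if cp["security"].getboolean("cookie_secure", fallback=False) and urlsplit(redirect).scheme != "https":
        problems.append("cookie_secure = true but Grafana is served over http: "
                        "the state cookie is never stored, so the callback fails with 'missing saved state'")
    return problems


def token_endpoint_reachable(cp, timeout=2.0):
    """TCP-connect to token_url host:port from this machine, i.e. the probe that
    would have exposed the host-firewall problem. Not exercised offline."""
    u = urlsplit(cp["auth.generic_oauth"]["token_url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    try:
        with socket.create_connection((u.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


def new_static_client(client_id, redirect_uri):
    """Dex staticClients entry for a fresh client. The secret is a random credential
    that Dex checks when the client calls the token endpoint, not just a label."""
    return {"id": client_id, "name": client_id,
            "redirectURIs": [redirect_uri], "secret": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    cp = load_grafana(GRAFANA_INI)
    for p in check_config(cp, DEX_STATIC_CLIENTS):
        print("PROBLEM:", p)
    print("token endpoint reachable:", token_endpoint_reachable(cp))
```

Run it against the sample and the only problem reported is the cookie_secure mismatch; flip cookie_secure to false (or serve Grafana over https with a matching https redirect URI in Dex) and the check passes. The reachability probe is meant to be run on the Grafana host itself, since a firewall rule that only admits the browser's machine is exactly the case the thread ran into.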
@munsayac13

I'm having the same issue, hope you can help me too. First, how did you create the client_id and client_secret you use in your grafana.ini? The error I get from dex is Invalid client_id.

cateto commented Oct 28, 2022

@munsayac13 what are you using, a database (postgresql) or a configmap?
If you are using a DB, you should use SQL,
and if you are using a configmap, you should use the configmap that is connected with your dex application.

https://dexidp.io/docs/development/oidc-certification/#configuring-dex

This is a sample.

client_secret, I think, is just for discrimination. You can use a uuid.
