AuthProxy: Can now login with auth proxy and get a login token #20175
Conversation
There was a problem hiding this comment.
It's a simple solution, but would suggest putting some more effort into it.
Regarding option/setting to enable this - definitely yes. I don't want to risk as a first step breaking installations due to this.
To me it would make sense to have a specific url like /auth-proxy-login instead of /login to move everything auth proxy related into that. However then we would have to add logic to disable the normal login page and custom redirect rule.
Questions:
Should something happen when auth token is rotated?
What about using auth proxy and ldap?
What happens when logging out? User redirected to login page and gets logged in again - possible redirect loop problem?
torkelo
force-pushed
the
auth-proxy-with-login-tokens
branch
from
584de6f
to
01a2c11
Compare
|
@ torkelo do we need to upgrade grafana (currently we are using 6.2.5) in order to overcome the problem ? |
|
Yes, this feature requires Grafana v6.5 example nginx config: |
|
@torkelo |
|
6.5 is not released yet, beta out this week. You find nightly builds of 6.5 on Grafana.com |
|
Great feature, but how to for alert rules ? I must, each times, use another datasource with a user for basic auth? |
|
@duylong not exactly sure what you're referring to. Sounds like you want to put same auth proxy in front of datasource. |
|
Sorry for my lack of precision. |
|
@torkelo As we need to integrate grafana in our web site, without asking the user to re-type a password, we want to skip the nginx basic auth username & password dialog. We want to pass the username & password as parameters of the url, or some other solution, so that the user will not have to retype his username & password. Is it possible, and could you please direct us for some php/c etc. code example |
|
Url is not supported, HTTP header is |
|
@torkelo sorry but i do not understand the process, should i display an href like http://user:password@server/grafana/login ??? when i enter such a url to the browser navigation bar it does not reach the destination, or should i generate a curl call from a cgi running on my server, what will be the response for such a curl call ??? i want my users be able to view grafana dashboards. please advise. |
|
you need an nginx proxy that handles the single sign on with your auth system, that proxy can add the required headers for grafana |
|
@torkelo We are already using the nginx proxy, but as i have mentioned the nginx basic auth pops a username & password dialog. We want to be able to skip this dialog |
|
ok, well you have to use some other auth mechanism with nginx then, if you use auth proxy Grafana is not involved in the auth |
|
@torkelo i am trying to use the secure_link nginx auth, but then grafana comes back without a session cookie so that the user is being thrown from his session login. i thought grafana 6.5 should overcome this issue. Please advise |
|
@torkelo i have also tried proxy_set_header Authorization base64(user:password). in case it is hard coded in the nginx.conf file like proxy_set_header Authorization "Basic YWRtaW46VhN12Ud1a284MQ==" it works fine, but when i pass the "YWRtaW46VhN12Ud1a284MQ==" as a url parameter, grafana will come back without a cookie |
|
We proxy access to Grafana through our server since it is where we maintain identities. Conceptually however is it very similar. We proxy grafana at However, at this point, running 6.5.2 things aren't working. The first part is the same, we proxy login, add the header and get the redirect. However, there is no cookie (which I guess is intentional) and I don't see anything in the redirect which is going to help Grafana maintain the user's identity on subsequent requests. I assumed that this fix was going to provide that, so clearly I'm missing something. At this point, how is this supposed to work? Assuming the header is only added to the |
|
OK -- found our issue. We need to set |
|
@sfitts could you please attach the nginx.conf & grafana.ini files that you are using ? |
|
As I mentioned, we're not using Nginx (we proxy the requests through a proprietary server). However, the nginx config provided by @torkelo is equivalent to what we are doing. The relevant section of the grafana.ini looks like: [auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false
enable_login_token = true |
|
@sfitts i works, but i want to skip the username & password pop up, since the user already authenticated in my site. Do you know any way this can be achived ? |
|
Unfortunately I'm not really an Nginx expert (since we don't use it), so I'm not sure. |
|
@torkelo we like grafana very much, but we can't imagine that our users will have to go through a authentication process to view a grafana board, since they have been already authenticated when logged in to our web site. As i understand the nginx basic auth mechanism saves something like a cookie after the user has entered name & password, and in the next accesses the $remote_user is set to the user-name identified by the cookie. Is there another nginx authentication method which works in a similar way, we want to pass somehow the name&password as parameters (might be encrypted) to the grafana/login and imitate the NGINX basic auth mechanism without poping the auth dialog. Is it possible ? maybe we need to write some callback program that will imitate the basic auth mechanism. Please advise in details how this should be done, i think it is needed by many enthusiastic grafana developers. |
|
@gershongad Don't have an answer for your question, but have you tried asking in the Grafana community? |
Fixes #17316
Changed so you can login using auth proxy. If you access /login and the your already logged in via auth proxy we now create an auth token so you stay logged in after redirect.
Added example nginx config to test this scenario.
Todo:
[x] Unit test for this
[x] Should we have an option for this?
[x] What other scenarios could cause a /login request and you're already logged in?