4.1 KiB
4.1 KiB
| title | description | lead | date | draft | images | menu | weight | toc | community | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Grafana | Integrating Grafana with the Authelia OpenID Connect Provider. | 2022-06-15T17:51:47+10:00 | false |
|
620 | true | true |
Tested Versions
Before You Begin
Common Notes
- You are required to utilize a unique client id for every client.
- The client id on this page is merely an example and you can theoretically use any alphanumeric string.
- You should not use the client secret in this example, We strongly recommend reading the [Generating Client Secrets] guide instead.
Assumptions
This example makes the following assumptions:
- Application Root URL:
https://grafana.example.com - Authelia Root URL:
https://auth.example.com - Client ID:
grafana - Client Secret:
grafana_client_secret
Configuration
Application
To configure Grafana to utilize Authelia as an OpenID Connect Provider you have two effective options:
Configuration File
Add the following Generic OAuth configuration to the Grafana configuration:
[server]
root_url = https://grafana.example.com
[auth.generic_oauth]
enabled = true
name = Authelia
icon = signin
client_id = grafana
client_secret = grafana_client_secret
scopes = openid profile email groups
empty_scopes = false
auth_url = https://auth.example.com/api/oidc/authorization
token_url = https://auth.example.com/api/oidc/token
api_url = https://auth.example.com/api/oidc/userinfo
login_attribute_path = preferred_username
groups_attribute_path = groups
name_attribute_path = name
use_pkce = true
Environment Variables
Configure the following environment variables:
| Variable | Value |
|---|---|
| GF_SERVER_ROOT_URL | https://grafana.example.com |
| GF_AUTH_GENERIC_OAUTH_ENABLED | true |
| GF_AUTH_GENERIC_OAUTH_NAME | Authelia |
| GF_AUTH_GENERIC_OAUTH_CLIENT_ID | grafana |
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | grafana_client_secret |
| GF_AUTH_GENERIC_OAUTH_SCOPES | openid profile email groups |
| GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES | false |
| GF_AUTH_GENERIC_OAUTH_AUTH_URL | https://auth.example.com/api/oidc/authorization |
| GF_AUTH_GENERIC_OAUTH_TOKEN_URL | https://auth.example.com/api/oidc/token |
| GF_AUTH_GENERIC_OAUTH_API_URL | https://auth.example.com/api/oidc/userinfo |
| GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH | preferred_username |
| GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH | groups |
| GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH | name |
| GF_AUTH_GENERIC_OAUTH_USE_PKCE | true |
Authelia
The following YAML configuration is an example Authelia client configuration for use with Grafana which will operate with the above example:
- id: grafana
description: Grafana
secret: '$plaintext$grafana_client_secret'
public: false
authorization_policy: two_factor
redirect_uris:
- https://grafana.example.com/login/generic_oauth
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none