Issue:

I am trying to set up the following configuration locally: [nginx] <-> [oauth2_proxy] <-> [grafana]

  • nginx listens on 80
  • oauth2_proxy listens on 4180
  • grafana listens on 3000

Although authentication through the proxy succeeds (from the proxy's and the identity provider's perspective, here Google), the authenticated user is not carried over to Grafana; instead I am redirected to the login screen.

While we could use auth.generic_oauth to authenticate users through a third-party OAuth2 provider (see here), I have chosen this approach so that multiple applications can be configured against one common authentication backend.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

# docker-compose.yml
version: '3'
services:
  grafana:
    container_name: grafana
    image: grafana/grafana:latest
    restart: always
    user: '104'
    volumes:
      - $PWD/data/grafana:/var/lib/grafana
    ports:
      - 3000:3000
    environment:
      # [users]
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_USERS_AUTO_ASSIGN_ORG=true
      - GF_USERS_AUTO_ASSIGN_ORG_ROLE=Admin

      # [auth.basic]
      - GF_AUTH_BASIC_ENABLED=false

      # [auth]
      - GF_AUTH_DISABLE_LOGIN_FORM=true

      # [auth.proxy]
      - GF_AUTH_PROXY_ENABLED=true
      - GF_AUTH_PROXY_HEADER_NAME=X-Email
      - GF_AUTH_PROXY_HEADER_PROPERTY=email
      - GF_AUTH_PROXY_AUTO_SIGN_UP=true
      - GF_AUTH_PROXY_ENABLE_LOGIN_TOKEN=false

  oauth2-proxy:
    container_name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    restart: always
    ports:
      - 4180:4180
    volumes:
      - $PWD/data/oauth2:/var/lib/oauth2_proxy
    environment:
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_CLIENT_ID=<google_client_id>
      - OAUTH2_PROXY_CLIENT_SECRET=<google_client_secret>
      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://accounts.google.com
      - OAUTH2_PROXY_COOKIE_SECRET=abcdefgh
      - OAUTH2_PROXY_COOKIE_DOMAIN=http://localhost:3000
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_COOKIE_SECURE=false
      - OAUTH2_PROXY_UPSTREAMS=http://grafana:3000
      - OAUTH2_PROXY_HTTP_ADDRESS=http://:4180
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost:3000/oauth2/callback
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      - OAUTH2_PROXY_ERRORS_TO_INFO_LOG=true
      - OAUTH2_PROXY_AUTH_LOGGING=true
      - OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR=true
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_PASS_USER_HEADERS=true
      - OAUTH2_PROXY_PASS_HOST_HEADER=true
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY=true
      - OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true
  nginx:
    container_name: nginx
    image: nginx
    restart: always
    ports:
      - 80:80
    volumes:
      - $PWD/data/nginx/:/etc/nginx/conf.d/

# nginx.conf
server {
  listen 80;
  server_name localhost;

  location /oauth2/ {
    proxy_pass       http://oauth2-proxy:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }
  location = /oauth2/auth {
    proxy_pass       http://oauth2-proxy:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
  }

  location /grafana/ {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    proxy_pass http://grafana:3000;
  }
}

Run docker-compose up -d --build

Then in the browser navigate to http://localhost/grafana/ => user redirected to oauth2_proxy => Google login successful => back to the Grafana login screen.

It seems that I am missing some settings for carrying over the auth headers or something. Could anyone point me in the right direction?

There was a similar issue opened a while ago here, but it didn't work for me. I already have GF_AUTH_BASIC_ENABLED=false.

Anything else we need to know?: All 3 actors (grafana, nginx, oauth2_proxy) have clean logs, no warnings or errors.

Environment: local

  • Grafana version: grafana:latest
  • Data source type & version:
  • OS Grafana is installed on: macOS
  • User OS & Browser: Chrome
  • Grafana plugins:
  • Others: nginx, oauth2_proxy

1 Answer


You need to configure headers correctly:

      - GF_AUTH_PROXY_HEADER_NAME=X-Email

So this config is saying that username/email will be in the X-Email header.

But it looks like username/email is in a different header, see https://github.com/grafana/grafana/issues/27251#issuecomment-682477379:

X-Forwarded-User: <my email>

So it should probably be:

GF_AUTH_PROXY_HEADERS='Name:X-Forwarded-User Email:X-Forwarded-Email'
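Both the question and this answer hinge on whether the header Grafana's auth proxy reads is the same one nginx fills from auth_request_set, so here is a small consistency checker I wrote for this thread (my own example, not code from the question, the answer, Grafana or oauth2-proxy). It assumes Grafana's default header name X-WEBAUTH-USER when GF_AUTH_PROXY_HEADER_NAME is unset and that the location block has no nested braces; the nginx snippet and env map are constructed from the values in the question.

```python
import re

# Constructed sample mirroring the thread's nginx location block (not the poster's literal file).
NGINX_CONF = """
server {
  location /oauth2/ { proxy_pass http://oauth2-proxy:4180; }
  location /grafana/ {
    auth_request /oauth2/auth;
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;
    proxy_pass http://grafana:3000;
  }
}
"""

# Grafana env as in the question's docker-compose (values copied from the page, no whitelist set).
GRAFANA_ENV = {
    "GF_AUTH_PROXY_ENABLED": "true",
    "GF_AUTH_PROXY_HEADER_NAME": "X-Email",
    "GF_AUTH_PROXY_HEADER_PROPERTY": "email",
}

def location_body(conf, path):
    """Return the directives inside `location <path> { ... }` (assumes no nested braces)."""
    m = re.search(r"location\s+(?:=\s*)?" + re.escape(path) + r"\s*\{(.*?)\n\s*\}", conf, re.S)
    return m.group(1) if m else ""

def check_handoff(env, conf, path="/grafana/"):
    """Compare Grafana's auth.proxy settings with the nginx location that fronts it."""
    findings = []
    body = location_body(conf, path)
    if "auth_request " not in body:
        findings.append(f"{path} has no auth_request: requests reach Grafana unauthenticated")
    set_hdrs = {h.lower(): v for h, v in re.findall(r"proxy_set_header\s+(\S+)\s+(\S+);", body)}
    auth_vars = {v for v, _ in re.findall(r"auth_request_set\s+(\$\w+)\s+(\S+);", body)}
    wanted = env.get("GF_AUTH_PROXY_HEADER_NAME", "X-WEBAUTH-USER").lower()  # Grafana's default name
    if wanted not in set_hdrs:
        findings.append(f"nginx never sets {wanted}: Grafana sees no identity and shows the login form")
    elif set_hdrs[wanted].startswith("$") and set_hdrs[wanted] not in auth_vars:
        findings.append(f"{wanted} is copied from {set_hdrs[wanted]}, which no auth_request_set fills")
    if not env.get("GF_AUTH_PROXY_WHITELIST"):
        findings.append("GF_AUTH_PROXY_WHITELIST unset: Grafana trusts the header from any client that "
                        "can reach port 3000 directly; restrict it to the nginx address")
    return findings
```

Run `check_handoff(GRAFANA_ENV, NGINX_CONF)` against your own files: with the question's values the header names line up and the only finding is the missing whitelist, while the comment's X-Forwarded-Email rename produces a mismatch finding because nginx still sets X-Email.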

1 Comment

Unfortunately it doesn't work. I've used in the grafana config:
- GF_AUTH_PROXY_HEADER_NAME=X-Forwarded-Email
- GF_AUTH_PROXY_HEADER_PROPERTY=email
- GF_AUTH_PROXY_HEADERS="Name:X-Forwarded-Email,Email:X-Forwarded-Email"
And in nginx.conf:
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
