Closed. kian99 closed this 3 months ago.
This is really more of an issue for the Identity team. Let me tag in a couple of relevant people. @massigori @nsklikas @shipperizer @natalian98
Hello @kian99, thanks for reporting the issue.
The purpose of the Grafana OAuth integration was to plug in the Identity Platform, which is why a generic OAuth config is propagated rather than a provider-specific one. The Identity Platform acts as an identity broker and can therefore be configured with multiple identity providers (Google included) using kratos-external-idp-integrator charm instances. The oauth-external-idp-integrator is not maintained by the Identity team.
Please see this tutorial for more reference.
Having said that, Grafana hardcodes the scopes, so the offline_access scope is not Google-compliant. We'll investigate whether it can be fixed in Grafana or directly in the Identity Platform.
Thank you both, I'll close the issue with the above in mind.
Bug Description
I'm trying to use the new OAuth relation to integrate the operator with Google for OIDC. I was able to use this integrator charm to pass my client ID/secret and all the necessary URLs to Grafana.
When clicking "Sign in with external identity provider" I get redirected to an error page on Google, as below:
![image](https://github.com/canonical/grafana-k8s-operator/assets/46668016/eac6cb95-2144-4936-ae35-d4b66847a99c)
I believe the issue is that Google does not accept the offline_access scope in the usual place, which is further discussed in this GH issue for another project. Grafana seems to have a generic OAuth config, which is what the charm configures when you add the relation, and it also has provider-specific config (e.g. for Google) which is never used.
I'm not sure what the best solution is here but perhaps the charm should check the provider based on the returned URL and set the appropriate config instead of always using the generic oauth config?
To Reproduce
Environment
Grafana-k8s - latest/beta revision 105
Relevant log output
Additional context
No response
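The provider check suggested in the issue body, and the scope problem the Identity team confirms (Grafana passing a hardcoded offline_access scope that Google rejects), as an added example in Python. This is not code from grafana-k8s-operator, the integrator charm or the Identity Platform. It assumes the relation field names shown, that Google's authorization endpoint is served from accounts.google.com, and that a refresh token is requested from Google with the access_type=offline query parameter rather than the offline_access scope; the sample relation data is constructed, not captured from a deployment.

```python
"""Provider-aware Grafana OAuth config built from OAuth relation data.

Added example, not project code. Assumptions: the relation field names used
below, that Google's authorization endpoint is hosted on accounts.google.com,
and that Google takes the refresh-token request as access_type=offline in the
query string instead of an offline_access scope.
"""
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Hostnames that identify Google as the provider (assumption).
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Grafana reads [auth.generic_oauth] keys from GF_AUTH_GENERIC_OAUTH_* env vars.
GRAFANA_SECTION = "GF_AUTH_GENERIC_OAUTH_"


def detect_provider(authorization_endpoint: str) -> str:
    """Return 'google' when the authorization URL is hosted by Google, else 'generic'."""
    host = (urlparse(authorization_endpoint).hostname or "").lower()
    return "google" if host in GOOGLE_AUTH_HOSTS else "generic"


def add_query_param(url: str, key: str, value: str) -> str:
    """Append key=value to the URL's query string, keeping existing parameters."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[key] = value
    return urlunparse(parts._replace(query=urlencode(query)))


def build_grafana_oauth_env(relation_data: dict) -> dict:
    """Translate relation data into Grafana env vars, adjusting scopes per provider.

    The generic path forwards the scopes untouched (the Identity Platform broker
    accepts offline_access); the Google path drops offline_access from the scope
    list and asks for a refresh token via access_type=offline instead.
    """
    auth_url = relation_data["authorization_endpoint"]
    scopes = relation_data["scope"].split()
    if detect_provider(auth_url) == "google" and "offline_access" in scopes:
        # Google rejects offline_access as a scope value (assumption about how
        # Google expects the refresh-token request to be expressed).
        scopes = [s for s in scopes if s != "offline_access"]
        auth_url = add_query_param(auth_url, "access_type", "offline")
    return {
        GRAFANA_SECTION + "ENABLED": "true",
        GRAFANA_SECTION + "CLIENT_ID": relation_data["client_id"],
        GRAFANA_SECTION + "CLIENT_SECRET": relation_data["client_secret"],
        GRAFANA_SECTION + "SCOPES": " ".join(scopes),
        GRAFANA_SECTION + "AUTH_URL": auth_url,
        GRAFANA_SECTION + "TOKEN_URL": relation_data["token_endpoint"],
        GRAFANA_SECTION + "API_URL": relation_data["userinfo_endpoint"],
    }


# Constructed sample relation data: a Google client and a generic broker client.
GOOGLE_RELATION_DATA = {
    "client_id": "example-google-client-id",
    "client_secret": "example-google-client-secret",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "scope": "openid email profile offline_access",
}

IDENTITY_PLATFORM_RELATION_DATA = {
    "client_id": "example-broker-client-id",
    "client_secret": "example-broker-client-secret",
    "authorization_endpoint": "https://identity.example.test/oauth2/auth",
    "token_endpoint": "https://identity.example.test/oauth2/token",
    "userinfo_endpoint": "https://identity.example.test/userinfo",
    "scope": "openid email profile offline_access",
}

if __name__ == "__main__":
    for data in (GOOGLE_RELATION_DATA, IDENTITY_PLATFORM_RELATION_DATA):
        print(f"# provider: {detect_provider(data['authorization_endpoint'])}")
        for key, value in build_grafana_oauth_env(data).items():
            print(f"{key}={value}")
        print()
```

Matching on the authorization endpoint's hostname is the narrowest check that distinguishes the two cases on the page; if the charm ever receives an issuer URL instead, the same lookup can be applied to that field.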