canonical / grafana-k8s-operator

This charmed operator automates the operational procedures of running Grafana, an open-source visualization toolkit, on Kubernetes.
https://charmhub.io/grafana-k8s
Apache License 2.0

Unable to connect Grafana to Google for OAuth #308

Closed kian99 closed 3 months ago

kian99 commented 4 months ago

Bug Description

I'm trying to use the new OAuth relation to integrate the operator with Google for OIDC. I was able to use this integrator charm to pass my clientID/secret and all the necessary URLs to Grafana.

When clicking "Sign in with external identity provider" I get redirected to an error page on Google, as in the image below.

I believe the issue is that Google does not accept the offline_access scope in the usual place, which is further discussed in this GH issue for another project. Grafana seems to have a generic OAuth config, which is what the charm configures when you add the relation, and it also has provider-specific config, like the one for Google, which is never used.

I'm not sure what the best solution is here but perhaps the charm should check the provider based on the returned URL and set the appropriate config instead of always using the generic oauth config?

To Reproduce

  1. Deploy grafana-k8s
  2. Deploy oauth-external-idp-integrator
  3. Create OAuth credentials in Google Cloud
  4. Configure oauth-external-idp-integrator
  5. Relate grafana-k8s to oauth-external-idp-integrator and try to login.

Environment

Grafana-k8s - latest/beta revision 105

Relevant log output

Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.email], invalid=[offline_access]} Learn more about this error

Additional context

No response
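The failure described in this report, worked through as an added example (this is not code from grafana-k8s, Grafana, or the integrator charm). It parses the Google error text from the log output above, classifies the provider from the authorization URL as the report suggests, and builds the authorization request both the way a generic OAuth config does (offline_access as a scope, which Google rejects) and the provider-aware way. Assumptions: the generic scope list `openid email offline_access` is inferred from the error message, since the charm's hardcoded list is not shown on this page; the URLs, client ID and state/nonce values are placeholders; and Google's documented mechanism for refresh tokens, `access_type=offline` in the request rather than an `offline_access` scope, is used as the corrected form.

```python
"""Added example: provider-aware OIDC authorization request vs. the generic one.

Not code from grafana-k8s, Grafana or the integrator charm. Assumptions:
- the generic config requests "openid email offline_access" (inferred from the
  error text in the issue; the charm's real hardcoded list is not on the page);
- Google rejects the offline_access scope and instead issues refresh tokens when
  the request carries access_type=offline (Google's documented behaviour);
- all URLs, client IDs, state and nonce values below are placeholders.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Scope list assumed for the generic OAuth config (inferred from the log line).
GENERIC_SCOPES = ("openid", "email", "offline_access")

# Google error text as pasted in the issue's "Relevant log output".
GOOGLE_ERROR = (
    "Some requested scopes were invalid. "
    "{valid=[openid, https://www.googleapis.com/auth/userinfo.email], "
    "invalid=[offline_access]}"
)


def parse_scope_error(message):
    """Extract (valid, invalid) scope lists from Google's error text.

    Returns None if the message does not have the shape seen in the issue.
    Note that Google reports the short "email" scope back as its full URL.
    """
    m = re.search(r"valid=\[([^\]]*)\],\s*invalid=\[([^\]]*)\]", message)
    if not m:
        return None

    def split(group):
        return [s.strip() for s in group.split(",") if s.strip()]

    return split(m.group(1)), split(m.group(2))


def detect_provider(auth_url):
    """Classify the provider by the authorization endpoint's hostname.

    This is the check the report proposes: pick provider-specific handling
    instead of always applying the generic config. Only Google is special-cased.
    """
    host = urlparse(auth_url).hostname or ""
    if host == "accounts.google.com" or host.endswith(".google.com"):
        return "google"
    return "generic"


def build_authorization_request(auth_url, client_id, redirect_uri, scopes,
                                state, nonce, provider_aware=True):
    """Build an OIDC authorization-code request URL.

    provider_aware=False mimics the generic config: offline_access stays in the
    scope parameter regardless of provider. provider_aware=True moves refresh
    token handling for Google into access_type=offline (and prompt=consent so a
    refresh token is returned on re-authorization); other providers, such as an
    OIDC broker like the Identity Platform, keep offline_access as a scope.
    """
    scopes = list(scopes)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if provider_aware and detect_provider(auth_url) == "google" \
            and "offline_access" in scopes:
        scopes.remove("offline_access")
        params["access_type"] = "offline"
        params["prompt"] = "consent"
    params["scope"] = " ".join(scopes)
    return f"{auth_url}?{urlencode(params)}"


def query_param(url, name):
    """Return a single query parameter from a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def requested_scopes(url):
    """Return the space-separated scope list embedded in a request URL."""
    return (query_param(url, "scope") or "").split()


def would_google_reject(url):
    """True if the request carries any scope Google reported as invalid."""
    _, invalid = parse_scope_error(GOOGLE_ERROR)
    return any(s in invalid for s in requested_scopes(url))


if __name__ == "__main__":
    google = "https://accounts.google.com/o/oauth2/v2/auth"  # placeholder endpoint
    args = ("grafana-client-id", "https://grafana.example.test/login/generic_oauth",
            GENERIC_SCOPES, "state-placeholder", "nonce-placeholder")
    naive = build_authorization_request(google, *args, provider_aware=False)
    aware = build_authorization_request(google, *args)
    print("generic config rejected by Google:", would_google_reject(naive))
    print("provider-aware request rejected:  ", would_google_reject(aware))
```

The same request against a non-Google endpoint keeps offline_access in the scope list, which is the behaviour the broker-based setup relies on; only the Google branch changes.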

simskij commented 3 months ago

This is really more of an issue for the Identity team. Let me tag in a couple of relevant people. @massigori @nsklikas @shipperizer @natalian98

natalian98 commented 3 months ago

Hello @kian99, thanks for reporting the issue.

The purpose of the grafana oauth integration was to plug in the Identity Platform, which is the reason why a generic oauth config is propagated rather than a provider-specific one. The Identity Platform acts as an identity broker and can therefore be configured with multiple identity providers (Google included) using kratos-external-idp integrator charm instances. The oauth-external-idp-integrator is not maintained by the Identity team.

Please see this tutorial for more reference.

Having said that, Grafana hardcodes the scopes, so the offline_access scope is not Google-compliant. We'll investigate whether it can be fixed in Grafana or directly in the Identity Platform.

kian99 commented 3 months ago

Thank you both, I'll close the issue with the above in mind.