grafana / loki

Like Prometheus, but for logs.
https://grafana.com/loki
GNU Affero General Public License v3.0

Configuring OAuth2 for Authentication #13927

Open marcanio opened 3 weeks ago

marcanio commented 3 weeks ago

Describe the bug

OAuth2 proxy set up and using Okta OIDC as provider. Grafana is also using the same application in Okta for authentication. Oauth2 does not work for authentication.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy Grafana and Loki through helm charts
  2. Deploy Oauth2 proxy and configure to use Okta OIDC
  3. Deploy an Ingress through Loki helm chart and connect to OAuth2 via annotations in the ingress (auth-url & auth-signin)

Expected behavior

When connecting to the Loki datasource via Grafana provide the ingress and set authentication as forward Oauth

Environment:

I have got this working with basic Oauth through Nginx but have not been able to get it working with Oauth2 and have not found anything on the internet supporting that anyone has completed this before. Below is the configuration of the Loki ingress in the helm chart -

ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.DOMAIN_NAME/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.DOMAIN_NAME/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-proxy-set-headers: ingress-nginx-loki-controller
  hosts:
    - loki.DOMAIN_NAME
  tls:
    - hosts:
      - loki.DOMAIN_NAME
      secretName: loki-tls

Below is the configuration of the OAuth2 helm chart and the secret has the client_id, secret and cookie

namespaceOverride: "oauth2"

image:
  repository: IMAGE_REPO/oauth2-proxy/oauth2-proxy
  tag: latest

config:
  existingSecret: SECRET_OKTA_OAUTH_SECRET_NAME
  configFile: |-
    provider = "oidc"
    redirect_url = "http://grafana.DOMAIN_NAME/oauth2/callback"
    oidc_issuer_url = "https://OKTA_AUTH_URL"
    email_domains = ["*"]
    upstreams = [ "https://loki.DOMAIN_NAME" ]
    pass_access_token = true
    skip_provider_button = true
    pass_authorization_header = true

ingress:
  enabled: true
  className: nginx
  path: /oauth2
  pathType: ImplementationSpecific
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: "1024m"
    nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
  hosts:
    - oauth2-proxy.DOMAIN_NAME
  tls:
    - hosts:
        - oauth2-proxy.DOMAIN_NAME
      secretName: oauth2-tls

When trying to connect to the datasource via Grafana using the Ingress created and authentication set to forward Oauth, Grafana pods throw an error - 503 Loki service unavailable

I can supply additional configuration if needed
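Added example (not code from Loki, oauth2-proxy or the reporter): a small consistency check over the two values files above, run on constructed copies of them, that flags an auth-url, auth-signin or redirect_url which the oauth2-proxy ingress shown would not route, a plain-http redirect_url, and a pass_authorization_header that nginx is not told to forward to Loki. It only knows the two files shown here, so an ingress elsewhere that routes grafana.DOMAIN_NAME/oauth2 to the proxy would make the redirect_url finding a false positive.

```python
import re
from urllib.parse import urlparse
# Constructed copies of the two values files posted above, trimmed to the keys checked.
LOKI_VALUES = """\
ingress:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.DOMAIN_NAME/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.DOMAIN_NAME/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
  hosts:
    - loki.DOMAIN_NAME
"""
PROXY_VALUES = """\
config:
  configFile: |-
    redirect_url = "http://grafana.DOMAIN_NAME/oauth2/callback"
    pass_authorization_header = true
ingress:
  path: /oauth2
  hosts:
    - oauth2-proxy.DOMAIN_NAME
"""

def scalar(text, key):
    """First `key: value` (YAML) or `key = "value"` (TOML) line, quotes stripped, else the empty string."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*[:=]\s*"?([^"\n]+?)"?\s*$', text, re.M)
    return m.group(1) if m else ""

def hosts(text):  # entries of the first `hosts:` list, lower-cased like urlparse().hostname
    m = re.search(r'^\s*hosts:\n((?:\s*-\s*\S+\n)+)', text, re.M)
    return [h.lower() for h in re.findall(r'-\s*(\S+)', m.group(1))] if m else []

def check(loki_values, proxy_values):
    """Return mismatches between the Loki ingress auth annotations and the oauth2-proxy values."""
    findings, proxy_hosts, proxy_path = [], hosts(proxy_values), scalar(proxy_values, "path")
    def routed(url):  # True when the URL lands on the oauth2-proxy ingress shown
        return url.hostname in proxy_hosts and url.path.startswith(proxy_path)
    for key in ("auth-url", "auth-signin"):  # nginx must reach /oauth2/auth and /oauth2/start
        url = urlparse(scalar(loki_values, "nginx.ingress.kubernetes.io/" + key))
        if not routed(url):
            findings.append(f"{key} {url.geturl()} is not routed by the oauth2-proxy ingress")
    redirect = urlparse(scalar(proxy_values, "redirect_url"))
    if not routed(redirect):  # the IdP sends the browser here; only the proxy can finish login
        findings.append(f"redirect_url {redirect.geturl()} is not routed by the oauth2-proxy ingress")
    if redirect.scheme != "https":  # the authorization code travels in this URL's query string
        findings.append("redirect_url is not https")
    wanted = scalar(loki_values, "nginx.ingress.kubernetes.io/auth-response-headers")
    if scalar(proxy_values, "pass_authorization_header") == "true" and "Authorization" not in wanted:
        findings.append("Authorization is not listed in auth-response-headers, so Loki never sees it")
    return findings
```

On the values as posted it reports two findings (the callback host and the plain-http scheme); pointing redirect_url at https://oauth2-proxy.DOMAIN_NAME/oauth2/callback makes it report none.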

marcanio commented 3 weeks ago

Versions -
  Grafana - 11.1.0
  Loki - 3.1.1
  Oauth2 - 7.7.9