greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (GitHub, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: Caddy is oauth proxy for grafana oauth identity forwarding #310

Open moritz31 opened 8 months ago

moritz31 commented 8 months ago

A clear and concise description of what you want to accomplish.

We currently use caddy together with basic auth to protect some of our prometheus datasources. Grafana has a feature called Forward OAuth Identity, where the server requests the datasource by proxying the Authorization header from your oauth2 session. Would it be possible for caddy-security to authorize these calls? Tried it with the following config but get an unauthorized from caddy:

```
authorization policy mypolicy {
  set auth url http://localhost:8080/oaut2/okta
  validate bearer header
  disable auth redirect
  acl rule {
    comment Test
    match email xxx
    allow log debug
  }
}
```

Request from Grafana looks like this:

```json
{"level":"error","ts":1705567522.9418292,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"","remote_port":"37956","client_ip":"","proto":"HTTP/1.1","method":"GET","host":"caddy:8080","uri":"/api/v1/status/buildinfo","headers":{"X-Id-Token":["TOKEN"],"Accept-Encoding":["gzip"],"User-Agent":["Grafana/10.2.3"],"Authorization":["Bearer TOKEN"],"X-Datasource-Uid":["faac24e5-b2c5-4723-87c8-28aaefff61a7"],"X-Grafana-Org-Id":["1"]}},"bytes_read":0,"user_id":"","duration":0.000051834,"size":0,"status":401,"resp_headers":{"Server":["Caddy"]}}
```

If this would work there could be a second issue: to verify the signature of the JWT, Caddy has to go against the introspect endpoint and not against the JWKS endpoint as it does by default. https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US

Could this work? Or could this maybe be easily implemented?

Regards Moritz
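To make concrete what a "validate bearer header" policy followed by an email ACL has to do with a request like the one logged above, here is an added example. It is not caddy-security code and does not use the plugin's API; it is a stand-alone, stdlib-only Python sketch that extracts the bearer token from a Grafana-style header set, verifies signature, issuer and expiry locally (the JWKS-style path), falls back to a simulated RFC 7662 introspection call for tokens that cannot be verified locally (the Okta access-token case the question links to), and then applies an email allow-list. The HS256 key, issuer URL, email addresses and the `introspect` callable are all constructed for the demo; a real deployment verifies RS256 tokens against the IdP's JWKS or calls the IdP's introspection endpoint with client credentials.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo key and issuer; real verification uses the IdP's JWKS.
DEMO_HS256_KEY = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"  # assumption


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_HS256_KEY) -> str:
    """Build an HS256 JWT for the demo (stands in for the IdP-issued token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def extract_bearer(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>' (header name is case-insensitive)."""
    for name, values in headers.items():
        if name.lower() != "authorization":
            continue
        value = values[0] if isinstance(values, list) else values
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "bearer" and token.strip():
            return token.strip()
    return None


def verify_local(token: str, key: bytes = DEMO_HS256_KEY, now=None) -> Optional[dict]:
    """Verify signature, issuer and expiry locally; None means 'cannot trust this token'."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never accept 'none' or an unexpected alg from the token itself.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # malformed token, bad base64, bad JSON (all subclasses of ValueError)
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(headers: dict, allowed_emails: set,
              introspect: Optional[Callable[[str], dict]] = None, now=None):
    """Return (status, reason): 401 when no trustworthy token, 403 when the ACL denies."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "no bearer token in Authorization header"
    claims = verify_local(token, now=now)
    if claims is None and introspect is not None:
        # Fallback for tokens whose signature cannot be checked locally:
        # ask the authorization server (RFC 7662) and require active=true.
        result = introspect(token)
        if not result.get("active"):
            return 401, "token rejected by introspection"
        claims = result
    if claims is None:
        return 401, "token signature or claims invalid"
    if claims.get("email") not in allowed_emails:
        return 403, f"email {claims.get('email')!r} not in ACL"
    return 200, "allowed"


def demo():
    """Constructed request shaped like the Grafana log line in the issue."""
    now = 1_705_567_522
    token = mint_demo_token({"iss": EXPECTED_ISSUER, "email": "alice@example.com", "exp": now + 300})
    headers = {
        "Authorization": [f"Bearer {token}"],
        "X-Grafana-Org-Id": ["1"],
        "User-Agent": ["Grafana/10.2.3"],
    }
    return authorize(headers, {"alice@example.com"}, now=now)


if __name__ == "__main__":
    print(demo())
```

The 401/403 split is the diagnostic worth keeping in mind when reading the log above: a 401 with an empty `user_id` means the token was rejected before any identity was established, so the ACL's `match email` never ran. An opaque or org-server-issued Okta access token fails every local check and can only be accepted through introspection, which costs a network round trip per request and needs client credentials, so a real implementation caches introspection results until the token's expiry.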

greenpau commented 8 months ago

@moritz31, this is a nuanced question. This plugin supports Grafana, but it looks like things have changed at Grafana Labs and some new auth features were added. Here is what I can offer. Connect with me on LinkedIn and we will set up a Google Meet to look at your setup together.