eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-27 09:57:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e7fcfb7e67d5df3e8a8a5da170f18fa4c6b98731
authentik/website/integrations/monitoring/grafana/index.mdx
Dominic R f7871d726e website/integrations: grafana: migrate to entitlements (#21676) 
* website/integrations: grafana: migrate to entitlements

* website/integrations: migrate Grafana role mappings to entitlements

* rm

* Add scope

* Add scope

* Update website/integrations/monitoring/grafana/index.mdx

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dominic R <dominic@sdko.org>

---------

Signed-off-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-04-21 14:08:22 +00:00

233 lines
11 KiB
Plaintext
Raw Blame History

---
title: Integrate with Grafana
sidebar_label: Grafana
support_level: authentik
---
## What is Grafana
> Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources, Grafana Enterprise version with additional capabilities is also available. It is expandable through a plug-in system.
>
> -- https://en.wikipedia.org/wiki/Grafana
## Preparation
The following placeholders are used in this guide:
- `grafana.company` is the FQDN of the Grafana installation.
- `authentik.company` is the FQDN of the authentik installation.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Grafana with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://grafana.company/login/generic_oauth`.
- Set the Logout URI to `https://grafana.company/logout`.
- Set the Logout Method to `Front-channel`.
- Select any available signing key.
- Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the display and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Create application entitlements for Grafana roles
Use [application entitlements](/docs/add-secure-apps/applications/manage_apps/#application-entitlements) to represent the Grafana roles that can be assigned to users.
1. Open the Grafana application that you just created in the authentik Admin interface.
2. Click the **Application entitlements** tab.
3. Create the entitlements that you want Grafana to evaluate, such as `Grafana Admins`, `Grafana Editors`, and `Grafana Viewers`.
4. Bind the appropriate users or groups to each entitlement.
:::tip
For this integration, the entitlement names should exactly match the values referenced in Grafana's `role_attribute_path`. This keeps Grafana-specific authorization scoped to the Grafana application instead of relying on global authentik group names.
:::
<details>
<summary>Configure with Terraform</summary>
```hcl
data "authentik_flow" "default-provider-authorization-implicit-consent" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_property_mapping_provider_scope" "scope-email" {
name = "authentik default OAuth Mapping: OpenID 'email'"
}
data "authentik_property_mapping_provider_scope" "scope-profile" {
name = "authentik default OAuth Mapping: OpenID 'profile'"
}
data "authentik_property_mapping_provider_scope" "scope-openid" {
name = "authentik default OAuth Mapping: OpenID 'openid'"
}
data "authentik_property_mapping_provider_scope" "scope-entitlements" {
name = "authentik default OAuth Mapping: OpenID 'entitlements'"
}
resource "authentik_provider_oauth2" "grafana" {
name = "Grafana"
# Required. You can use the output of:
# $ openssl rand -hex 16
client_id = "my_client_id"
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
allowed_redirect_uris = [
{
matching_mode = "strict",
url = "https://grafana.company/login/generic_oauth",
}
]
property_mappings = [
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
data.authentik_property_mapping_provider_scope.scope-entitlements.id,
]
}
resource "authentik_application" "grafana" {
name = "Grafana"
slug = "grafana"
protocol_provider = authentik_provider_oauth2.grafana.id
}
```
</details>
## Grafana configuration
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
<Tabs
defaultValue="docker"
values={[
{label: 'Docker', value: 'docker'},
{label: 'Standalone', value: 'standalone'},
{label: 'Helm', value: 'helm'},
]}>
<TabItem value="docker">
If your Grafana instance is running in Docker, set the following environment variables:
```yaml
environment:
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "<Client ID from above>"
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "<Client Secret from above>"
GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email entitlements"
GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://authentik.company/application/o/authorize/"
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/<application_slug>/end-session/"
# Optionally enable auto-login (bypasses Grafana login screen)
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
# Optionally map user entitlements to Grafana roles
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(entitlements[*], 'Grafana Admins') && 'Admin' || contains(entitlements[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
# Required if Grafana is running behind a reverse proxy
GF_SERVER_ROOT_URL: "https://grafana.company"
```
</TabItem>
<TabItem value="standalone">
If you are using a config-file instead, you have to set these options:
```ini
[auth]
signout_redirect_url = https://authentik.company/application/o/<application_slug>/end-session/
# Optionally enable auto-login
oauth_auto_login = true
[auth.generic_oauth]
name = authentik
enabled = true
client_id = <Client ID from above>
client_secret = <Client Secret from above>
scopes = openid email profile entitlements
auth_url = https://authentik.company/application/o/authorize/
token_url = https://authentik.company/application/o/token/
api_url = https://authentik.company/application/o/userinfo/
# Optionally map user entitlements to Grafana roles
role_attribute_path = contains(entitlements, 'Grafana Admins') && 'Admin' || contains(entitlements, 'Grafana Editors') && 'Editor' || 'Viewer'
```
</TabItem>
<TabItem value="helm">
If you are using a Helm `values.yaml` file instead, you have to set these options:
```yaml
grafana.ini:
auth:
signout_redirect_url: "https://authentik.company/application/o/<application_slug>/end-session/"
oauth_auto_login: true
auth.generic_oauth:
name: authentik
enabled: true
client_id: "<Client ID from above>"
client_secret: "<Client Secret from above>"
scopes: "openid profile email entitlements"
auth_url: "https://authentik.company/application/o/authorize/"
token_url: "https://authentik.company/application/o/token/"
api_url: "https://authentik.company/application/o/userinfo/"
# Optionally map user entitlements to Grafana roles
role_attribute_path: contains(entitlements, 'Grafana Admins') && 'Admin' || contains(entitlements, 'Grafana Editors') && 'Editor' || 'Viewer'
```
:::info
For security reasons you shouldn't inline the client_secret in the values, but use a secret instead. For more information, see https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#how-to-securely-reference-secrets-in-grafanaini
:::
</TabItem>
</Tabs>
### Role Mappings
In the configuration above you can see an example of a role mapping. Upon login, this configuration looks at the `entitlements` claim returned by authentik. If any of the specified entitlement names are found, the user will be granted the resulting role in Grafana.
In the example shown above, one of the specified entitlement names is `Grafana Admins`. If that entitlement is present, the user will be granted the `Admin` role in Grafana.
If `Grafana Admins` is not present, Grafana checks for `Grafana Editors`. If that entitlement is present, the user is granted the `Editor` role. Finally, if neither entitlement is present, it falls back to granting the `Viewer` role.
For more information on role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).
### Grafana Configuration Considerations
To ensure redirects work correctly in Grafana, make sure the `root_url` in your configuration accurately reflects how users access Grafana through your reverse proxy. For example, if your Grafana instance is behind a proxy and accessed at `https://grafana.company`, set `root_url` to `https://grafana.company`. This ensures that OAuth and other redirects use the correct URL, such as `https://grafana.company/login/generic_oauth`, instead of defaulting to something like `localhost:3000`.
If you get `user does not belong to org` error when trying to log into grafana for the first time via OAuth, check if you have an organization with the ID of `1`, if not, then you have to add the following to your grafana config:
```ini
[users]
auto_assign_org = true
auto_assign_org_id = <id-of-your-default-organization>
```
If your first OAuth login fails with a `user.sync` error such as `cannot remove last grafana admin`, verify whether the OAuth user's username or email matches that of an existing local Grafana server admin account. In such cases, Grafana attempts to link the local account to the OAuth user. If the OAuth role mapped to that user is not a server admin, the login can fail because Grafana tries to remove the last remaining server admin account.
For OSS Grafana, the simplest workaround is to create a separate OAuth-backed user first, grant that new user admin access, and only then remove the old local admin account.
If you are configuring Generic OAuth from the Grafana UI instead of a config file, the `Allow assign Grafana admin` toggle is under **Administration** > **Authentication** > **Generic OAuth**.
Its config-file equivalent is `allow_assign_grafana_admin`, or `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN` in Docker-based deployments. This setting is only required if your `role_attribute_path` can return `GrafanaAdmin`; the example role mapping on this page returns `Admin`, `Editor`, or `Viewer`.
Reference in New Issue View Git Blame Copy Permalink