Oauth2 userinfo API

I would like to suggest adding a more “standard” userinfo API for OAuth2 authentication, like many other OAuth2 providers have, e.g.: api_url = https://<okta domain>/oauth2/v1/userinfo

I’m setting up a production Grafana instance which should allow authentication against the Nextcloud user base via its OAuth2 interface. So far it was surprisingly easy to set up: just copy-paste the keys and endpoints. But the problem is that Grafana wants email addresses and we use user IDs.
So far I have coded in grafana.ini:

    enabled = true
    name = OAuth
    allow_sign_up = true
    client_id = ### Nextcloud key ###
    client_secret = ### Nextcloud key ###
    scopes = user:email,read:org
    auth_url = https://SERVER/index.php/apps/oauth2/authorize
    token_url = https://SERVER/index.php/apps/oauth2/api/v1/token
    api_url = https://SERVER/ocs/v2.php/cloud/user?format=json
    allowed_organizations = OwnORG 

(api_url was just a quick try :))
It’s a little bit frustrating how close it went. Grafana redirects nicely to NC and after authentication NC redirects back to Grafana, which then issues an error as it cannot find an email address in NC’s token. Here is the process by which Grafana tries to find the email address:

Grafana will attempt to determine the user’s e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:

  1. Check for the presence of an e-mail address via the email field encoded in the OAuth id_token parameter.
  2. Check for the presence of an e-mail address using the JMESPath specified via the email_attribute_path configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the UserInfo endpoint specified via the api_url configuration option. Note: Only available in Grafana v6.4+.
  3. Check for the presence of an e-mail address in the attributes map encoded in the OAuth id_token parameter. By default Grafana will perform a lookup into the attributes map using the email:primary key, however, this is configurable and can be adjusted by using the email_attribute_name configuration option.
  4. Query the /emails endpoint of the OAuth provider’s API (configured with api_url) and check for the presence of an e-mail address marked as a primary address.
  5. If no e-mail address is found in steps (1-4), then the e-mail address of the user is set to the empty string.

You have the same problem and, when not finding a solution, make a change in the OAuth application and make a pull request with this functionality.

I managed to get that working on stock Nextcloud 19 with Grafana 7. I used the following in the Grafana OAuth config:

    enabled = true
    name = Nextcloud
    allow_sign_up = true
    client_id = <your id>
    client_secret = <your secret>
    scopes = user:email,read:org
    auth_url = https://SERVER/index.php/apps/oauth2/authorize
    token_url = https://SERVER/index.php/apps/oauth2/api/v1/token
    api_url = https://SERVER/ocs/v2.php/cloud/user?format=json&x=
    email_attribute_path = ocs.data.email
    role_attribute_path = contains(ocs.data.groups[*], 'admin') && 'Admin' || contains(ocs.data.groups[*], 'Grafana') && 'Editor' || 'Viewer'
    allowed_organizations =

This assumes members of the groups “admin” or “Grafana” are allowed to edit Grafana dashboards.
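To see what the `email_attribute_path` and `role_attribute_path` settings above resolve to before switching the login on, here is an added Python example (not code from either poster, Grafana or Nextcloud). It mirrors the two lookups in plain Python rather than evaluating JMESPath: `ocs.data.email` is walked as a dotted path, and the role expression is applied with the same precedence JMESPath gives it (`&&` binds tighter than `||`, so an `admin` member wins over a `Grafana` member, and everyone else is a Viewer). The OCS response shape, with `id`, `email` and `groups` under `ocs.data`, is an assumption modelled on the `/ocs/v2.php/cloud/user?format=json` endpoint used in the config; the sample responses are constructed. The check also flags the case from the first post, a user without an email address, which Grafana otherwise turns into an empty string at step 5.

```python
import json

# Constructed sample of an OCS userinfo response for a user who is in both
# groups. The field names under ocs.data are an assumption for this example.
SAMPLE_USERINFO = json.dumps({
    "ocs": {
        "meta": {"status": "ok", "statuscode": 200, "message": "OK"},
        "data": {
            "id": "alice",
            "email": "alice@example.org",
            "groups": ["admin", "Grafana"],
        },
    }
})

# Constructed sample of a user who has no email address set in Nextcloud.
SAMPLE_NO_EMAIL = json.dumps({
    "ocs": {
        "meta": {"status": "ok", "statuscode": 200, "message": "OK"},
        "data": {"id": "bob", "email": "", "groups": ["Grafana"]},
    }
})


def lookup(doc, dotted):
    """Walk a dotted path such as 'ocs.data.email'; None if any key is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def resolve_email(doc):
    """Mirror email_attribute_path = ocs.data.email (Grafana lookup step 2).

    Grafana ends up with an empty string when nothing usable is found (step 5),
    so anything that is not a string is reported the same way here.
    """
    email = lookup(doc, "ocs.data.email")
    return email if isinstance(email, str) else ""


def resolve_role(doc):
    """Mirror the role_attribute_path expression from the config above.

    contains(groups, 'admin') && 'Admin' || contains(groups, 'Grafana') && 'Editor' || 'Viewer'
    """
    groups = lookup(doc, "ocs.data.groups") or []
    if "admin" in groups:
        return "Admin"
    if "Grafana" in groups:
        return "Editor"
    return "Viewer"


def check_userinfo(raw_json):
    """Resolve email and role for one userinfo response and list problems."""
    doc = json.loads(raw_json)
    email = resolve_email(doc)
    role = resolve_role(doc)
    problems = []
    if lookup(doc, "ocs.meta.statuscode") != 200:
        problems.append("OCS statuscode is not 200; Grafana would not get user data")
    if not email:
        problems.append("no email in ocs.data.email; Grafana would store an empty address")
    return {"email": email, "role": role, "problems": problems}


if __name__ == "__main__":
    for sample in (SAMPLE_USERINFO, SAMPLE_NO_EMAIL):
        print(json.dumps(check_userinfo(sample)))
```

Feeding the real JSON from `curl -H "Authorization: Bearer <token>" https://SERVER/ocs/v2.php/cloud/user?format=json` into `check_userinfo` shows, per user, which role the mapping assigns and whether the email lookup would come back empty.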
