Hello,
I would like to suggest adding a more "standard" userinfo API for OAuth2 authentication, like many other OAuth2 providers have, e.g.: api_url = https://<okta domain>/oauth2/v1/userinfo
I'm setting up a production Grafana instance which should allow authentication against the Nextcloud user base via its OAuth2 interface. So far it was surprisingly easy to set up: just copy-paste the keys and endpoints. The problem is that Grafana wants email addresses and we use userids.
So far I have coded in grafana.ini:
(api_url was just a quick try :))
It's a little bit frustrating how close it went. Grafana redirects nicely to NC, and after authentication NC redirects back to Grafana, which then issues an error because it cannot find an email address in NC's token. Here is the process by which Grafana tries to find the email address:
Grafana will attempt to determine the user's e-mail address by querying the OAuth provider as described below, in the following order, until an e-mail address is found:
1. Check for the presence of an e-mail address via the email field encoded in the OAuth id_token parameter.
2. Check for the presence of an e-mail address using the JMESPath specified via the email_attribute_path configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the UserInfo endpoint specified via the api_url configuration option. Note: Only available in Grafana v6.4+.
3. Check for the presence of an e-mail address in the attributes map encoded in the OAuth id_token parameter. By default Grafana will perform a lookup into the attributes map using the email:primary key; however, this is configurable and can be adjusted by using the email_attribute_name configuration option.
4. Query the /emails endpoint of the OAuth provider's API (configured with api_url) and check for the presence of an e-mail address marked as a primary address.
If no e-mail address is found in steps (1-4), then the e-mail address of the user is set to the empty string.
Nice to see some progress finally with this.
I tried pretty much exactly what you suggested @jum, but for some reason it just won't work. Here is my Grafana config:
Adding "&x=" after api_url seemed to help a little bit, but it seems that there is still something not quite right, e.g. userid=0, uname=
I'm using Nextcloud 20 and Grafana 7. Could you happen to have some ideas what to test next, please?
Yes, I have tried putting the email address in all the fields for my test user, but the result is always the same. I'm trying to get a grip on the attribute definitions you have made but am still missing something linking these together:
What input does "x=" expect in api_url?
Is email_attribute_path an actual pointer into the userid JSON structure (ocs: { data { email…) or similar?
The role_attribute_path definition seems to contain actual code (which language?). Will Grafana allow and run code snippets defined in the config file?
The x= is a dummy to ignore some extra arguments that Grafana adds to the query but Nextcloud does not understand. The email attr path is indeed the path to the email field in the api response of Nextcloud. Similarly the role_attribute_path is an expression to enable Grafana Admin for members of the Nextcloud groups.
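For reference, this is what a complete [auth.generic_oauth] section built along the lines described above looks like. It is an added example, not configuration posted in this thread or shipped by Grafana or Nextcloud; the hostname cloud.example.org, the client credentials, the Nextcloud OCS endpoint path and the shape of its JSON response are assumptions to verify against your own installation, and the trailing &x= is the dummy argument explained in the reply above.

```ini
[auth.generic_oauth]
enabled = true
name = Nextcloud
allow_sign_up = true
; client_id / client_secret are issued by Nextcloud under Settings > Security > OAuth 2.0 clients
; (placeholder values, assumed)
client_id = GRAFANA_CLIENT_ID
client_secret = GRAFANA_CLIENT_SECRET
; Nextcloud OAuth2 app endpoints (hostname assumed)
auth_url = https://cloud.example.org/index.php/apps/oauth2/authorize
token_url = https://cloud.example.org/index.php/apps/oauth2/api/v1/token
; Userinfo: Nextcloud's OCS "current user" endpoint with format=json so the body is JSON,
; plus the "&x=" dummy so the extra arguments Grafana appends end up in a parameter Nextcloud ignores
api_url = https://cloud.example.org/ocs/v1.php/cloud/user?format=json&x=
; JMESPath expressions evaluated over the OCS response, assumed to look like
; {"ocs":{"data":{"id":"alice","display-name":"Alice","email":"alice@example.org","groups":["admin"]}}}
email_attribute_path = ocs.data.email
login_attribute_path = ocs.data.id
name_attribute_path = ocs.data."display-name"
; JMESPath, not executable code: Grafana Admin for members of the Nextcloud "admin" group,
; Viewer for everyone else
role_attribute_path = contains(ocs.data.groups[*], 'admin') && 'Admin' || 'Viewer'
```

Before enabling the login button, fetch api_url with curl and an access token obtained from Nextcloud (Authorization: Bearer <token>) and confirm that the response actually contains ocs.data.email and ocs.data.groups; Nextcloud's OCS endpoints may also insist on an OCS-APIRequest: true header that Grafana's generic OAuth client does not send, so check that the request succeeds without it. A user with no e-mail set in Nextcloud still ends up with an empty e-mail in Grafana, since the email_attribute_path lookup is only one of the steps listed earlier in the thread and the fallback is the empty string.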
Hello,
I never got it working correctly. I managed to get the Nextcloud OAuth button onto the Grafana login screen, but then the result was what I mentioned before. After searching and reading quite a lot about the Nextcloud OAuth service I got the feeling that it won't age well. It seems that it was implemented a long time ago and has not had many updates since. I also remember seeing something about it not being supported in the future, or something like that (not 100% sure of this anymore). As the services I was building back then are now in production and used somewhat heavily, I decided to forget this route. Currently we have separate accounts in Grafana and Nextcloud. One self-built application is using the Nextcloud OAuth service, but the authentication part will probably soon migrate to GCP.
It's a pity; the Nextcloud user management was easy to use and just enough for us. Now we need to implement a much heavier system to get some small features working, e.g. this OAuth service authentication.
Hi @jum , do you happen to have the settings that you adjusted to get this to work? Would really like to get this to work for a number of applications, the built-in OAuth2 is basically useless!