I would like to suggest adding a more “standard” userinfo API for OAuth2 authentication, like many other OAuth2 providers have, e.g.:
api_url = https://<okta domain>/oauth2/v1/userinfo
I’m setting up a production Grafana instance which should allow authentication against the Nextcloud user base via its OAuth2 interface. So far it was surprisingly easy to set up: just copy-paste the keys and endpoints. The problem is that Grafana wants email addresses and we use user IDs.
So far I have configured in grafana.ini:

[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = ### Nextcloud key ###
client_secret = ### Nextcloud key ###
scopes = user:email,read:org
auth_url = https://SERVER/index.php/apps/oauth2/authorize
token_url = https://SERVER/index.php/apps/oauth2/api/v1/token
api_url = https://SERVER/ocs/v2.php/cloud/user?format=json
allowed_organizations = OwnORG
(api_url was just a quick try :))
It’s a little bit frustrating how close it came. Grafana redirects nicely to NC, and after authentication NC redirects back to Grafana, which then issues an error as it cannot find an email address in NC’s token. Here is the process by which Grafana tries to find the email address:
Grafana will attempt to determine the user’s e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:
- Check for the presence of an e-mail address via the email field encoded in the OAuth id_token parameter.
- Check for the presence of an e-mail address using the JMESPath specified via the email_attribute_path configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the UserInfo endpoint specified via the api_url configuration option. Note: Only available in Grafana v6.4+.
- Check for the presence of an e-mail address in the attributes map encoded in the OAuth id_token parameter. By default Grafana will perform a lookup into the attributes map using the email:primary key, however, this is configurable and can be adjusted by using the email_attribute_name configuration option.
- Query the /emails endpoint of the OAuth provider’s API (configured with api_url) and check for the presence of an e-mail address marked as a primary address.
- If no e-mail address is found in steps (1-4), then the e-mail address of the user is set to the empty string.
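To make the quoted lookup order concrete, here is an added Python example that is not part of the post, of Grafana, or of Nextcloud. It walks the four steps against constructed sample data: an unsigned JWT-shaped id_token (no signature is verified here; a real client must verify before trusting any claim), a userinfo document shaped like the OCS `cloud/user` response, and a GitHub-style `/emails` list. The `ocs.data.email` path is an assumption about where the OCS endpoint puts the address, and the dotted-path helper is a deliberately minimal stand-in for JMESPath (only plain `a.b.c` keys, no filters or projections).

```python
import base64
import json


def make_unsigned_token(claims):
    """Build a compact JWT-shaped string for the demo only (constructed, no real signature)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed-signature"


def decode_jwt_payload(id_token):
    """Return the claims of a compact JWT *without* verifying its signature.

    This only mirrors how the lookup reads claims; signature and issuer checks
    belong in the OAuth client before these claims are used for anything.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return {}
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lookup_path(obj, path):
    """Minimal dotted-path lookup standing in for a JMESPath expression such as 'ocs.data.email'."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def resolve_email(id_token, userinfo, emails,
                  email_attribute_path="", email_attribute_name="email:primary"):
    """Apply the documented order; returns (email, step), step 0 meaning nothing was found."""
    claims = decode_jwt_payload(id_token) if id_token else {}

    # 1. plain `email` claim in the id_token
    value = claims.get("email")
    if isinstance(value, str) and value:
        return value, 1

    # 2. email_attribute_path evaluated against the api_url (UserInfo) response
    if email_attribute_path and userinfo is not None:
        value = lookup_path(userinfo, email_attribute_path)
        if isinstance(value, str) and value:
            return value, 2

    # 3. `attributes` map in the id_token, keyed by email_attribute_name
    attrs = claims.get("attributes")
    if isinstance(attrs, dict):
        value = attrs.get(email_attribute_name)
        if isinstance(value, list) and value:  # providers often send a list of strings
            value = value[0]
        if isinstance(value, str) and value:
            return value, 3

    # 4. /emails endpoint: first entry flagged as primary
    for entry in emails or []:
        if isinstance(entry, dict) and entry.get("primary") and entry.get("email"):
            return entry["email"], 4

    # 5. nothing found: Grafana sets the address to the empty string
    return "", 0


# Constructed sample data: mimics the shape of the OCS cloud/user reply, not a captured response.
NEXTCLOUD_USERINFO = {
    "ocs": {
        "meta": {"status": "ok", "statuscode": 200},
        "data": {"id": "jdoe", "displayname": "Jane Doe", "email": "jdoe@example.org"},
    }
}


def demo():
    """Show the case from the post: no email claim in the token, address only in the userinfo JSON."""
    token = make_unsigned_token({"sub": "jdoe"})
    without_path = resolve_email(token, NEXTCLOUD_USERINFO, [])
    with_path = resolve_email(token, NEXTCLOUD_USERINFO, [], email_attribute_path="ocs.data.email")
    return without_path, with_path


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes side by side: with `email_attribute_path` unset the resolver falls through every step and returns the empty string, while pointing it at `ocs.data.email` succeeds at step 2, which is the knob Grafana v6.4+ exposes for providers whose userinfo layout is not flat.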