Managed Service for Grafana supports the OAuth 2.0 protocol for user authentication and application authorization. You can configure third-party applications to log on to Grafana by using OAuth. This topic uses an Alibaba Cloud system as an example.
Background
OAuth (Open Authorization) is an open protocol that provides secure authorization for web, mobile, and desktop applications. Authorized applications can access protected information without requiring user credentials. For more information, see the official OAuth documentation.
After authorization, your self-managed systems can access information in a managed Grafana workspace. This topic uses an Alibaba Cloud system as an example to demonstrate OAuth-based logon to a managed Grafana workspace. To authorize other product accounts, see the official Grafana documentation.
How it works
The following procedure uses an Alibaba Cloud system to simulate the authorization system shown in the diagram. The configurations are for reference only. Your actual system configuration must comply with the OAuth 2.0 standard.
Step 1: Create an application
-
Log on to the RAM console with your Alibaba Cloud account.
-
In the left-side navigation pane, choose .
-
On the Enterprise Applications tab, click Create Application.
-
In the Create Application panel, configure the application parameters.
-
Enter an Application Name and a Display name.
-
Select an Application Type based on the following descriptions.
Application type
Description
WebApp
A web-based application that runs in a browser.
NativeApp
A native application that runs on a desktop or mobile operating system.
ServerApp
An application that accesses Alibaba Cloud services directly, without requiring user logon. This application type currently supports only applications that use the SCIM protocol for user synchronization.
-
Set the Access Token Validity Period.
The validity period can range from 900 seconds (15 minutes) to 10,800 seconds (3 hours). The default is 3,600 seconds.
-
For WebApp and NativeApp types, configure Refresh Token Validity Period and Callback URL.
-
The validity period for a refresh token can range from 7,200 seconds (2 hours) to 31,536,000 seconds (1 year). The default is 2,592,000 seconds.
-
The callback URL is the Grafana workspace endpoint followed by the
/login/generic_oauthsuffix. For example:http://[Grafana-endpoint:port]/login/generic_oauth. You can find the Grafana workspace endpoint and port on the Workspace Information page. For more information, see Create and manage a Grafana workspace.
-
-
-
Click Save.
Step 2: Add a scope
-
On the Enterprise Applications tab, click the name of your application.
NoteOn the application details page, you can find the application ID in the Basic Information section. This ID is required for Step 4.
-
On the Application OAuth Scopes tab, click Add OAuth Scopes.
-
In the Add OAuth Scopes panel, select the profile scope.
-
Click OK.
Step 3: Create a secret
-
On the application details page, click the App Secrets tab, and then click Create Secret.
-
In the Create App Secret dialog box, view and Copy the application secret, and then click close.
Important-
The application secret is visible only at the time of creation and cannot be retrieved later. Save it in a secure location.
-
You can create a maximum of two application secrets for each application.
-
Step 4: Modify workspace parameters
-
Log on to the Managed Service for Grafana console. In the left-side navigation pane, click Workspace Management.
-
On the Workspace Management page, click the ID of the workspace that you want to manage.
-
In the left-side navigation pane, click Parameter Settings.
-
From the parameter list on the left, select auth.generic_oauth and click Modify Parameters.
-
In the Runtime Parameters column, modify the configuration as shown in the following code block, and then click Save and Apply.
name = Alibaba enabled = true allow_sign_up = true client_id = <application_id> // You can find the application ID on the Basic Information page of the application in the RAM console. client_secret = <application_secret> // The application secret created in Step 3. scopes = openid profile auth_url = https://signin.aliyun.com/oauth2/v1/auth token_url = https://oauth.aliyun.com/v1/token api_url = https://oauth.aliyun.com/v1/userinfo email_attribute_path=login_name -
From the parameter list on the left, select server and click Modify Parameters.
-
In the Runtime Parameters column, modify the configuration as shown in the following code block, and then click Save and Apply.
root_url = http://[Grafana-endpoint:port]NoteYou can find the Grafana workspace endpoint and port on the Workspace Information page.