All Products
Search
Document Center

Managed Service for Grafana:Configure OAuth-based logon for Grafana

Last Updated:Jun 16, 2026

Managed Service for Grafana supports the OAuth 2.0 protocol for user authentication and application authorization. You can configure third-party applications to log on to Grafana by using OAuth. This topic uses an Alibaba Cloud system as an example.

Background

OAuth (Open Authorization) is an open protocol that provides secure authorization for web, mobile, and desktop applications. Authorized applications can access protected information without requiring user credentials. For more information, see the official OAuth documentation.

After authorization, your self-managed systems can access information in a managed Grafana workspace. This topic uses an Alibaba Cloud system as an example to demonstrate OAuth-based logon to a managed Grafana workspace. To authorize other product accounts, see the official Grafana documentation.

How it works

image

The following procedure uses an Alibaba Cloud system to simulate the authorization system shown in the diagram. The configurations are for reference only. Your actual system configuration must comply with the OAuth 2.0 standard.

Step 1: Create an application

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Integrated Management > OAuth Applications Preview.

  3. On the Enterprise Applications tab, click Create Application.

  4. In the Create Application panel, configure the application parameters.

    1. Enter an Application Name and a Display name.

    2. Select an Application Type based on the following descriptions.

      Application type

      Description

      WebApp

      A web-based application that runs in a browser.

      NativeApp

      A native application that runs on a desktop or mobile operating system.

      ServerApp

      An application that accesses Alibaba Cloud services directly, without requiring user logon. This application type currently supports only applications that use the SCIM protocol for user synchronization.

    3. Set the Access Token Validity Period.

      The validity period can range from 900 seconds (15 minutes) to 10,800 seconds (3 hours). The default is 3,600 seconds.

    4. For WebApp and NativeApp types, configure Refresh Token Validity Period and Callback URL.

      • The validity period for a refresh token can range from 7,200 seconds (2 hours) to 31,536,000 seconds (1 year). The default is 2,592,000 seconds.

      • The callback URL is the Grafana workspace endpoint followed by the/login/generic_oauth suffix. For example: http://[Grafana-endpoint:port]/login/generic_oauth. You can find the Grafana workspace endpoint and port on the Workspace Information page. For more information, see Create and manage a Grafana workspace.

  5. Click Save.

Step 2: Add a scope

  1. On the Enterprise Applications tab, click the name of your application.

    Note

    On the application details page, you can find the application ID in the Basic Information section. This ID is required for Step 4.

  2. On the Application OAuth Scopes tab, click Add OAuth Scopes.

  3. In the Add OAuth Scopes panel, select the profile scope.

  4. Click OK.

Step 3: Create a secret

  1. On the application details page, click the App Secrets tab, and then click Create Secret.

  2. In the Create App Secret dialog box, view and Copy the application secret, and then click close.

    Important
    • The application secret is visible only at the time of creation and cannot be retrieved later. Save it in a secure location.

    • You can create a maximum of two application secrets for each application.

Step 4: Modify workspace parameters

  1. Log on to the Managed Service for Grafana console. In the left-side navigation pane, click Workspace Management.

  2. On the Workspace Management page, click the ID of the workspace that you want to manage.

  3. In the left-side navigation pane, click Parameter Settings.

  4. From the parameter list on the left, select auth.generic_oauth and click Modify Parameters.

  5. In the Runtime Parameters column, modify the configuration as shown in the following code block, and then click Save and Apply.

    name = Alibaba
    enabled = true
    allow_sign_up = true
    client_id = <application_id>      // You can find the application ID on the Basic Information page of the application in the RAM console.
    client_secret = <application_secret> // The application secret created in Step 3.
    scopes = openid profile
    auth_url = https://signin.aliyun.com/oauth2/v1/auth
    token_url = https://oauth.aliyun.com/v1/token
    api_url = https://oauth.aliyun.com/v1/userinfo
    email_attribute_path=login_name
  6. From the parameter list on the left, select server and click Modify Parameters.

  7. In the Runtime Parameters column, modify the configuration as shown in the following code block, and then click Save and Apply.

    root_url = http://[Grafana-endpoint:port]
    Note

    You can find the Grafana workspace endpoint and port on the Workspace Information page.