We currently use Caddy together with basic auth to protect some of our Prometheus datasources.
Grafana has a feature called Forward OAuth Identity, where the server requests the datasource by proxying the Authorization header from your OAuth2 session.
Would it be possible for caddy-security to authorize these calls?
Tried it with the following config but get an unauthorized from Caddy:

```
authorization policy mypolicy {
  set auth url http://localhost:8080/oaut2/okta
  validate bearer header
  disable auth redirect
  acl rule {
    comment Test
    match email xxx
    allow
    log debug
  }
}
```

Request from Grafana looks like this:

```json
{"level":"error","ts":1705567522.9418292,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"","remote_port":"37956","client_ip":"","proto":"HTTP/1.1","method":"GET","host":"caddy:8080","uri":"/api/v1/status/buildinfo","headers":{"X-Id-Token":["TOKEN"],"Accept-Encoding":["gzip"],"User-Agent":["Grafana/10.2.3"],"Authorization":["Bearer TOKEN"],"X-Datasource-Uid":["faac24e5-b2c5-4723-87c8-28aaefff61a7"],"X-Grafana-Org-Id":["1"]}},"bytes_read":0,"user_id":"","duration":0.000051834,"size":0,"status":401,"resp_headers":{"Server":["Caddy"]}}
```
@moritz31, this is a nuanced question. This plugin supports Grafana, but it looks like things have changed at Grafana Labs and some new auth features were added. Here is what I can offer: connect with me on LinkedIn and we will set up a Google Meet to look at your setup together.
If this would work, there could be a second issue: to verify the signature of the JWT, Caddy has to go against the introspect endpoint and not against the JWKS endpoint as it does by default.
https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US
Could this work? Or can this maybe be easily implemented?
Regards
Moritz
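To make the introspection route concrete, here is an added example (not code from caddy-security or from the issue author) of an authorizer that takes the forwarded `Authorization: Bearer` header as logged above, asks the authorization server via RFC 7662 token introspection instead of checking a JWS signature against JWKS, and then applies an email ACL like the `match email` rule in the config. The Okta issuer URL, client credentials, and the assumption that the subject's email arrives in an `email` or `username` claim are all hypothetical; the introspection answers used for the run are constructed inline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional


def extract_bearer(headers: dict) -> Optional[str]:
    """Pull the token out of a multi-valued Authorization header as Caddy logs it."""
    for value in headers.get("Authorization", []):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "bearer" and token.strip():
            return token.strip()
    return None


def okta_introspect(issuer: str, client_id: str, client_secret: str) -> Callable[[str], dict]:
    """Build an RFC 7662 call to <issuer>/v1/introspect (needs network; not used by the offline run)."""
    url = issuer.rstrip("/") + "/v1/introspect"   # assumption: issuer like https://ORG.okta.com/oauth2/default
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def call(token: str) -> dict:
        body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
        req = urllib.request.Request(url, data=body,
                                     headers={"Authorization": "Basic " + basic, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return call


def authorize(headers: dict, introspect: Callable[[str], dict], allowed_emails: set, now: Optional[float] = None):
    """Allow only active, unexpired tokens whose subject email is on the ACL; returns (allowed, reason)."""
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        return False, "missing bearer token"
    info = introspect(token)                 # opaque token: the AS decides, no local signature check
    if not info.get("active"):
        return False, "token inactive"       # RFC 7662: an inactive answer carries no trustworthy claims
    if "exp" in info and float(info["exp"]) <= now:
        return False, "token expired"
    email = info.get("email") or info.get("username")   # assumption: identity in `email` or Okta `username`
    if email not in allowed_emails:
        return False, f"{email!r} not permitted"
    return True, email


# Constructed offline stand-in for the introspection endpoint, keyed by opaque token value.
FAKE_NOW = 1705567522.0                      # the `ts` of the logged Grafana request
FAKE_AS = {"TOKEN": {"active": True, "username": "moritz@example.org", "exp": FAKE_NOW + 600},
           "OLD":   {"active": True, "username": "moritz@example.org", "exp": FAKE_NOW - 1}}
fake_introspect = lambda tok: FAKE_AS.get(tok, {"active": False})
GRAFANA_HEADERS = {"Authorization": ["Bearer TOKEN"], "X-Id-Token": ["TOKEN"], "User-Agent": ["Grafana/10.2.3"]}
```

Caching introspection results for at most the token's remaining lifetime keeps the per-request round trip off the datasource path; the ACL must still be re-evaluated on every request.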