Grafana配置Cognito身份验证。

huangapple go评论71阅读模式
英文:

Grafana configure Cognito Authentication

问题

我在AWS上有两个Grafana EC2实例,后面是一个ALB。
现在我想要使用AWS Cognito配置访问。

我尝试将grafana.ini设置如下:

[server]
protocol = http
#domain = grafana.mydomain.com
root_url = https://grafana.mydomain.com
serve_from_sub_path = true

[auth.generic_oauth]
enabled = true
allow_sign_up = true
auto_login = false
client_id = xxxxxxxxxxxxxxxxxxxxxxxxxxx
client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_pool_id = eu-west-1_xxxxxxxxx
auth_url = https://myapp.auth.eu-west-1.amazoncognito.com/auth2/authorize
token_url = https://myapp.auth.eu-west-1.amazoncognito.com/oauth2/token
region = eu-west-1
allow_sign_up = false
allowed_groups = "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-read", "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-admin"
role_attribute_path = contains(info.roles[*], 'grafana-admin') && 'Admin' || contains(info.roles[*], 'grafana-read') && 'Editor' || 'Viewer'

当我尝试通过浏览器连接到ALB时:
https://grafana.mydomain.com/generic_oauth/login 我收到以下错误:

https://myapp.auth.eu-west-1.amazoncognito.com/error?error=redirect_mismatch&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxx
英文:

I have on AWS two Grafana EC2 instances back an ALB.
Now I would configure access using AWS Cognito.

I'm trying to set grafana.ini as below:

[server]
protocol = http
#domain = grafana.mydomain.com
root_url = https://grafana.mydomain.com
serve_from_sub_path = true

[auth.generic_oauth]
enabled = true
allow_sign_up = true
auto_login = false
client_id = xxxxxxxxxxxxxxxxxxxxxxxxxxx
client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_pool_id = eu-west-1_xxxxxxxxx
auth_url = https://myapp.auth.eu-west-1.amazoncognito.com/auth2/authorize
token_url = https://myapp.auth.eu-west-1.amazoncognito.com/oauth2/token
region = eu-west-1
allow_sign_up = false
allowed_groups = "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-read", "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-admin"
role_attribute_path = contains(info.roles[*], 'grafana-admin') && 'Admin' || contains(info.roles[*], 'grafana-read') && 'Editor' || 'Viewer'

When I try to connect to ALB by browser on:
https://grafana.mydomain.com/generic_oauth/login I receive the error:

https://myapp.auth.eu-west-1.amazoncognito.com/error?error=redirect_mismatch&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxx

答案1

得分: 1

你遇到了Cognito的redirect_mismatch错误。这意味着你没有正确配置Cognito客户端。我猜问题出在回调URL的错误配置上。你会在向Cognito发出的授权请求中看到请求的URI(在重定向的GET参数中 - 这是由Grafana生成的)。

英文:

You have Cognito redirect_mismatch error. That means you didn't configure Cognito client correctly. I bet problem is misconfigured callback URLs. You will see requested URI in the auth request to Cognito (there is redirect get parameter - it is generated by Grafana).

答案2

得分: 1

尝试此回调URL:

https://grafana.mydomain.com/login/generic_oauth

而不是:

https://grafana.mydomain.com/generic_oauth/login 

还要在grafana.ini中添加auth_uri参数:

auth_url:https://{domain}.auth.${region}.amazoncognito.com/oauth2/authorize

希望这对你有帮助。

英文:

try this callback url

https://grafana.mydomain.com/login/generic_oauth

Instead of:

https://grafana.mydomain.com/generic_oauth/login 

Also add auth_uri parameter to grafana.ini:

 auth_url:https://{domain}.auth.${region}.amazoncognito.com/oauth2/authorize

Hope this would help you.

huangapple
  • 本文由 发表于 2023年7月4日 20:17:05
  • 转载请务必保留本文链接:https://go.coder-hub.com/76612526.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定