Grafana configure Cognito Authentication

Question


I have two Grafana EC2 instances on AWS behind an ALB.
Now I would like to configure access using AWS Cognito.

I'm trying to set grafana.ini as below:

[server]
protocol = http
#domain = grafana.mydomain.com
root_url = https://grafana.mydomain.com
serve_from_sub_path = true

[auth.generic_oauth]
enabled = true
allow_sign_up = true
auto_login = false
client_id = xxxxxxxxxxxxxxxxxxxxxxxxxxx
client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_pool_id = eu-west-1_xxxxxxxxx
auth_url = https://myapp.auth.eu-west-1.amazoncognito.com/auth2/authorize
token_url = https://myapp.auth.eu-west-1.amazoncognito.com/oauth2/token
region = eu-west-1
allow_sign_up = false
allowed_groups = "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-read", "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-admin"
role_attribute_path = contains(info.roles[*], 'grafana-admin') && 'Admin' || contains(info.roles[*], 'grafana-read') && 'Editor' || 'Viewer'

When I try to connect to the ALB from a browser at:
https://grafana.mydomain.com/generic_oauth/login I receive the error:

https://myapp.auth.eu-west-1.amazoncognito.com/error?error=redirect_mismatch&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxx

Answer 1

Score: 1

You have a Cognito redirect_mismatch error. That means you didn't configure the Cognito client correctly. I bet the problem is misconfigured callback URLs. You will see the requested URI in the auth request to Cognito (there is a redirect GET parameter - it is generated by Grafana).

Answer 2

Score: 1

Try this callback URL:

https://grafana.mydomain.com/login/generic_oauth

Instead of:

https://grafana.mydomain.com/generic_oauth/login

Also add the auth_uri parameter to grafana.ini:

auth_url:https://{domain}.auth.${region}.amazoncognito.com/oauth2/authorize

Hope this helps you.
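As an added diagnostic, not part of either answer above and not a Grafana or AWS tool, the Python script below ties the two answers together: it derives the redirect_uri Grafana sends to Cognito from `root_url` (Grafana appends `/login/generic_oauth`, the path answer 2 gives), compares it with the callback URLs registered on the Cognito app client the way Cognito does (an exact, case-sensitive string match, which is why `/generic_oauth/login`, a trailing slash or an `http://` scheme all produce `redirect_mismatch`), extracts the `redirect_uri` parameter from the authorize request that answer 1 says to inspect, and flags the `/auth2/authorize` path typo in the question's `auth_url`. The hostnames are the placeholders from the question; all function names and the sample values in the `__main__` block are constructed for this example.

```python
"""Diagnose a Cognito redirect_mismatch for a Grafana [auth.generic_oauth] setup.

Added example: the helper names here are this example's own, not Grafana's API.
"""
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Path Grafana appends to root_url for the generic OAuth callback (see answer 2).
GRAFANA_CALLBACK_PATH = "/login/generic_oauth"
# Hosted-UI authorize endpoint path served by Cognito (the question had /auth2/).
COGNITO_AUTHORIZE_PATH = "/oauth2/authorize"


def grafana_redirect_uri(root_url: str) -> str:
    """Return the redirect_uri Grafana will send to Cognito for a given root_url."""
    return root_url.rstrip("/") + GRAFANA_CALLBACK_PATH


def check_callbacks(redirect_uri: str, registered: List[str]) -> List[str]:
    """Compare Grafana's redirect_uri with the callback URLs registered on the
    Cognito app client. Cognito requires an exact, case-sensitive match, so an
    empty list means one registered URL matches; otherwise one reason per
    registered URL explains which component differs."""
    if redirect_uri in registered:
        return []
    want = urlsplit(redirect_uri)
    reasons = []
    for cand in registered:
        got = urlsplit(cand)
        if got.scheme != want.scheme:
            reasons.append(f"{cand}: scheme {got.scheme!r} != {want.scheme!r}")
        elif got.netloc != want.netloc:
            reasons.append(f"{cand}: host {got.netloc!r} != {want.netloc!r}")
        elif got.path.rstrip("/") == want.path.rstrip("/"):
            reasons.append(f"{cand}: trailing slash differs (Cognito matches exactly)")
        elif got.path != want.path:
            reasons.append(f"{cand}: path {got.path!r} != {want.path!r}")
        else:
            reasons.append(f"{cand}: query or fragment differs")
    return reasons


def check_auth_url(auth_url: str) -> Optional[str]:
    """Return a problem description if auth_url does not point at the Cognito
    hosted-UI authorize endpoint, else None."""
    path = urlsplit(auth_url).path
    if path != COGNITO_AUTHORIZE_PATH:
        return f"auth_url path is {path!r}, expected {COGNITO_AUTHORIZE_PATH!r}"
    return None


def redirect_uri_from_authorize_request(url: str) -> Optional[str]:
    """Extract redirect_uri from the authorize request the browser sends to
    Cognito (the first hop after /login/generic_oauth), as answer 1 suggests."""
    vals = parse_qs(urlsplit(url).query).get("redirect_uri")
    return vals[0] if vals else None


if __name__ == "__main__":
    # Constructed sample: the question's root_url and a callback registered with
    # the path segments in the wrong order, plus the question's auth_url typo.
    root_url = "https://grafana.mydomain.com"
    registered = ["https://grafana.mydomain.com/generic_oauth/login"]
    auth_url = "https://myapp.auth.eu-west-1.amazoncognito.com/auth2/authorize"

    redirect_uri = grafana_redirect_uri(root_url)
    print("Grafana will send redirect_uri =", redirect_uri)
    for reason in check_callbacks(redirect_uri, registered):
        print("callback mismatch:", reason)
    problem = check_auth_url(auth_url)
    if problem:
        print("auth_url problem:", problem)
```

Run it with the real `root_url`, the callback URLs from the Cognito app client settings and the `auth_url` from grafana.ini; an empty mismatch list and no auth_url problem means the `redirect_mismatch` error must come from somewhere other than these two settings.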

huangapple
  • This post was published on 4 July 2023 20:17:05
  • When reposting, please keep the link to this post: https://go.coder-hub.com/76612526.html