Integrate Grafana Enterprise Logs with an existing OAuth
Grafana Enterprise Logs (GEL) supports the OpenID Connect (OIDC) core standard to validate tokens. This allows you to integrate GEL with an existing OAuth token provider at your organization.
To support OIDC, provide a URL in the auth.admin.oidc.url setting. This corresponds to the jwks_uri field in the JSON object found at the OpenID Connect Discovery endpoints such as https://<example.com>/.well-known/openid-configuration.
A JWT is included as the password in HTTP basic authentication or as part of a bearer token in bearer authentication. The bearer token should have two parts separated by a colon (:). The first part is the tenant ID. The second part is the JWT.
The JWT is validated against the keys served at the URL specified above. If it is valid, an access policy name is extracted. The regular expression in auth.admin.oidc.access_policy_regex is run against the JWT claim field specified in auth.admin.oidc.access_policy_claim.
A sub-match has to be present to extract the access policy. Only the first sub-match is used. You can use the regular expression (.*) to capture the whole claim field.
The regular expression syntax is RE2.
Example OAuth configuration
To use OIDC, specify the auth.type as enterprise. Here is an example auth section:
auth:
  type: enterprise
  admin:
    oidc:
      url: http://127.0.0.1:5556/dex/keys
      access_policy_claim: "sub"
      access_policy_regex: "pref-([0-9]+)-.*"
Here is an example payload section of a valid JWT:
{
  "sub": "pref-1234567890-abc",
  "name": "John Doe",
  "admin": true
}
The extracted access policy is 1234567890.
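The extraction step described above can be reproduced offline to test a regular expression before deploying it. This is an added example, not code from Grafana Enterprise Logs: extractAccessPolicy and sampleCredential are hypothetical names, the token is constructed and unsigned, the credential is split at its last colon as an assumption, and signature validation against the JWKS URL is not performed. Go is used because its regexp package implements RE2 syntax.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// extractAccessPolicy is a hypothetical helper (not GEL code): it splits
// "<tenant ID>:<JWT>", reads one payload claim and returns the first sub-match.
// Signature validation against the JWKS URL is out of scope and NOT done here.
func extractAccessPolicy(cred, claim string, re *regexp.Regexp) (string, string, error) {
	i := strings.LastIndex(cred, ":") // assumption: a JWT has no ':', so the last one separates
	if i <= 0 {
		return "", "", errors.New("credential is not <tenant ID>:<JWT>")
	}
	seg := strings.Split(cred[i+1:], ".")
	if len(seg) != 3 {
		return "", "", errors.New("JWT must have header, payload and signature")
	}
	var claims map[string]interface{}
	dec := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(seg[1]))
	if err := json.NewDecoder(dec).Decode(&claims); err != nil {
		return "", "", fmt.Errorf("payload: %w", err)
	}
	value, ok := claims[claim].(string)
	if !ok {
		return "", "", fmt.Errorf("claim %q is missing or not a string", claim)
	}
	m := re.FindStringSubmatch(value) // m[0] is the whole match, m[1] the first group
	if len(m) < 2 {
		return "", "", errors.New("no match, or the pattern has no sub-match")
	}
	return cred[:i], m[1], nil
}

// sampleCredential builds a constructed token with a placeholder signature.
func sampleCredential(sub string) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload := fmt.Sprintf(`{"sub":%q,"name":"John Doe","admin":true}`, sub)
	return "tenant1:" + enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc([]byte(payload)) + ".sig"
}

func main() {
	fmt.Println(extractAccessPolicy(sampleCredential("pref-1234567890-abc"), "sub", regexp.MustCompile("pref-([0-9]+)-.*")))
}
```

In this sketch the match is unanchored, so a claim value of xpref-1-a also yields a policy with the example pattern. The page does not say whether GEL anchors the expression, so writing it as ^pref-([0-9]+)-.*$ removes the ambiguity.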