---
title: "Integrate OAuth | Grafana Enterprise Traces documentation"
description: "Integrate GET with an existing OAuth Grafana Enterprise Traces (GET) supports the OpenID Connect (OIDC) core standard to validate tokens. This allows you to integrate GET with an existing OAuth token provider at your organization."
---

# Integrate GET with an existing OAuth

Grafana Enterprise Traces (GET) supports the [**OpenID Connect (OIDC)**](https://openid.net/specs/openid-connect-core-1_0.html) core standard to validate tokens. This allows you to integrate GET with an existing OAuth token provider at your organization.

> Note
> 
> If you have existing access policies and enable OAuth integration, only the OIDC tokens will be supported. You may need to make adjustments in the clients that are sending the traces.

To support OIDC, provide a URL in the `auth.admin.oidc.url` setting. This corresponds to the `jwks_uri` field in the JSON object found at the [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) endpoints such as `https://<example.com>/.well-known/openid-configuration`.

A JWT is included as the password in HTTP basic authentication or as part of a bearer token in bearer authentication. The bearer token should have two parts separated by a `:`. The first part is the tenant ID. The second part is the JWT.

The JWT is validated against the URL specified above. If it’s valid, then an access policy name is extracted. The regular expression in `auth.admin.oidc.access_policy_regex` is run against the JWT claim field specified in `auth.admin.oidc.access_policy_claim`.

A sub-match has to be present to extract the access policy. Only the first sub-match is used. You can use the regular expression `(.*)` for the whole claim field.

The regular expression syntax is [RE2](https://github.com/google/re2/wiki/Syntax).

## Example OAuth configuration

To use OIDC specify the `auth.type` as `enterprise`. Here is an example auth section:

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
auth:
  type: enterprise
  admin:
    oidc:
      url: http://127.0.0.1:5556/dex/keys
      access_policy_claim: "sub"
      access_policy_regex: "pref-([0-9]+)-.*"
```

Here is an example payload section of a valid JWT:

JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```json
{
  "sub": "pref-1234567890-abc",
  "name": "John Doe",
  "admin": true
}
```

The extracted access policy is `1234567890`.