Configure Open Authorization

Configure OAuth

You can configure Open Authorization (OAuth2) to allow users to log in with their Google, GitHub, or Azure AD accounts. If you would like to use a provider that is not listed, contact Support.

Configure OAuth with Google

To configure OAuth2 using Google Cloud, you must register an application and create a Google OAuth client. You can then enable the client on your Grafana Cloud instance.

Create a Google OAuth client

  1. Go to the Google Cloud Platform API page.
  2. Agree to the Terms of Service.
  3. Create a project. Enter a project name. The Organization and Location fields should both be set to grafana.com.
  4. In OAuth consent screen select the External User Type. Click CREATE.
  5. Fill out the requested information using the URL of your Grafana Cloud instance.
  6. Accept the defaults, or customize the consent screen options.
  7. Click + CREATE CREDENTIALS and select OAuth client ID. Enter the following, substituting your instance URL where appropriate:
    • Application Type: Web application
    • Name: Grafana
    • Authorized JavaScript origins: https://<YOUR_GRAFANA_URL>
    • Authorized redirect URIs: https://<YOUR_GRAFANA_URL>/login/google

    The URL you enter is the one for your Grafana instance home page, not your Grafana Cloud portal URL.

  8. Click CREATE. Make a note of your OAuth client ID and client secret.

Enable the Google client on your Grafana instance

  1. From the Cloud Portal, select the Advanced Auth option in the Security section.
  2. Click the Google option and enter your client ID and client secret. List allowed domains, for example, grafana.com, and click Submit.

Configure OAuth with GitHub

To configure OAuth2 using GitHub, you must register an application and create a GitHub OAuth client. You can then enable the client on your Grafana Cloud instance.

Create a GitHub OAuth client

  1. Log in to your GitHub account. In Profile > Settings > Developer settings, select OAuth Apps.
  2. Click Register a new application.
  3. Fill out the fields, using your Grafana homepage URL when appropriate. In the Authorization callback URL field, enter the following: https://<YOUR-GRAFANA-URL>/login/github.
  4. Note your client ID.
  5. Generate, then note, your client secret.

Enable the GitHub client on your Grafana instance

  1. From the Cloud Portal, select the Advanced Auth option in the Security section.
  2. Click the GitHub option and enter your client ID and client secret. List allowed GitHub organizations, for example, Grafana, add any Team IDs, and click Submit.

Configure OAuth with Microsoft Azure AD

To enable the Azure AD OAuth2 you must create a tenant or use an existing tenant and register an application with Azure AD.

Create an Azure AD OAuth client

  1. Log in to the Azure Portal and click View for the Manage Azure Active Directory tile. Select the Azure AD tenant you want to use if you have more than one.

  2. Go to App registrations in the Manage section and click + New registration.

  3. Fill in the following fields:

    • Name: Choose a name for the app.
    • Supported account types: Choose what kind of user accounts can be used to authorize users.
    • Redirect URI: Select Web, then enter the following: https://<YOUR-GRAFANA-URL>/login/azuread.
    • Click Register.
  4. Make a note of your Application (client) ID.

  5. Click Save.

  6. In Certificates & secrets, click + New client secret.

  7. Enter a name and certificate expiration.

  8. Make a note of the Value. This is the OAuth client secret.

    Make sure that you copy the string in the Value field, rather than the one in the Secret field.

  9. Find your API endpoints. Click the Endpoints (globe) button. Make a note of the following endpoints:

    • OAuth 2.0 authorization endpoint (v2)
    • OAuth 2.0 token endpoint (v2)

    If you don’t see the Endpoints option, it is because you are using a personal account. You must use a tenant to create an OAuth client.

  10. Configure user permissions. Click Manifest. You must define the Application Role settings for Grafana for each user ID. If you don’t, all users will default to view mode only when accessing the Grafana instance.

    You can generate random identifiers on Linux or Mac by using the uuidgen command in a terminal, or on Windows through PowerShell using New-Guid.

  11. Assign a unique ID to each role.

    Add users and their roles to the appRoles field of the manifest.

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Grafana admin Users",
            "displayName": "Grafana Admin",
            "id": "<SOME_UNIQUE_ID_1>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Admin"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Grafana read only Users",
            "displayName": "Grafana Viewer",
            "id": "<SOME_UNIQUE_ID_2>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Viewer"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Grafana Editor Users",
            "displayName": "Grafana Editor",
            "id": "<SOME_UNIQUE_ID_3>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Editor"
        }
    ],

  12. Find your application. In Azure Active Directory, click Enterprise Applications. Search for your application and click on it.

  13. Click on 1. Assign users and groups. Search for a user and assign them a Grafana role. Do this for every user that will need a role other than the default View role.
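The appRoles fragment above is only safe to paste once every placeholder ID has been replaced with a unique UUID and each value maps to a Grafana role. The following added example (not part of this documentation or of Grafana's own code) generates the three entries with fresh IDs, using Python's uuid4 in place of uuidgen or New-Guid, and validates a fragment so that leftover placeholders, duplicate IDs or unknown role values are caught before the manifest is saved:

```python
import uuid

# Roles Grafana recognises in the appRoles "value" field (Admin, Editor, Viewer).
GRAFANA_ROLES = {"Admin", "Editor", "Viewer"}


def make_app_role(role, description):
    """One appRoles entry; uuid4 stands in for uuidgen / New-Guid."""
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": f"Grafana {role}",
        "id": str(uuid.uuid4()),  # must differ for every role
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": role,
    }


def build_app_roles():
    """The three entries the manifest needs, each with a fresh random ID."""
    return [make_app_role("Admin", "Grafana admin Users"),
            make_app_role("Viewer", "Grafana read only Users"),
            make_app_role("Editor", "Grafana Editor Users")]


def validate_app_roles(app_roles):
    """Return a list of problems; an empty list means the fragment is safe to paste."""
    problems, seen_ids, seen_values = [], set(), set()
    for i, role in enumerate(app_roles):
        rid, value = role.get("id"), role.get("value")
        try:
            uuid.UUID(str(rid))  # rejects '<SOME_UNIQUE_ID_1>' placeholders
        except ValueError:
            problems.append(f"role {i}: id {rid!r} is not a UUID")
        if rid in seen_ids:
            problems.append(f"role {i}: id {rid!r} duplicates an earlier role")
        if value not in GRAFANA_ROLES:
            problems.append(f"role {i}: value {value!r} is not a Grafana role")
        elif value in seen_values:
            problems.append(f"role {i}: role {value!r} defined twice")
        if role.get("allowedMemberTypes") != ["User"] or role.get("isEnabled") is not True:
            problems.append(f"role {i}: must allow 'User' members and be enabled")
        seen_ids.add(rid)
        seen_values.add(value)
    return problems
```

Serialise `{"appRoles": build_app_roles()}` with json.dumps to obtain the fragment to paste into the manifest, and run validate_app_roles over the appRoles array of an existing manifest to check one that was edited by hand.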

Enable the Azure client on your Grafana instance

  1. From the Cloud Portal, select the Advanced Auth option in the Security section.
  2. Click the Azure AD option and enter your client ID, client secret, and the authorization and token endpoints. List allowed Azure groups and allowed domains, for example, Grafana, add any Team IDs, and click Submit.