Authentication on Grafana Labs

Auth Proxy

Tue, 14 Apr 2026 18:51:29 +0000

Auth Proxy Authentication

You can configure Grafana to let a http reverse proxy handling authentication. Popular web servers have a very extensive list of pluggable authentication modules, and any of them can be used with the AuthProxy feature. Below we detail the configuration options for auth proxy.

[auth.proxy]
# Defaults to false, but set to true to enable this feature
enabled = true
# HTTP Header name that will contain the username or email
header_name = X-WEBAUTH-USER
# HTTP Header property, defaults to `username` but can also be `email`
header_property = username
# Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`.
auto_sign_up = true
# If combined with Grafana LDAP integration define sync interval
ldap_sync_ttl = 60
# Limit where auth proxy requests come from by configuring a list of IP addresses.
# This can be used to prevent users spoofing the X-WEBAUTH-USER header.
# Example `whitelist = 192.168.1.1, 192.168.1.0/24, 2001::23, 2001::0/120`
whitelist =
# Optionally define more headers to sync other user attributes
# Example `headers = Name:X-WEBAUTH-NAME Email:X-WEBAUTH-EMAIL`
headers =

Interacting with Grafana’s AuthProxy via curl

curl -H "X-WEBAUTH-USER: admin"  http://localhost:3000/api/users
[
    {
        "id":1,
        "name":"",
        "login":"admin",
        "email":"admin@localhost",
        "isAdmin":true
    }
]

We can then send a second request to the /api/user method which will return the details of the logged in user. We will use this request to show how Grafana automatically adds the new user we specify to the system. Here we create a new user called “anthony”.

curl -H "X-WEBAUTH-USER: anthony" http://localhost:3000/api/user
{
    "email":"anthony",
    "name":"",
    "login":"anthony",
    "theme":"",
    "orgId":1,
    "isGrafanaAdmin":false
}

Making Apache’s auth work together with Grafana’s AuthProxy

I’ll demonstrate how to use Apache for authenticating users. In this example we use BasicAuth with Apache’s text file based authentication handler, i.e. htpasswd files. However, any available Apache authentication capabilities could be used.

Apache BasicAuth

In this example we use Apache as a reverse proxy in front of Grafana. Apache handles the Authentication of users before forwarding requests to the Grafana backend service.

Apache configuration

    <VirtualHost *:80>
        ServerAdmin webmaster@authproxy
        ServerName authproxy
        ErrorLog "logs/authproxy-error_log"
        CustomLog "logs/authproxy-access_log" common

        <Proxy *>
            AuthType Basic
            AuthName GrafanaAuthProxy
            AuthBasicProvider file
            AuthUserFile /etc/apache2/grafana_htpasswd
            Require valid-user

            RewriteEngine On
            RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
            RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
        </Proxy>

        RequestHeader unset Authorization

        ProxyRequests Off
        ProxyPass / http://localhost:3000/
        ProxyPassReverse / http://localhost:3000/
    </VirtualHost>

The first 4 lines of the virtualhost configuration are standard, so we won’t go into detail on what they do.
We use a <proxy> configuration block for applying our authentication rules to every proxied request. These rules include requiring basic authentication where user:password credentials are stored in the /etc/apache2/grafana_htpasswd file. This file can be created with the htpasswd command.
- The next part of the configuration is the tricky part. We use Apache’s rewrite engine to create our X-WEBAUTH-USER header, populated with the authenticated user.
  - RewriteRule . - [E=PROXY_USER:%{LA-U:REMOTE_USER}, NS]*: This line is a little bit of magic. What it does, is for every request use the rewriteEngines look-ahead (LA-U) feature to determine what the REMOTE_USER variable would be set to after processing the request. Then assign the result to the variable PROXY_USER. This is necessary as the REMOTE_USER variable is not available to the RequestHeader function.
  - RequestHeader set X-WEBAUTH-USER “%{PROXY_USER}e”: With the authenticated username now stored in the PROXY_USER variable, we create a new HTTP request header that will be sent to our backend Grafana containing the username.
The RequestHeader unset Authorization removes the Authorization header from the HTTP request before it is forwarded to Grafana. This ensures that Grafana does not try to authenticate the user using these credentials (BasicAuth is a supported authentication handler in Grafana).
The last 3 lines are then just standard reverse proxy configuration to direct all authenticated requests to our Grafana server running on port 3000.

Full walk through using Docker.

For this example, we use the official Grafana docker image available at Docker Hub

Create a file grafana.ini with the following contents

[users]
allow_sign_up = false
auto_assign_org = true
auto_assign_org_role = Editor

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

Launch the Grafana container, using our custom grafana.ini to replace /etc/grafana/grafana.ini. We don’t expose any ports for this container as it will only be connected to by our Apache container.

docker run -i -v $(pwd)/grafana.ini:/etc/grafana/grafana.ini --name grafana grafana/grafana

Apache Container

For this example we use the official Apache docker image available at Docker Hub

Create a file httpd.conf with the following contents

ServerRoot "/usr/local/apache2"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
ServerAdmin you@example.com
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
ErrorLog /proc/self/fd/2
LogLevel error
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog /proc/self/fd/1 common
</IfModule>
<Proxy *>
    AuthType Basic
    AuthName GrafanaAuthProxy
    AuthBasicProvider file
    AuthUserFile /tmp/htpasswd
    Require valid-user
    RewriteEngine On
    RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
    RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass / http://grafana:3000/
ProxyPassReverse / http://grafana:3000/

Create a htpasswd file. We create a new user anthony with the password password
Bash
```
htpasswd -bc htpasswd anthony password
```
Launch the httpd container using our custom httpd.conf and our htpasswd file. The container will listen on port 80, and we create a link to the grafana container so that this container can resolve the hostname grafana to the grafana container’s ip address.
Bash
```
docker run -i -p 80:80 --link grafana:grafana -v $(pwd)/httpd.conf:/usr/local/apache2/conf/httpd.conf -v $(pwd)/htpasswd:/tmp/htpasswd httpd:2.4
```

Use grafana.

With our Grafana and Apache containers running, you can now connect to http://localhost/ and log in using the username/password we created in the htpasswd file.

Enhanced LDAP Integration

Tue, 14 Apr 2026 18:51:29 +0000

Enhanced LDAP Integration

Enhanced LDAP Integration is only available in Grafana Enterprise. Read more about Grafana Enterprise.

The enhanced LDAP integration adds additional functionality on top of the existing LDAP integration.

LDAP Group Synchronization for Teams

With the enhanced LDAP integration it’s possible to setup synchronization between LDAP groups and teams. This enables LDAP users which are members of certain LDAP groups to automatically be added/removed as members to certain teams in Grafana. Currently the synchronization will only happen every time a user logs in, but an active background synchronization is currently being developed.

Grafana keeps track of all synchronized users in teams and you can see which users have been synchronized from LDAP in the team members list, see LDAP label in screenshot. This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also enables you to manually add a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.

Enable LDAP group synchronization for a team

Navigate to Configuration / Teams.
Select a team.
Select the External group sync tab and click on the Add group button.
Insert LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
Click on Add group button to save.

GitHub OAuth2 Authentication

Tue, 14 Apr 2026 18:51:29 +0000

GitHub OAuth2 Authentication

To enable the GitHub OAuth2 you must register your application with GitHub. GitHub will generate a client ID and secret key for you to use.

Configure GitHub OAuth application

You need to create a GitHub OAuth application (you find this under the GitHub settings page). When you create the application you will need to specify a callback URL. Specify this as callback:

http://<my_grafana_server_name_or_ip>:<grafana_server_port>/login/github

This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/github. When the GitHub OAuth application is created you will get a Client ID and a Client Secret. Specify these in the Grafana configuration file. For example:

Enable GitHub in Grafana

[auth.github]
enabled = true
allow_sign_up = true
client_id = YOUR_GITHUB_APP_CLIENT_ID
client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
team_ids =
allowed_organizations =

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

Restart the Grafana back-end. You should now see a GitHub login button on the login page. You can now login or sign up with your GitHub accounts.

You may allow users to sign-up via GitHub authentication by setting the allow_sign_up option to true. When this option is set to true, any user successfully authenticating via GitHub authentication will be automatically signed up.

team_ids

Require an active team membership for at least one of the given teams on GitHub. If the authenticated user isn’t a member of at least one of the teams they will not be able to register or authenticate with your Grafana instance. For example:

[auth.github]
enabled = true
client_id = YOUR_GITHUB_APP_CLIENT_ID
client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
scopes = user:email,read:org
team_ids = 150,300
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allow_sign_up = true

allowed_organizations

Require an active organization membership for at least one of the given organizations on GitHub. If the authenticated user isn’t a member of at least one of the organizations they will not be able to register or authenticate with your Grafana instance. For example

[auth.github]
enabled = true
client_id = YOUR_GITHUB_APP_CLIENT_ID
client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allow_sign_up = true
# space-delimited organization names
allowed_organizations = github google

GitLab OAuth2 Authentication

Tue, 14 Apr 2026 18:51:29 +0000

GitLab OAuth2 Authentication

To enable the GitLab OAuth2 you must register an application in GitLab. GitLab will generate a client ID and secret key for you to use.

Create GitLab OAuth keys

You need to create a GitLab OAuth application. Choose a descriptive Name, and use the following Redirect URI:

https://grafana.example.com/login/gitlab

where https://grafana.example.com is the URL you use to connect to Grafana. Adjust it as needed if you don’t use HTTPS or if you use a different port; for instance, if you access Grafana at http://203.0.113.31:3000, you should use

http://203.0.113.31:3000/login/gitlab

Finally, select api as the Scope and submit the form. Note that if you’re not going to use GitLab groups for authorization (i.e. not setting allowed_groups, see below), you can select read_user instead of api as the Scope, thus giving a more restricted access to your GitLab API.

You’ll get an Application Id and a Secret in return; we’ll call them GITLAB_APPLICATION_ID and GITLAB_SECRET respectively for the rest of this section.

Enable GitLab in Grafana

Add the following to your Grafana configuration file to enable GitLab authentication:

[auth.gitlab]
enabled = true
allow_sign_up = false
client_id = GITLAB_APPLICATION_ID
client_secret = GITLAB_SECRET
scopes = api
auth_url = https://gitlab.com/oauth/authorize
token_url = https://gitlab.com/oauth/token
api_url = https://gitlab.com/api/v4
allowed_groups =

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

Restart the Grafana backend for your changes to take effect.

If you use your own instance of GitLab instead of gitlab.com, adjust auth_url, token_url and api_url accordingly by replacing the gitlab.com hostname with your own.

With allow_sign_up set to false, only existing users will be able to login using their GitLab account, but with allow_sign_up set to true, any user who can authenticate on GitLab will be able to login on your Grafana instance; if you use the public gitlab.com, it means anyone in the world would be able to login on your Grafana instance.

You can can however limit access to only members of a given group or list of groups by setting the allowed_groups option.

allowed_groups

To limit access to authenticated users that are members of one or more GitLab groups, set allowed_groups to a comma- or space-separated list of groups. For instance, if you want to only give access to members of the example group, set

allowed_groups = example

If you want to also give access to members of the subgroup bar, which is in the group foo, set

allowed_groups = example, foo/bar

Note that in GitLab, the group or subgroup name doesn’t always match its display name, especially if the display name contains spaces or special characters. Make sure you always use the group or subgroup name as it appears in the URL of the group or subgroup.

Here’s a complete example with allow_sign_up enabled, and access limited to the example and foo/bar groups:

[auth.gitlab]
enabled = true
allow_sign_up = true
client_id = GITLAB_APPLICATION_ID
client_secret = GITLAB_SECRET
scopes = api
auth_url = https://gitlab.com/oauth/authorize
token_url = https://gitlab.com/oauth/token
api_url = https://gitlab.com/api/v4
allowed_groups = example, foo/bar

Google OAuth2 Authentication

Tue, 14 Apr 2026 18:51:29 +0000

Google OAuth2 Authentication

To enable the Google OAuth2 you must register your application with Google. Google will generate a client ID and secret key for you to use.

Create Google OAuth keys

First, you need to create a Google OAuth Client:

Go to https://console.developers.google.com/apis/credentials
Click the ‘Create Credentials’ button, then click ‘OAuth Client ID’ in the menu that drops down
Enter the following:
- Application Type: Web Application
- Name: Grafana
- Authorized Javascript Origins: https://grafana.mycompany.com
- Authorized Redirect URLs: https://grafana.mycompany.com/login/google
- Replace https://grafana.mycompany.com with the URL of your Grafana instance.
Click Create
Copy the Client ID and Client Secret from the ‘OAuth Client’ modal

Enable Google OAuth in Grafana

Specify the Client ID and Secret in the Grafana configuration file. For example:

[auth.google]
enabled = true
client_id = CLIENT_ID
client_secret = CLIENT_SECRET
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
allowed_domains = mycompany.com mycompany.org
allow_sign_up = true

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

Restart the Grafana back-end. You should now see a Google login button on the login page. You can now login or sign up with your Google accounts. The allowed_domains option is optional, and domains were separated by space.

You may allow users to sign-up via Google authentication by setting the allow_sign_up option to true. When this option is set to true, any user successfully authenticating via Google authentication will be automatically signed up.

LDAP Authentication

Tue, 14 Apr 2026 18:51:29 +0000

LDAP Authentication

The LDAP integration in Grafana allows your Grafana users to login with their LDAP credentials. You can also specify mappings between LDAP group memberships and Grafana Organization user roles.

Supported LDAP Servers

Grafana uses a third-party LDAP library under the hood that supports basic LDAP v3 functionality. This means that you should be able to configure LDAP integration using any compliant LDAPv3 server, for example OpenLDAP or Active Directory among others.

Enable LDAP

In order to use LDAP integration you’ll first need to enable LDAP in the main config file as well as specify the path to the LDAP specific configuration file (default: /etc/grafana/ldap.toml).

[auth.ldap]
# Set to `true` to enable LDAP integration (default: `false`)
enabled = true

# Path to the LDAP specific configuration file (default: `/etc/grafana/ldap.toml`)
config_file = /etc/grafana/ldap.toml

# Allow sign up should almost always be true (default) to allow new Grafana users to be created (if ldap authentication is ok). If set to
# false only pre-existing Grafana users will be able to login (if ldap authentication is ok).
allow_sign_up = true

Grafana LDAP Configuration

Depending on which LDAP server you’re using and how that’s configured your Grafana LDAP configuration may vary. See configuration examples for more information.

LDAP specific configuration file (ldap.toml) example:

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "127.0.0.1"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'grafana'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["dc=grafana,dc=org"]

# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email =  "email"

Bind

Bind & Bind Password

By default the configuration expects you to specify a bind DN and bind password. This should be a read only user that can perform LDAP searches. When the user DN is found a second bind is performed with the user provided username & password (in the normal Grafana login form).

bind_dn = "cn=admin,dc=grafana,dc=org"
bind_password = "grafana"

Single Bind Example

If you can provide a single bind expression that matches all possible users, you can skip the second bind and bind against the user DN directly. This allows you to not specify a bind_password in the configuration file.

bind_dn = "cn=%s,o=users,dc=grafana,dc=org"

In this case you skip providing a bind_password and instead provide a bind_dn value with a %s somewhere. This will be replaced with the username entered in on the Grafana login page. The search filter and search bases settings are still needed to perform the LDAP search to retrieve the other LDAP information (like LDAP groups and email).

POSIX schema

If your ldap server does not support the memberOf attribute add these options:

## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
## the %s in the search filter will be replaced with the attribute defined below
group_search_filter_user_attribute = "uid"

Also set member_of = "dn" in the [servers.attributes] section.

Group Mappings

In [[servers.group_mappings]] you can map an LDAP group to a Grafana organization and role. These will be synced every time the user logs in, with LDAP being the authoritative source. So, if you change a user’s role in the Grafana Org. Users page, this change will be reset the next time the user logs in. If you change the LDAP groups of a user, the change will take effect the next time the user logs in.

The first group mapping that an LDAP user is matched to will be used for the sync. If you have LDAP users that fit multiple mappings, the topmost mapping in the TOML config will be used.

LDAP specific configuration file (ldap.toml) example:

[[servers]]
# other settings omitted for clarity

[[servers.group_mappings]]
group_dn = "cn=superadmins,dc=grafana,dc=org"
org_role = "Admin"
grafana_admin = true # Available in Grafana v5.3 and above

[[servers.group_mappings]]
group_dn = "cn=admins,dc=grafana,dc=org"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=users,dc=grafana,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

Setting	Required	Description	Default
`group_dn`	Yes	LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (`"*"`)
`org_role`	Yes	Assign users of `group_dn` the organization role `"Admin"`, `"Editor"` or `"Viewer"`
`org_id`	No	The Grafana organization database id. Setting this allows for multiple group_dn’s to be assigned to the same `org_role` provided the `org_id` differs	`1` (default org id)
`grafana_admin`	No	When `true` makes user of `group_dn` Grafana server admin. A Grafana server admin has admin access over all organizations and users. Available in Grafana v5.3 and above	`false`

Nested/recursive group membership

Users with nested/recursive group membership must have an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN and configure group_search_filter in a way that it returns the groups the submitted username is a member of.

Active Directory example:

Active Directory groups store the Distinguished Names (DNs) of members, so your filter will need to know the DN for the user based only on the submitted username. Multiple DN templates can be searched by combining filters with the LDAP OR-operator. Examples:

group_search_filter = "(member:1.2.840.113556.1.4.1941:=CN=%s,[user container/OU])"
group_search_filter = "(|(member:1.2.840.113556.1.4.1941:=CN=%s,[user container/OU])(member:1.2.840.113556.1.4.1941:=CN=%s,[another user container/OU]))"
group_search_filter_user_attribute = "cn"

For more information on AD searches see Microsoft’s Search Filter Syntax documentation.

For troubleshooting, by changing member_of in [servers.attributes] to “dn” it will show you more accurate group memberships when debug is enabled.

Configuration examples

OpenLDAP

OpenLDAP is an open source directory service.

LDAP specific configuration file (ldap.toml):

[[servers]]
host = "127.0.0.1"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=admin,dc=grafana,dc=org"
bind_password = 'grafana'
search_filter = "(cn=%s)"
search_base_dns = ["dc=grafana,dc=org"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email =  "email"

# [[servers.group_mappings]] omitted for clarity

Active Directory

Active Directory is a directory service which is commonly used in Windows environments.

Assuming the following Active Directory server setup:

IP address: 10.0.0.1
Domain: CORP
DNS name: corp.local

LDAP specific configuration file (ldap.toml):

[[servers]]
host = "10.0.0.1"
port = 3269
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = "CORP\\%s"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=corp,dc=local"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

# [[servers.group_mappings]] omitted for clarity

Port requirements

In above example SSL is enabled and an encrypted port have been configured. If your Active Directory don’t support SSL please change enable_ssl = false and port = 389. Please inspect your Active Directory configuration and documentation to find the correct settings. For more information about Active Directory and port requirements see link.

Troubleshooting

To troubleshoot and get more log info enable ldap debug logging in the main config file.

[log]
filters = ldap:debug

OAuth authentication

Tue, 14 Apr 2026 18:51:29 +0000

Generic OAuth Authentication

You can configure many different oauth2 authentication services with Grafana using the generic oauth2 feature. Below you can find examples using Okta, BitBucket, OneLogin and Azure.

This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/generic_oauth.

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

Example config:

[auth.generic_oauth]
enabled = true
client_id = YOUR_APP_CLIENT_ID
client_secret = YOUR_APP_CLIENT_SECRET
scopes =
auth_url =
token_url =
api_url =
allowed_domains = mycompany.com mycompany.org
allow_sign_up = true

Set api_url to the resource that returns OpenID UserInfo compatible information.

Grafana will attempt to determine the user’s e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:

Check for the presence of an e-mail address via the email field encoded in the OAuth id_token parameter.
Check for the presence of an e-mail address in the attributes map encoded in the OAuth id_token parameter. By default Grafana will perform a lookup into the attributes map using the email:primary key, however, this is configurable and can be adjusted by using the email_attribute_name configuration option.
Query the /emails endpoint of the OAuth provider’s API (configured with api_url) and check for the presence of an e-mail address marked as a primary address.
If no e-mail address is found in steps (1-3), then the e-mail address of the user is set to the empty string.

Set up OAuth2 with Okta

First set up Grafana as an OpenId client “webapplication” in Okta. Then set the Base URIs to https://<grafana domain>/ and set the Login redirect URIs to https://<grafana domain>/login/generic_oauth.

Finally set up the generic oauth module like this:

[auth.generic_oauth]
name = Okta
enabled = true
scopes = openid profile email
client_id = <okta application Client ID>
client_secret = <okta application Client Secret>
auth_url = https://<okta domain>/oauth2/v1/authorize
token_url = https://<okta domain>/oauth2/v1/token
api_url = https://<okta domain>/oauth2/v1/userinfo

Set up OAuth2 with Bitbucket

[auth.generic_oauth]
name = BitBucket
enabled = true
allow_sign_up = true
client_id = <client id>
client_secret = <client secret>
scopes = account email
auth_url = https://bitbucket.org/site/oauth2/authorize
token_url = https://bitbucket.org/site/oauth2/access_token
api_url = https://api.bitbucket.org/2.0/user
team_ids =
allowed_organizations =

Set up OAuth2 with OneLogin

Create a new Custom Connector with the following settings:
- Name: Grafana
- Sign On Method: OpenID Connect
- Redirect URI: https://<grafana domain>/login/generic_oauth
- Signing Algorithm: RS256
- Login URL: https://<grafana domain>/login/generic_oauth
then:
Add an App to the Grafana Connector:
- Display Name: Grafana
then:

Under the SSO tab on the Grafana App details page you’ll find the Client ID and Client Secret.

Your OneLogin Domain will match the url you use to access OneLogin.

Configure Grafana as follows:

[auth.generic_oauth]
name = OneLogin
enabled = true
allow_sign_up = true
client_id = <client id>
client_secret = <client secret>
scopes = openid email name
auth_url = https://<onelogin domain>.onelogin.com/oidc/auth
token_url = https://<onelogin domain>.onelogin.com/oidc/token
api_url = https://<onelogin domain>.onelogin.com/oidc/me
team_ids =
allowed_organizations =

Set up OAuth2 with Auth0

Create a new Client in Auth0
- Name: Grafana
- Type: Regular Web Application
Go to the Settings tab and set:
- Allowed Callback URLs: https://<grafana domain>/login/generic_oauth

Click Save Changes, then use the values at the top of the page to configure Grafana:

[auth.generic_oauth]
enabled = true
allow_sign_up = true
team_ids =
allowed_organizations =
name = Auth0
client_id = <client id>
client_secret = <client secret>
scopes = openid profile email
auth_url = https://<domain>/authorize
token_url = https://<domain>/oauth/token
api_url = https://<domain>/userinfo

Set up OAuth2 with Azure Active Directory

Log in to portal.azure.com and click “Azure Active Directory” in the side menu, then click the “Properties” sub-menu item.
Copy the “Directory ID”, this is needed for setting URLs later
Click “App Registrations” and add a new application registration:
- Name: Grafana
- Application type: Web app / API
- Sign-on URL: https://<grafana domain>/login/generic_oauth
Click the name of the new application to open the application details page.
Note down the “Application ID”, this will be the OAuth client id.
Click “Settings”, then click “Keys” and add a new entry under Passwords
- Key Description: Grafana OAuth
- Duration: Never Expires
Click Save then copy the key value, this will be the OAuth client secret.

Configure Grafana as follows:

[auth.generic_oauth]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = <application id>
client_secret = <key value>
scopes = openid email name
auth_url = https://login.microsoftonline.com/<directory id>/oauth2/authorize
token_url = https://login.microsoftonline.com/<directory id>/oauth2/token
api_url =
team_ids =
allowed_organizations =

Note: It’s important to ensure that the root_url in Grafana is set in your Azure Application Reply URLs (App -> Settings -> Reply URLs)

Set up OAuth2 with Centrify

Create a new Custom OpenID Connect application configuration in the Centrify dashboard.
Create a memorable unique Application ID, e.g. “grafana”, “grafana_aws”, etc.
Put in other basic configuration (name, description, logo, category)
On the Trust tab, generate a long password and put it into the OpenID Connect Client Secret field.
Put the URL to the front page of your Grafana instance into the “Resource Application URL” field.
Add an authorized Redirect URI like https://your-grafana-server/login/generic_oauth
Set up permissions, policies, etc. just like any other Centrify app

Configure Grafana as follows:

[auth.generic_oauth]
name = Centrify
enabled = true
allow_sign_up = true
client_id = <OpenID Connect Client ID from Centrify>
client_secret = <your generated OpenID Connect Client Sercret"
scopes = openid email name
auth_url = https://<your domain>.my.centrify.com/OAuth2/Authorize/<Application ID>
token_url = https://<your domain>.my.centrify.com/OAuth2/Token/<Application ID>

Set up OAuth2 with non-compliant providers

Only available in Grafana v6.0 and above.

Some OAuth2 providers might not support client_id and client_secret passed via Basic Authentication HTTP header, which results in invalid_client error. To allow Grafana to authenticate via these type of providers, the client identifiers must be send via POST body, which can be enabled via the following settings:

[auth.generic_oauth]
send_client_credentials_via_post = true

Overview

Tue, 14 Apr 2026 18:51:29 +0000

User Authentication Overview

Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions and org memberships.

OAuth Integrations

Google OAuth
GitHub OAuth
Gitlab OAuth
Generic OAuth (Okta2, BitBucket, Azure, OneLogin, Auth0)

LDAP integrations

LDAP Authentication (OpenLDAP, ActiveDirectory, etc)

Auth proxy

Auth Proxy If you want to handle authentication outside Grafana using a reverse proxy.

Grafana Auth

Grafana of course has a built in user authentication system with password authentication enabled by default. You can disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth provider (listed above). There is also options for allowing self sign up.

The following applies when using Grafana’s built in user authentication, LDAP (without Auth proxy) or OAuth integration.

Grafana are using short-lived tokens as a mechanism for verifying authenticated users. These short-lived tokens are rotated each token_rotation_interval_minutes for an active authenticated user.

An active authenticated user that gets it token rotated will extend the login_maximum_inactive_lifetime_days time from “now” that Grafana will remember the user. This means that a user can close its browser and come back before now + login_maximum_inactive_lifetime_days and still being authenticated. This is true as long as the time since user login is less than login_maximum_lifetime_days.

Example:

[auth]

# Login cookie name
login_cookie_name = grafana_session

# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days.
login_maximum_inactive_lifetime_days = 7

# The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days.
login_maximum_lifetime_days = 30

# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
token_rotation_interval_minutes = 10

Anonymous authentication

You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.

Example:

[auth.anonymous]
enabled = true

# Organization name that should be used for unauthenticated users
org_name = Main Org.

# Role for unauthenticated users, other valid values are `Editor` and `Admin`
org_role = Viewer

If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.

Basic authentication

Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP authentication integration.

To disable basic auth:

[auth.basic]
enabled = false

You can hide the Grafana login form using the below configuration settings.

[auth]
disable_login_form = true

Set to true to attempt login with OAuth automatically, skipping the login screen. This setting is ignored if multiple OAuth providers are configured. Defaults to false.

[auth]
oauth_auto_login = true

Set to the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.

[auth]
disable_signout_menu = true

URL redirect after signing out

URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from oauth provider.

[auth]
signout_redirect_url =

Authentication on Grafana Labs

Auth Proxy

Auth Proxy Authentication

Interacting with Grafana’s AuthProxy via curl

Making Apache’s auth work together with Grafana’s AuthProxy

Apache BasicAuth

Apache configuration

Full walk through using Docker.

Apache Container

Use grafana.

Enhanced LDAP Integration

Enhanced LDAP Integration

LDAP Group Synchronization for Teams

Enable LDAP group synchronization for a team

GitHub OAuth2 Authentication

GitHub OAuth2 Authentication

Configure GitHub OAuth application

Enable GitHub in Grafana

team_ids

allowed_organizations

GitLab OAuth2 Authentication

GitLab OAuth2 Authentication

Create GitLab OAuth keys

Enable GitLab in Grafana

allowed_groups

Google OAuth2 Authentication

Google OAuth2 Authentication

Create Google OAuth keys

Enable Google OAuth in Grafana

LDAP Authentication

LDAP Authentication

Supported LDAP Servers

Enable LDAP

Grafana LDAP Configuration

Bind

Bind & Bind Password

Single Bind Example

POSIX schema

Group Mappings

Nested/recursive group membership

Configuration examples

OpenLDAP

Active Directory

Port requirements

Troubleshooting

OAuth authentication

Generic OAuth Authentication

Set up OAuth2 with Okta

Set up OAuth2 with Bitbucket

Set up OAuth2 with OneLogin

Set up OAuth2 with Auth0

Set up OAuth2 with Azure Active Directory

Set up OAuth2 with Centrify

Set up OAuth2 with non-compliant providers

Overview

User Authentication Overview

OAuth Integrations

LDAP integrations

Auth proxy

Grafana Auth

Login and short-lived tokens

Anonymous authentication

Basic authentication

Disable login form

Automatic OAuth login

Hide sign-out menu

URL redirect after signing out