Configure refresh token handling separately for OAuth providers
With Grafana v9.3, we introduced a feature toggle called accessTokenExpirationCheck. It improves the security of Grafana by checking the expiration of the access token and automatically refreshing an expired access token when a user is logged in using one of the OAuth providers. Without that check, a Grafana session can outlive the access token issued by the identity provider, so a refresh attempt that fails (for example because access was revoked at the provider) is what ends the session.
With the current release, we’ve introduced a new configuration option for each OAuth provider called use_refresh_token. It controls whether that particular OAuth integration uses refresh tokens to automatically renew access tokens when they expire. To provide secure defaults, use_refresh_token is enabled by default for providers that either refresh tokens automatically or let the client request a refresh token. It’s enabled by default for the following OAuth providers: AzureAD, GitLab, Google.
For more information on how to set up refresh token handling, please refer to the documentation of the particular OAuth provider.
Note: The use_refresh_token configuration must be used in conjunction with the accessTokenExpirationCheck feature toggle. If you disable the accessTokenExpirationCheck feature toggle, Grafana won’t check the expiration of the access token and won’t automatically refresh the expired access token, even if the use_refresh_token configuration is set to true.
The accessTokenExpirationCheck feature toggle will be removed in Grafana v10.3.
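The following grafana.ini fragment is an added example, not configuration from the release notes or the Grafana project, showing the two settings above together: the feature toggle that makes Grafana check access token expiry, and use_refresh_token on a provider section. The client IDs and secrets are placeholders, and the Google auth_url parameters reflect Google's own requirement that a refresh token is only issued when the authorization request asks for offline access; treat that line as an assumption to verify against the provider documentation.

```ini
# Added example (not from the release notes): grafana.ini fragment for
# refresh token handling. Placeholder credentials, replace before use.

[feature_toggles]
# Required. Without this toggle Grafana never checks whether the access
# token has expired, so use_refresh_token below has no effect.
enable = accessTokenExpirationCheck

[auth.azuread]
enabled = true
client_id = YOUR_AZUREAD_CLIENT_ID        # placeholder (assumed)
client_secret = YOUR_AZUREAD_CLIENT_SECRET # placeholder (assumed)
# Default is already true for AzureAD; set explicitly so the intent is
# visible in review. An expired access token is refreshed instead of
# keeping the session alive on a stale token.
use_refresh_token = true

[auth.google]
enabled = true
client_id = YOUR_GOOGLE_CLIENT_ID        # placeholder (assumed)
client_secret = YOUR_GOOGLE_CLIENT_SECRET # placeholder (assumed)
# Assumption from Google's OAuth behaviour, not from the release notes:
# Google only returns a refresh token when offline access is requested.
auth_url = https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent
use_refresh_token = true

[auth.gitlab]
enabled = true
client_id = YOUR_GITLAB_CLIENT_ID        # placeholder (assumed)
client_secret = YOUR_GITLAB_CLIENT_SECRET # placeholder (assumed)
# Weaker setting for comparison: opting out means an expired access token
# is not renewed, and the provider-side expiry is no longer enforced
# through refresh. Prefer the default (true) unless the provider cannot
# issue refresh tokens.
use_refresh_token = false
```

After changing these sections, restart Grafana and check the server log at the next token expiry: with the toggle enabled and use_refresh_token set to true, a refresh should happen silently; with the toggle disabled, no refresh is attempted regardless of the per-provider setting.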
