Description
Describe the bug
OAuth2 proxy set up and using Okta OIDC as provider. Grafana is also using the same application in Okta for authentication. Oauth2 does not work for authentication.
To Reproduce
Steps to reproduce the behavior:
- Deploy Grafana and Loki through helm charts
- Deploy Oauth2 proxy and configure to use Okta OIDC
- Deploy an Ingress through the Loki helm chart and connect it to OAuth2 proxy via annotations on the ingress (auth-url & auth-signin)
Expected behavior
When connecting to the Loki datasource via Grafana, provide the ingress URL and set authentication to forward OAuth.
Environment:
- Infrastructure: Kubernetes
- Deployment tool: helm
I have got this working with basic OAuth through Nginx but have not been able to get it working with OAuth2 and have not found anything on the internet supporting that anyone has completed this before.
Below is the configuration of the Loki ingress in the helm chart:
```yaml
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.DOMAIN_NAME/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.DOMAIN_NAME/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-proxy-set-headers: ingress-nginx-loki-controller
  hosts:
    - loki.DOMAIN_NAME
  tls:
    - hosts:
        - loki.DOMAIN_NAME
      secretName: loki-tls
```
Below is the configuration of the OAuth2 proxy helm chart; the referenced secret holds the client_id, client secret and cookie secret:
```yaml
namespaceOverride: "oauth2"
image:
  repository: IMAGE_REPO/oauth2-proxy/oauth2-proxy
  tag: latest
config:
  existingSecret: SECRET_OKTA_OAUTH_SECRET_NAME
  configFile: |-
    provider = "oidc"
    redirect_url = "http://grafana.DOMAIN_NAME/oauth2/callback"
    oidc_issuer_url = "https://OKTA_AUTH_URL"
    email_domains = ["*"]
    upstreams = [ "https://loki.DOMAIN_NAME" ]
    pass_access_token = true
    skip_provider_button = true
    pass_authorization_header = true
ingress:
  enabled: true
  className: nginx
  path: /oauth2
  pathType: ImplementationSpecific
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: "1024m"
    nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
  hosts:
    - oauth2-proxy.DOMAIN_NAME
  tls:
    - hosts:
        - oauth2-proxy.DOMAIN_NAME
      secretName: oauth2-tls
```
When trying to connect to the datasource via Grafana using the Ingress created, with authentication set to forward OAuth, the Grafana pods throw an error: 503 Loki service unavailable.
I can supply additional configuration if needed
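A consistency check over the two configurations above, added here as an example and not part of the original report or of the oauth2-proxy or Loki charts. It parses the flat key = value lines of the oauth2-proxy configFile, then compares the redirect_url, the nginx auth-url/auth-signin annotations and the upstreams against the ingress hosts, and flags the points a reviewer would examine first in a 401/503 chain: a redirect_url whose host or scheme does not match the oauth2-proxy ingress (Okta must be able to send the callback to a host that routes to oauth2-proxy, and the registered callback URL must match exactly), and the absence of skip_jwt_bearer_tokens, which oauth2-proxy needs before its /oauth2/auth endpoint will accept a request that carries only a forwarded Authorization: Bearer token instead of its own session cookie (the token's aud must also match the client id). The sample values are copied from the report with its placeholders kept; whether these findings explain the reported 503 is not established by the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the configFile from the report, placeholders kept as-is.
OAUTH2_PROXY_CONFIG = """\
provider = "oidc"
redirect_url = "http://grafana.DOMAIN_NAME/oauth2/callback"
oidc_issuer_url = "https://OKTA_AUTH_URL"
email_domains = ["*"]
upstreams = [ "https://loki.DOMAIN_NAME" ]
pass_access_token = true
skip_provider_button = true
pass_authorization_header = true
"""
# Constructed sample input: ingress hosts and annotations from the report.
OAUTH2_PROXY_HOSTS = ["oauth2-proxy.DOMAIN_NAME"]
OAUTH2_PROXY_TLS = True
LOKI_HOSTS = ["loki.DOMAIN_NAME"]
LOKI_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url": "https://oauth2-proxy.DOMAIN_NAME/oauth2/auth",
    "nginx.ingress.kubernetes.io/auth-signin": "https://oauth2-proxy.DOMAIN_NAME/oauth2/start?rd=$escaped_request_uri",
    "nginx.ingress.kubernetes.io/auth-response-headers": "Authorization",
}


def parse_proxy_config(text):
    """Parse the flat key = value subset of TOML that oauth2-proxy config files use.

    Strings, string arrays and booleans are enough for the keys in the report.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, raw = (part.strip() for part in line.split("=", 1))
        if raw.startswith("["):
            cfg[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('"'):
            cfg[key] = raw.strip('"')
        else:
            cfg[key] = raw.lower() == "true"
    return cfg


def check_auth_chain(proxy_cfg, proxy_hosts, proxy_tls, loki_hosts, loki_annotations):
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    # urlparse lowercases hostnames, so normalise the ingress hosts the same way.
    proxy_hosts = {h.lower() for h in proxy_hosts}
    loki_hosts = {h.lower() for h in loki_hosts}
    findings = []

    redirect = urlparse(proxy_cfg.get("redirect_url", ""))
    if redirect.hostname not in proxy_hosts:
        findings.append(
            "redirect_url host %r is not an oauth2-proxy ingress host %s; the IdP callback "
            "would be sent to a host that does not route to oauth2-proxy"
            % (redirect.hostname, sorted(proxy_hosts)))
    if proxy_tls and redirect.scheme != "https":
        findings.append(
            "redirect_url uses scheme %r while the oauth2-proxy ingress terminates TLS; "
            "the callback URL registered in the IdP must match exactly" % redirect.scheme)

    # The nginx auth_request subrequest and the sign-in redirect must reach oauth2-proxy.
    for key in ("auth-url", "auth-signin"):
        value = loki_annotations.get("nginx.ingress.kubernetes.io/" + key, "")
        if urlparse(value).hostname not in proxy_hosts:
            findings.append("%s points at %r, which is not an oauth2-proxy ingress host" % (key, value))

    # upstreams only matter when oauth2-proxy itself proxies traffic; in auth_request
    # mode they should still name the protected service, so flag anything else.
    for upstream in proxy_cfg.get("upstreams", []):
        if urlparse(upstream).hostname not in loki_hosts:
            findings.append("upstream %r does not match the Loki ingress hosts" % upstream)

    # Grafana's forward-OAuth option sends the user's token as "Authorization: Bearer ...";
    # oauth2-proxy only honours such a header on /oauth2/auth when skip_jwt_bearer_tokens
    # is enabled (and the token's aud matches the client id), otherwise it expects its cookie.
    if not proxy_cfg.get("skip_jwt_bearer_tokens"):
        findings.append(
            "skip_jwt_bearer_tokens is not set: /oauth2/auth will not accept a forwarded "
            "bearer token without a session cookie, so forward-OAuth requests get 401")
    return findings


def run_report():
    """Run the checks against the constructed sample and return the findings."""
    cfg = parse_proxy_config(OAUTH2_PROXY_CONFIG)
    return check_auth_chain(cfg, OAUTH2_PROXY_HOSTS, OAUTH2_PROXY_TLS, LOKI_HOSTS, LOKI_ANNOTATIONS)


if __name__ == "__main__":
    for finding in run_report():
        print("-", finding)
```

Against the report's own values the check reports three findings (redirect_url host, redirect_url scheme, missing skip_jwt_bearer_tokens) and accepts the auth-url, auth-signin and upstreams entries; the hostname comparison is case-insensitive because urlparse lowercases hostnames.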