
OAuth2 Configuration

With Canaille

First, follow the bootstrapping guide.

Then, connect to Canaille using your admin user.

Canaille - Grafana

With GitLab

For each service that should be accessed using LDAP, we create a Group application in the GitLab group settings. Use the configuration provided by this guide for Grafana.

Gitlab - Ralph

Important

Ralph is intended to work with Keycloak. Gitlab OIDC as an identity provider does not work with Ralph. We could add support for it in Ralph, but since the Gitlab OIDC implementation is partial and non-standard, we had better switch to Keycloak.

Gitlab - Grafana

We then add a GitLab OAuth2 authentication method in Grafana. We have to edit the grafana.ini file manually, since the Web UI does not allow us to set a custom auth_url for our GitLab self-managed instance.

The [auth.gitlab] part of the configuration should look like this:

grafana.ini
# ...
[auth.gitlab]
enabled = true
allow_sign_up = true
auto_login = false
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
scopes = openid email profile
auth_url = https://gitlab.lip6.fr/oauth/authorize
token_url = https://gitlab.lip6.fr/oauth/token
api_url = https://gitlab.lip6.fr/api/v4
role_attribute_path = contains(groups[*], 'example-group') && 'Editor' || 'Viewer'
role_attribute_strict = false
allow_assign_grafana_admin = false
allowed_groups = ["admins", "software engineers", "developers/frontend"]
tls_skip_verify_insecure = false
use_pkce = true
use_refresh_token = true
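As an added example (not part of this guide and not Grafana's own tooling), the following Python check parses the [auth.gitlab] section above and flags the settings an operator would want to verify before deploying it: placeholder credentials left in place, GitLab endpoints that are not HTTPS or do not share one host, a missing openid scope, TLS verification disabled, PKCE turned off, automatic Grafana admin assignment, and open sign-up without an allowed_groups restriction. The embedded sample section is constructed from the configuration above; the function name `check_auth_gitlab` is an assumption of this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the [auth.gitlab] section from the guide, with the
# placeholder credentials left in place so the check has something to flag.
SAMPLE_INI = """
[auth.gitlab]
enabled = true
allow_sign_up = true
auto_login = false
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
scopes = openid email profile
auth_url = https://gitlab.lip6.fr/oauth/authorize
token_url = https://gitlab.lip6.fr/oauth/token
api_url = https://gitlab.lip6.fr/api/v4
role_attribute_path = contains(groups[*], 'example-group') && 'Editor' || 'Viewer'
role_attribute_strict = false
allow_assign_grafana_admin = false
allowed_groups = ["admins", "software engineers", "developers/frontend"]
tls_skip_verify_insecure = false
use_pkce = true
use_refresh_token = true
"""

# Values that must never reach a real deployment.
PLACEHOLDERS = {"YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"}


def check_auth_gitlab(ini_text: str) -> list[str]:
    """Return a list of findings for the [auth.gitlab] section (empty means clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("auth.gitlab"):
        return ["missing [auth.gitlab] section"]
    sec = cp["auth.gitlab"]
    findings = []

    # Credentials must be real values, not the guide's placeholders.
    for key in ("client_id", "client_secret"):
        value = sec.get(key, "").strip()
        if not value or value in PLACEHOLDERS:
            findings.append(f"{key} is unset or still a placeholder")

    # All three GitLab endpoints must be HTTPS and point at the same host,
    # otherwise tokens could be sent to, or fetched from, the wrong place.
    hosts = set()
    for key in ("auth_url", "token_url", "api_url"):
        url = urlparse(sec.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{key} is not https")
        hosts.add(url.netloc)
    if len(hosts) != 1:
        findings.append("auth_url, token_url and api_url point at different hosts")

    # Without the openid scope Grafana gets no ID token / groups claim.
    scopes = sec.get("scopes", "").split()
    if "openid" not in scopes:
        findings.append("scopes does not include openid")

    # Boolean hardening settings.
    if sec.getboolean("tls_skip_verify_insecure", fallback=False):
        findings.append("tls_skip_verify_insecure is enabled")
    if not sec.getboolean("use_pkce", fallback=False):
        findings.append("use_pkce is disabled")
    if sec.getboolean("allow_assign_grafana_admin", fallback=False):
        findings.append("allow_assign_grafana_admin is enabled")

    # Open sign-up with no group restriction admits any GitLab user.
    if sec.getboolean("allow_sign_up", fallback=False) and not sec.get("allowed_groups", "").strip():
        findings.append("allow_sign_up is enabled without allowed_groups")

    return findings


if __name__ == "__main__":
    for finding in check_auth_gitlab(SAMPLE_INI) or ["no findings"]:
        print(finding)
```

Run against the sample as written, the only findings are the two placeholder credentials; once real values are filled in the section passes, and flipping tls_skip_verify_insecure to true is reported immediately. The check deliberately uses configparser with interpolation disabled so that the JMESPath expression in role_attribute_path and the quoted list in allowed_groups are read verbatim.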