Automatic login by token url #3752
Comments
Would be pretty insecure as anyone can see the token; you can create a snapshot of the visible data and embed that, it would be more secure.
Yes, but using snapshots you don't have the permission to edit it, or is there any way to edit a dashboard through snapshots?
This is pretty important for interoperability with SaaS. Providing a URL+token authentication method is par for the course. Without this functionality, users must encounter a second login screen, where they will be confused as to what username / password to enter. This is a big blocker for us.
Sounds like a good feature to have in Grafana. Would like help with a PR as there is so much other stuff that is really high priority right now.
Nice explanation @adamlwgriffiths, the same thing happens to me. Right now we solved this issue with a little hack, adding a JavaScript that automatically logs in to Grafana, but it is a temporary solution.
+10 for this!! If I get some time I'll seriously consider working on this.
If you're storing the date of the token's creation so you can expire it, then you're also storing the hash and the associated account, so I don't think the hash needs to be generated from any particular data. It just needs to be a sufficiently large search space to make guessing infeasible.
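The stored-token design sketched in the comment above (random token, only its hash and the owning account plus an expiry kept server-side), with the origin binding asked about further down the thread, as an added example. This is illustrative code written for this thread, not Grafana's implementation. It assumes the server derives `presentedOrigin` from the embedding page's Referer/Origin request header, which only browsers send reliably, so the binding limits where a leaked token is useful rather than being a hard guarantee; the `TokenStore` type, its method names and the sample user and origin values are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// record is what the server keeps per token: the account it maps to, the
// embedding origin allowed to present it, and its expiry. The token itself
// is never stored, only its SHA-256 hash.
type record struct {
	userID  string
	origin  string // e.g. "https://app.example.com"; empty means any origin
	expires time.Time
}

// TokenStore maps hex(sha256(token)) -> record. (Constructed for this example.)
type TokenStore struct {
	mu     sync.Mutex
	byHash map[string]record
}

func NewTokenStore() *TokenStore { return &TokenStore{byHash: map[string]record{}} }

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

var ErrInvalidToken = errors.New("invalid, expired or misused token")

// Issue mints a 256-bit random token (43 url-safe base64 characters) bound to a
// user, an origin and a lifetime, and records only its hash. The search space
// is the token's 256 bits, not anything derived from the user.
func (s *TokenStore) Issue(userID, origin string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byHash[hashToken(tok)] = record{userID: userID, origin: origin, expires: now.Add(ttl)}
	return tok, nil
}

// Lookup resolves a presented token to a user ID. Unknown hashes, expired
// records and a mismatched presenting origin all fail with the same error,
// so the response does not reveal which check tripped.
func (s *TokenStore) Lookup(tok, presentedOrigin string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[hashToken(tok)]
	if !ok || !now.Before(rec.expires) {
		return "", ErrInvalidToken
	}
	if rec.origin != "" && rec.origin != presentedOrigin {
		return "", ErrInvalidToken
	}
	return rec.userID, nil
}

// Revoke deletes a token immediately, e.g. when the embedding page is retired.
func (s *TokenStore) Revoke(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.byHash, hashToken(tok))
}

// Sweep drops expired records: the periodic "sweep and clear" job that a
// stored-token design needs and a self-contained signed token does not.
func (s *TokenStore) Sweep(now time.Time) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for h, rec := range s.byHash {
		if !now.Before(rec.expires) {
			delete(s.byHash, h)
			n++
		}
	}
	return n
}

func main() {
	s := NewTokenStore()
	now := time.Now()
	tok, _ := s.Issue("kiosk-viewer", "https://app.example.com", time.Hour, now)
	uid, err := s.Lookup(tok, "https://app.example.com", now)
	fmt.Println(uid, err) // kiosk-viewer <nil>
	_, err = s.Lookup(tok, "https://other.example", now)
	fmt.Println(err) // invalid, expired or misused token
}
```

Because only the hash is persisted, a copy of the token table does not yield usable tokens; the cost is the database row per token and the `Sweep` job, which is the trade-off the later comment about self-contained tokens describes.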
@adamlwgriffiths, this should support some basic roles as well, such as viewer, editor, etc., similar to what is done with the API keys. Perhaps we could just extend that so we could pass an API key in via URL?
I think - in the long term - the user / org / API token needs to be consolidated, rather than a new method added. IMO API tokens should work the same as normal users. There's an arbitrary segregation that isn't documented and I find to be counter-intuitive. Enabling all the login checks to also check for API keys would be the best I think.
Has this feature been implemented? I was trying to have a user automatically get redirected to the Grafana dashboard from my site.
@comcomservices As a follow-up on the token itself, you definitely could encrypt information inside the token with the user id and the token's expiry time. That way you can just read the token itself and get the information without requiring tokens to be stored in the DB and running 'sweep and clear' over old tokens. I am hesitant to recommend such a thing; I firmly believe that cryptography is hard, and without a full understanding of what you are doing, it's not a good idea to attempt to do it. The other issue with encrypted tokens is that they are rather large, and the more information, the larger they become.
@adamlwgriffiths as far as cryptography goes, I have a formal background in it and enjoy it, but for this case I'm in full agreement that a token would be best. Just trying to figure out this Go stuff, been doing C++ and asm for way too long... I'll get it though and this is first on my list.
I'm looking forward to this feature! Regarding @adamlwgriffiths' comment above with respect to embedding the token on a site, I believe the way to mitigate that is associating that token with a domain that should be requesting it; that way that token only works when the origin matches. An example of this -- again, if I understand the issue correctly -- is Sentry's raven-js; it will make a public URL and then restrict it by origin (see below). Would this mitigate the security concern?
@Germanaz0 is your auto-login JS publicly available? I'm looking to implement something similar against the master branch and it appears that the backend redirects to the login screen prior to hitting the dashboard page. I'm not super familiar with the project structure yet, so I may not be plugging into the right section in the JS code.
@rca yes, but my solution is super simple: https://gist.github.com/german-bortoli/d41b5f60dd8097405b6b You receive an input parameter like ?t=base64 of a JSON with {user: USERNAME, pass: PASS, redirect_to: _URL_TO_REDIRECT }. You shall include that script into the login page.
@Germanaz0, thanks for sharing! After sending my comment I started taking a look and, as you pointed out, I found that I needed to update the login page. I took a slightly different approach and updated the login controller instead of making a stand-alone script; my change is here: https://github.com/zymbit/grafana/tree/auto-login-by-cookie-redirect Is this worthy of a pull request? I'd be happy to make the mods necessary to get this into a mergeable state.
Any update on this?
+1 for a PR from @rca
@Germanaz0, which file are you including your .js file in?
@rca do you have any instructions on how to use your login controller mod? I am new to Grafana and trying to get this working for an unattended kiosk.
BTW if anyone else needs a way to accomplish this for kiosks, etc., check out Grafana's authproxy. I was able to accomplish what I needed to with this and Apache.
@scottfuhrman Nothing formally written, however, here's my use case and implementation: I wasn't looking for kiosk mode, but rather a way to embed a dashboard as an iframe on an external page. The charts are embedded pretty cleanly, for example: On the page you're looking to embed the dashboard, you need the following markup:

```html
<div id='grafana-dashboard' class="col-lg-12"></div>
<script type="text/javascript">
GrafanaEmbed = {
  grafanaUrl: 'https://your.grafana.example.com',
  dashboard: 'dashboard-name',
  queryParams: {
    dashnav: 0,
    // this is a base64-encoded string of username:password
    // for example on a *NIX machine (and Mac OS X):
    // $ echo "kiosk1:supersecret" | base64
    // a2lvc2sxOnN1cGVyc2VjcmV0Cg==
    auth: 'a2lvc2sxOnN1cGVyc2VjcmV0Cg==',
    theme: 'light'
  }
};
(function() {
  // load the embed script asynchronously from the Grafana host configured above
  var d = document.createElement('script'); d.type = 'text/javascript'; d.async = true;
  d.src = GrafanaEmbed.grafanaUrl + '/public/app/features/dashboard/embed.js';
  (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(d);
})();
</script>
```

Hope this helps.
+1 I don't have the staffing resources for this, but I'd be happy to crowdfund the effort for this.
Is it possible that in future this feature will be officially supported natively by Grafana? Or are there some considerations why the team does not want to have this feature for some reason, and definitely will not implement it?
So... how to share an iframe without a user/password request page? No way?
I think this link is not accessible now.
Sorry, the actual link is this one: https://gist.github.com/german-bortoli/d41b5f60dd8097405b6b (my username was changed)
Any updates on this? It's a good feature, I wonder why it's taking ages for this feature.
Our use case: We want to show our boards on our signage screens. Security is not an issue in this case because the URL will not be shown on the screens. This missing feature keeps us from using Grafana more widely. In the past we used https://:@grafanaurl.com but this stopped working ages ago. Another problem is that we are using the hosted version of Grafana where we cannot proxy anything to or do other nasty tricks.
Hi sir, I am new to Grafana and I have tried the nginx method of auto-login that you have mentioned above, but it is not working for me. Can you please help me with this?
I tried this and have KeyCloak as my OAuth provider for both my app and Grafana (same client id) with my grafana.ini ([server], [auth], [security], [auth.generic_oauth] sections). But that doesn't work with an embedded iframe loading Grafana.
@prateeksarda this is just a complete shot in the dark: can you see if the OAuth cookies are set when visiting Grafana? This method seems to rely on cookies, and it's possible that somehow your OAuth provider doesn't set them in a way that sticks around inside iframes?
@laundmo Grafana individually sets the oauth_state cookie and grafana_session cookie, but somehow in an iframe when it loads Grafana it only has the oauth_state cookie but not grafana_session.
This is my nginx config and it successfully authenticates automatically. But the issue here is there is no restriction, meaning anyone with a link to the Grafana endpoint will be authenticated. How is that different from opening up anonymous auth?
@rezab777 you found any solution? I'm trying and stopped at the same point...
@tiagorg-cit To enable HTTP basic auth in NGINX:
Nice @rezab777, is this Grafana/nginx open to the internet with IP restriction, or is this infrastructure private?
Hi All, grafana.ini:
httpd.conf:
I was just wanting to embed a dashboard from Grafana into an iframe, with either an API key or username:password combination being supplied within the URL and... well, after tussling around with it for a while, I ended up here! My Grafana server is publicly accessible, but I do not want random people being able to access the dashboards and I obviously don't want a login screen in the iframe, and yet it looks like Grafana doesn't have support for such a basic feature? One has to tussle around with setting up a reverse proxy with e.g. Nginx and set that up to do authentication? Seriously?
I have the same requirement. I have a web app in which I want to embed some Grafana dashboards, but I only want them to be available for users with certain roles in my app. I don't think an auth-proxy solution will work well in this case, and I don't see any other feasible options available from Grafana to achieve this. Am I missing something?
No, it does not look like you are. So far the only reasonable workaround I've found is to use Nginx with HTTP basic authentication, but that means having to duplicate usernames and passwords in .htpasswd, and that quickly becomes entirely unreasonable if one has a lot of users and/or churn.
@WereCatf, thanks for the response. Yeah, that's exactly what I thought as well, didn't want to go down that route...
My solution at the moment: session hijacking (tested on Chromecast). To do that, I created a read-only user and made a local authentication; after that, I copied the cookie value (grafana_session). I added this config to my nginx server to allow setting a cookie from the URL:
And finally, I open the link with the session cookie, like: For Chromecast, I used this tool: https://demille.github.io/url-cast-receiver/ with the location method.
6 YEARS!
Closing this issue as implemented (release notes). Using JWT authentication made sense as it's already available in Grafana, does not rely on arbitrary header values, is signed and allows to uniquely identify a user based on a dedicated identity provider. The URL embedding option was added as an alternative for scenarios where using a reverse proxy is not a possibility or convenient (although security-wise, it might be the best option). Official docs will follow (awaiting review here) and a sample repository is available here. I'm sure this doesn't implement every use case presented in this thread as we focused on applications embedding Grafana in iframes wanting to pass existing authentication context into Grafana. Feedback on the new feature is welcome (especially on small tweaks and documentation necessary), but if your use case is not covered by the above description, the best way to have it supported is to create a new issue explaining the specific use case and why this approach does not work for it.
Apologies for bringing this up; however, based on my understanding, the support for JWT does not mean that I can use API keys for authentication?
Hey @mateuszdrab, no, at the moment we only support using JWT authentication through the URL. As mentioned here #3752 (comment), we would prefer a new issue describing your use case for using e.g. API keys through the URL :)
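The self-contained token that the earlier comment about encrypting the user id and expiry into the token describes, and that the closing comment resolves with JWT, as an added example: a minimal HS256 JWT minted for a user with an `exp` claim, verified by checking the structure, pinning the algorithm, comparing the HMAC in constant time and enforcing expiry, then pulled out of an embed URL. This is illustrative code written for this thread, not Grafana's JWT implementation; the `auth_token` query parameter name, the `Claims` fields, the `Mint`/`Verify`/`UserFromEmbedURL` function names and the demo key and URL are assumptions constructed for the example, and the key is shown inline only so the block runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the payload carried inside the token: who, and until when.
// (Constructed for this example; real deployments carry more claims.)
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

var ErrBadToken = errors.New("token rejected")

// sign computes base64url(HMAC-SHA256(key, signingInput)).
func sign(key []byte, signingInput string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return enc.EncodeToString(m.Sum(nil))
}

// Mint builds a compact HS256 JWT: header.payload.signature, all base64url.
// Nothing is stored server-side; the signature is what makes the claims trustworthy.
func Mint(key []byte, userID string, expires time.Time) (string, error) {
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(Claims{Sub: userID, Exp: expires.Unix()})
	if err != nil {
		return "", err
	}
	input := header + "." + enc.EncodeToString(body)
	return input + "." + sign(key, input), nil
}

// Verify rejects anything that is not a three-part token whose header pins
// HS256, whose HMAC matches under our key, and whose exp is in the future.
// The algorithm is pinned rather than read from the header so a token
// claiming a different alg cannot change how it is checked.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrBadToken
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrBadToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, ErrBadToken
	}
	want := sign(key, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(want), []byte(parts[2])) { // constant-time compare
		return Claims{}, ErrBadToken
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrBadToken
	}
	var c Claims
	if json.Unmarshal(body, &c) != nil || c.Sub == "" {
		return Claims{}, ErrBadToken
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, ErrBadToken
	}
	return c, nil
}

// UserFromEmbedURL takes the token from the iframe URL's auth_token query
// parameter (parameter name assumed for this example) and returns the user it names.
func UserFromEmbedURL(key []byte, rawURL string, now time.Time) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	tok := u.Query().Get("auth_token")
	if tok == "" {
		return "", ErrBadToken
	}
	c, err := Verify(key, tok, now)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

func main() {
	key := []byte("constructed-demo-secret-do-not-reuse")
	tok, _ := Mint(key, "embedded-viewer", time.Now().Add(10*time.Minute))
	uid, err := UserFromEmbedURL(key, "https://grafana.example.invalid/d/abc?kiosk&auth_token="+tok, time.Now())
	fmt.Println(uid, err) // embedded-viewer <nil>
}
```

The trade-off the thread's earlier comment names is visible here: no token table and no sweep job, but every token is a few hundred bytes long and stays valid until `exp` regardless of anything that happens server-side, so short lifetimes do the work that revocation does in the stored-token design.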
It would be nice to have an automatic login passing a user token through the URL; this could be a partial solution to embed iframes on sites.