Grafana使用openid connect和generic oauth与Identity Provider集成

时间:2017-12-31 07:18:32

标签: oauth-2.0 openid grafana openam forgerock

我正在尝试使用泛型oauth将forgerock openAM(身份提供程序)与grafana集成。我已经在配置中提到了端点和所有端点。

它重定向到openAM服务器并要求登录凭据,但在单击允许按钮后,它显示服务器端错误。

下面的grafana.log:

t=2017-12-31T12:26:52+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=192.168.1.153 time_ms=0 size=338 referer=http://grafana.oneeight.com:3000/login
t=2017-12-31T12:27:26+0530 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting user info: {\"error_description\":\"The access token provided is expired, revoked, malformed, or invalid for other reasons.\",\"error\":\"invalid_token\"}"
t=2017-12-31T12:27:26+0530 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=192.168.1.153 time_ms=92 size=1147 referer="http://openam13.oneeight.com:8080/openam/oauth2/authorize?realm=Operators&access_type=online&client_id=operator_id&redirect_uri=http%3A%2F%2Fgrafana.oneeight.com%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=uid+openid+profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"
t=2017-12-31T12:27:26+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/css/fonts.min.css status=404 remote_addr=192.168.1.153 time_ms=1 size=11374 referer="http://grafana.oneeight.com:3000/login/generic_oauth?code=ae93d8c7-3349-4618-88d3-c7f31645e6ff&scope=uid%20openid%20profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"
t=2017-12-31T12:27:26+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/build/grafana.dark.min.css status=404 remote_addr=192.168.1.153 time_ms=2 size=11374 referer="http://grafana.oneeight.com:3000/login/generic_oauth?code=ae93d8c7-3349-4618-88d3-c7f31645e6ff&scope=uid%20openid%20profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"

任何人都可以帮忙找出解决方案吗?

以下是grafana尝试访问用户详细信息时来自OpenAM的日志集

b8efbd7-768a-4038-af7f-cd2de423d285-12480","2018-01-02T06:09:25.965Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12478","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""444b699c238b89d301""]","192.168.1.77","8080","192.168.1.153","51058",,,,"false","GET","http://openam13.oneeight.com:8080/openam/oauth2/authorize","{""realm"":[""Operators""],""access_type"":[""online""],""client_id"":[""operator_id""],""response_type"":[""code""],""scope"":[""uid%20openid%20profile""],""state"":[""qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""]}","{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8""],""host"":[""openam13.oneeight.com:8080""],""referer"":[""http://openam13.oneeight.com:8080/openam/XUI/""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36""]}","{""JSESSIONID"":""9C5CF9FDE026ECFF31BD51935CC8E45D"",""amlbcookie"":""01"",""i18next"":""en-US""}",,"SUCCESSFUL",,,"10","MILLISECONDS","OAuth","/Operators"
"eb8efbd7-768a-4038-af7f-cd2de423d285-12483","2018-01-02T06:09:32.981Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12481","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""444b699c238b89d301""]","192.168.1.77","8080","192.168.1.153","51058",,,,"false","POST","http://openam13.oneeight.com:8080/openam/oauth2/authorize","{""realm"":[""Operators""],""access_type"":[""online""],""client_id"":[""operator_id""],""response_type"":[""code""],""scope"":[""uid%20openid%20profile""],""state"":[""qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""]}","{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8""],""host"":[""openam13.oneeight.com:8080""],""origin"":[""http://openam13.oneeight.com:8080""],""referer"":[""http://openam13.oneeight.com:8080/openam/oauth2/authorize?realm=Operators&access_type=online&client_id=operator_id&redirect_uri=http%3A%2F%2Fgrafana.oneeight.com%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=uid%20openid%20profile&state=qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36""]}","{""JSESSIONID"":""9C5CF9FDE026ECFF31BD51935CC8E45D"",""amlbcookie"":""01"",""i18next"":""en""}",,"SUCCESSFUL",,,"34","MILLISECONDS","OAuth","/Operators"
"eb8efbd7-768a-4038-af7f-cd2de423d285-12496","2018-01-02T06:09:33.221Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12484","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""d02fa012-ddff-40a1-ba83-3de3de2e18d6"",""69b85d3a-7ee8-4f01-a259-0ae26bfec634""]","192.168.1.77","8080","192.168.1.148","57122",,,,"false","POST","http://openam13.oneeight.com:8080/openam/oauth2/access_token","{""realm"":[""Operators""]}","{""host"":[""openam13.oneeight.com:8080""],""user-agent"":[""Go-http-client/1.1""]}","{}",,"SUCCESSFUL",,"{""scope"":""uid openid profile"",""token_type"":""Bearer""}","216","MILLISECONDS","OAuth","/Operators"

1 个答案:

答案 0 :(得分:0)

该错误的关键部分是Error getting user info: {\"error_description\":\"The access token provided is expired, revoked, malformed, or invalid for other reasons.\",\"error\":\"invalid_token\"}。这表明grafana无法从OpenAM获取用户信息,因为它拒绝令牌。

我建议的第一件事就是检查OpenAM日志,看看它是否为您提供了有关拒绝令牌的原因的更多信息。您可能需要验证的另一件事是您在grafana配置中正确设置了范围,并且您的api_url设置是正确的。

查看文档,似乎配置应该是

scopes = openid email profile
auth_url = https://openam.example.com:8443/openam/oauth2/authorize
token_url = https://openam.example.com:8443/openam/oauth2/access_token
api_url = https://openam.example.com:8443/openam/oauth2/userinfo

其中https://openam.example.com:8443是您的OpenAM服务器的地址。