Trying to set up PMM with auth in Okta or Google OAuth2

Setup: Helm chart (percona-helm-charts/values.yaml at main · percona/percona-helm-charts · GitHub)

I’ve tried different combinations, but this is pretty much it. Somehow or another I’m making sure the env vars make it to the pod, and I log in as admin and make sure they are recognized from the general settings page.

Google OAuth2
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/

    GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
    GF_AUTH_GENERIC_OAUTH_SCOPES: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
    GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://accounts.google.com/o/oauth2/auth"
    GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://accounts.google.com/o/oauth2/token"
    GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: "pmm.mydomain.com mydomain.com"

    GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "XXXXxxxx.googleusercontent.com"
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: <somebase64>

Authorized redirect URIs

https://pmm.mydomain.com/login/google
https://pmm.mydomain.com/login/generic_oauth

Error I get

Access blocked: This app’s request is invalid

You can’t sign in because this app sent an invalid request. You can try again later, or contact the developer about this issue. Learn more about this error
If you are a developer of this app, see error details.
Error 400: redirect_uri_mismatch

Okta
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/okta/

    GF_AUTH_OKTA_ALLOW_SIGN_UP: "true"
    GF_AUTH_OKTA_API_URL: "https://mydomain.okta.com/oauth2/v1/userinfo"
    GF_AUTH_OKTA_AUTH_URL: "https://mydomain.com/oauth2/v1/authorize"
    GF_AUTH_OKTA_ENABLED: "true"
    GF_AUTH_OKTA_SCOPES: "openid profile email groups"
    GF_AUTH_OKTA_TOKEN_URL: "https://mydomain.com/oauth2/v1/token"
    GF_AUTH_OKTA_CLIENT_ID: "<someid>"
    GF_AUTH_OKTA_CLIENT_SECRET: "<somesecret>"

Authorized redirect URIs
https://pmm.mydomain.com/login/okta

Error I get

400
Bad Request
Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: ...

Go to Homepage
Technical details ▾
Identity Provider: Unknown, Error Code: invalid_request

Error: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: ...

I can’t find any PMM-specific documentation on how to get this working. I do see Grafana-specific docs, but since PMM with nginx is a modified version I’m wondering if it is actually possible.

This post can be marked as resolved.
Google SSO ended up working once I changed Authorized redirect URL to

https://pmm.mydomain.com/graph/login/generic_oauth

And added GF_ROOT:

GF_SERVER_ROOT_URL: "https://pmm.mydomain.com/graph"
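Both the Google and the Okta failures above are the same class of problem: the callback URL Grafana sends does not exactly equal any redirect URI registered at the identity provider, and OAuth 2.0 redirect matching is an exact string comparison. Grafana derives that callback from its server root URL plus `login/<provider>` (the pattern the linked Grafana docs show), so a PMM install served under `/graph` needs both `GF_SERVER_ROOT_URL` and the registered URI to carry that sub-path. The following preflight check is an added example, not code from the original thread or from Percona or Grafana; it assumes the default root URL placeholder `http://localhost:3000/` when `GF_SERVER_ROOT_URL` is unset, and the environment dicts and registered URI lists are constructed to mirror the values in the posts above (`pmm.mydomain.com` is the placeholder host from the thread).

```python
"""Preflight check: will the IdP accept the OAuth callback Grafana is going to send?

Added example for the thread above; not part of PMM or Grafana. It mimics how
Grafana composes its callback (root URL + "login/<provider>") and applies the
exact-match rule the IdP enforces, so the redirect_uri_mismatch / invalid_request
errors can be caught before deploying.
"""
from urllib.parse import urlsplit

# Env flag that enables each Grafana OAuth provider and the callback path suffix it uses.
PROVIDER_ENV = {
    "generic_oauth": "GF_AUTH_GENERIC_OAUTH_ENABLED",
    "okta": "GF_AUTH_OKTA_ENABLED",
    "google": "GF_AUTH_GOOGLE_ENABLED",
}

# Assumption: Grafana's default root URL resolves to this when GF_SERVER_ROOT_URL is unset.
DEFAULT_ROOT_URL = "http://localhost:3000/"


def grafana_redirect_uris(env: dict) -> dict:
    """Return {provider: callback_uri} for every provider enabled in the env dict."""
    root = env.get("GF_SERVER_ROOT_URL", DEFAULT_ROOT_URL).rstrip("/") + "/"
    return {
        provider: f"{root}login/{provider}"
        for provider, flag in PROVIDER_ENV.items()
        if env.get(flag, "").lower() == "true"
    }


def check_registration(redirect_uri: str, registered: list) -> list:
    """Return findings (empty list == the IdP will accept this callback).

    OAuth 2.0 requires an exact match, so near-misses (same host, different path;
    same path, different host) are reported with a hint about the likely cause.
    """
    findings = []
    want = urlsplit(redirect_uri)
    if want.scheme != "https":
        findings.append(f"callback is not https: {redirect_uri}")
    if redirect_uri in registered:
        return findings
    findings.append(f"not registered at the IdP: {redirect_uri}")
    for cand in registered:
        have = urlsplit(cand)
        if have.netloc == want.netloc and have.path != want.path:
            findings.append(
                f"{cand}: path differs from {want.path} "
                "(missing or extra sub-path such as /graph)"
            )
        elif have.path == want.path and have.netloc != want.netloc:
            findings.append(
                f"{cand}: host differs from {want.netloc} "
                "(GF_SERVER_ROOT_URL points elsewhere)"
            )
    return findings


# Constructed inputs modelled on the thread: the failing attempt and the working one.
ENV_BROKEN = {"GF_AUTH_GENERIC_OAUTH_ENABLED": "true"}  # no GF_SERVER_ROOT_URL
REGISTERED_BROKEN = ["https://pmm.mydomain.com/login/generic_oauth"]

ENV_FIXED = {
    "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",
    "GF_SERVER_ROOT_URL": "https://pmm.mydomain.com/graph",
}
REGISTERED_FIXED = ["https://pmm.mydomain.com/graph/login/generic_oauth"]


def run_preflight(env: dict, registered: list) -> dict:
    """Map each enabled provider's callback to its findings."""
    return {uri: check_registration(uri, registered)
            for uri in grafana_redirect_uris(env).values()}


if __name__ == "__main__":
    for label, env, reg in (("broken", ENV_BROKEN, REGISTERED_BROKEN),
                            ("fixed", ENV_FIXED, REGISTERED_FIXED)):
        for uri, findings in run_preflight(env, reg).items():
            print(f"[{label}] {uri}: {'OK' if not findings else ''}")
            for f in findings:
                print(f"    - {f}")
```

Run it as-is to see the failing configuration flagged (wrong scheme and host, because the default root URL is in play) and the fixed one pass; point `ENV_FIXED` and `REGISTERED_FIXED` at your own values to validate a change before redeploying the chart.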