Trying to setup PMM with auth in Okta or Google OAuth2

Percona Monitoring and Management (PMM)
1

Setup Helm Chart percona-helm-charts/values.yaml at main · percona/percona-helm-charts · GitHub

I’ve tried different combinations but this is it pretty much, somehow or another I’m making sure the env vars make it to the pod and I log as admin and make sure they are recognized from the general setting page

Google Oauth2
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/

    GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
    GF_AUTH_GENERIC_OAUTH_SCOPES: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
    GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://accounts.google.com/o/oauth2/auth"
    GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://accounts.google.com/o/oauth2/token"
    GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: "pmm.mydomain.com mydomain.com"

    GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "XXXXxxxx.googleusercontent.com"
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: <somebase64>

Authorized redirect URIs

https://pmm.mydomain.com/login/google
https://pmm.mydomain.com/login/generic_oauth

Error I get

Access blocked: This app’s request is invalid

You can’t sign in because this app sent an invalid request. You can try again later, or contact the developer about this issue. Learn more about this error
If you are a developer of this app, see error details.
Error 400: redirect_uri_mismatch

Okta
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/okta/

   GF_AUTH_OKTA_ALLOW_SIGN_UP: "true"
   GF_AUTH_OKTA_API_URL: "https://mydomain.okta.com/oauth2/v1/userinfo"
   GF_AUTH_OKTA_AUTH_URL: "https://mydomain.com/oauth2/v1/authorize"
   GF_AUTH_OKTA_ENABLED: "true"
   GF_AUTH_OKTA_SCOPES: "openid profile email groups"
   GF_AUTH_OKTA_TOKEN_URL: "https://mydomain.com/oauth2/v1/token"
   GF_AUTH_OKTA_CLIENT_ID: "<someid>"
   GF_AUTH_OKTA_CLIENT_SECRET: "<somesecret>"

Authorized redirect URIs
https://pmm.mydomain.com/login/okta

Error I get

400
Bad Request
Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: ...

Go to Homepage
Technical details ▾
Identity Provider: Unknown, Error Code: invalid_request

Error: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: ...

I can’t find any documentation PMM specific on how to get get this working, I do see Grafana specific but since PMM with nginx is a modified version I’m wondering if is actually posible

2

This post can be mark as resolved.
Google SSO ended up working once I changed Authorized redirect URL to

https://pmm.mydomain.com/graph/login/generic_oauth

And add GF_ROOT

GF_SERVER_ROOT_URL: "https://pmm.mydomain.com/graph"
2 Likes
3

+1 for the answer above. For anyone coming here looking to enable oauth on their PMM instances.

  1. First decide what you wanna enable at Configure authentication | Grafana documentation. Since PMM uses grafana, you can use all oauth providers which grafana supports.
  2. Configure respective Oauth. First create all the config etc from your ouath provider. Then you need to set the created config on PMM side. You can do this by setting the config as env vars. So flow is
Create oauth config -> Add config to PMM (You need to use env vars for this) -> PMM oauth login

Since PMM doesnt provide direct way to add config (atleast through helm chart), you can use grafana env vars to do this.

Grafana gives a way to override every single config through env vars with format - GF_<SectionName>_<KeyName>

You can find more about this at Configure Grafana | Grafana documentation

NOTE - It is also very important to set the GF_SERVER_ROOT_URL: "https://pmm.mydomain.com/graph" env var since the grafana runs under sub path and not under the root directly.

So even your oauth callback url should have extra /graph uri, so finally it will be

https://<pmm_domain>/graph/login/<oauth_specific_slug>

You can find the oauth_specific_slug in the grafana config for respective oauth method at Configure authentication | Grafana documentation

few examples -

Github Oauth - https://<pmm_domain>/graph/login/github
Google Oauth - https://<pmm_domain>/graph/login/google
Gitlab - https://<pmm_domain>/graph/login/gitlab