Trying to set up PMM with auth in Okta or Google OAuth2

Setup Helm Chart percona-helm-charts/values.yaml at main · percona/percona-helm-charts · GitHub

I’ve tried different combinations, but this is pretty much it. One way or another I’m making sure the env vars make it to the pod, and I log in as admin and confirm they are recognized on the general settings page.

Google OAuth2
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/

    GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
    GF_AUTH_GENERIC_OAUTH_SCOPES: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
    GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://accounts.google.com/o/oauth2/auth"
    GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://accounts.google.com/o/oauth2/token"
    GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: "pmm.mydomain.com mydomain.com"

    GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "XXXXxxxx.googleusercontent.com"
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: <somebase64>

Authorized redirect URIs

https://pmm.mydomain.com/login/google
https://pmm.mydomain.com/login/generic_oauth

Error I get

Access blocked: This app’s request is invalid

You can’t sign in because this app sent an invalid request. You can try again later, or contact the developer about this issue. Learn more about this error
If you are a developer of this app, see error details.
Error 400: redirect_uri_mismatch

Okta
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/okta/

   GF_AUTH_OKTA_ALLOW_SIGN_UP: "true"
   GF_AUTH_OKTA_API_URL: "https://mydomain.okta.com/oauth2/v1/userinfo"
   GF_AUTH_OKTA_AUTH_URL: "https://mydomain.com/oauth2/v1/authorize"
   GF_AUTH_OKTA_ENABLED: "true"
   GF_AUTH_OKTA_SCOPES: "openid profile email groups"
   GF_AUTH_OKTA_TOKEN_URL: "https://mydomain.com/oauth2/v1/token"
   GF_AUTH_OKTA_CLIENT_ID: "<someid>"
   GF_AUTH_OKTA_CLIENT_SECRET: "<somesecret>"

Authorized redirect URIs
https://pmm.mydomain.com/login/okta

Error I get

400
Bad Request
Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: ...

Identity Provider: Unknown, Error Code: invalid_request

Error: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: ...

I can’t find any PMM-specific documentation on how to get this working. I do see Grafana-specific docs, but since PMM with nginx is a modified version I’m wondering if it is actually possible.

This post can be marked as resolved.
Google SSO ended up working once I changed the Authorized redirect URL to

https://pmm.mydomain.com/graph/login/generic_oauth

And added GF_ROOT

GF_SERVER_ROOT_URL: "https://pmm.mydomain.com/graph"

+1 for the answer above. For anyone coming here looking to enable OAuth on their PMM instances:

  1. First decide what you want to enable at Configure authentication | Grafana documentation. Since PMM uses Grafana, you can use all OAuth providers which Grafana supports.
  2. Configure the respective OAuth provider. First create all the config etc. from your OAuth provider. Then you need to set the created config on the PMM side. You can do this by setting the config as env vars. So the flow is
Create OAuth config -> Add config to PMM (you need to use env vars for this) -> PMM OAuth login

Since PMM doesn’t provide a direct way to add config (at least through the Helm chart), you can use Grafana env vars to do this.

Grafana gives a way to override every single config option through env vars with the format GF_<SectionName>_<KeyName>.

You can find more about this at Configure Grafana | Grafana documentation

NOTE - It is also very important to set the GF_SERVER_ROOT_URL: "https://pmm.mydomain.com/graph" env var, since Grafana runs under a sub-path and not under the root directly.

So your OAuth callback URL should also have the extra /graph path, so finally it will be

https://<pmm_domain>/graph/login/<oauth_specific_slug>

You can find the oauth_specific_slug in the Grafana config for the respective OAuth method at Configure authentication | Grafana documentation.

A few examples -

GitHub OAuth - https://<pmm_domain>/graph/login/github
Google OAuth - https://<pmm_domain>/graph/login/google
GitLab - https://<pmm_domain>/graph/login/gitlab
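
A small consistency check for the setup described in the two answers above (an added example, not code from the thread or from Percona/Grafana): it derives the callback Grafana will send from GF_SERVER_ROOT_URL plus the provider slug and flags the two conditions behind the redirect_uri errors in the first post. It assumes Grafana's callback path is <root_url>/login/<slug> and that Grafana's default root_url is http://localhost:3000/ when the env var is unset.

```python
"""Added example, not from the thread or from Percona/Grafana: check that the OAuth
callback Grafana (inside PMM) will send matches the URI registered at the IdP.
Assumes Grafana builds redirect_uri as <GF_SERVER_ROOT_URL>/login/<slug> and that
its default root_url is http://localhost:3000/ when the env var is unset."""

# Slug per Grafana auth section; the thread's working callback used generic_oauth.
PROVIDER_SLUGS = {"GENERIC_OAUTH": "generic_oauth", "GOOGLE": "google",
                  "OKTA": "okta", "GITHUB": "github", "GITLAB": "gitlab"}
GRAFANA_DEFAULT_ROOT_URL = "http://localhost:3000/"   # assumption, see above


def enabled_providers(env):
    """Slugs of every provider whose GF_AUTH_<SECTION>_ENABLED is "true"."""
    return [slug for section, slug in PROVIDER_SLUGS.items()
            if env.get(f"GF_AUTH_{section}_ENABLED", "").strip().lower() == "true"]


def expected_redirect_uri(env, slug):
    """redirect_uri Grafana sends: root_url without trailing slash + /login/<slug>.
    PMM's nginx serves Grafana under /graph, so root_url must end in /graph or the
    callback lacks the sub-path and the IdP rejects it as a mismatch."""
    root = env.get("GF_SERVER_ROOT_URL", GRAFANA_DEFAULT_ROOT_URL).rstrip("/")
    return f"{root}/login/{slug}"


def audit(env, registered_uris):
    """Return {slug: [issues]} for enabled providers; {} means the setup is consistent.
    root_url_unset: Grafana falls back to localhost:3000, which no public IdP entry matches.
    registered_uri_mismatch: no IdP entry equals the computed callback (Google reports
    this as redirect_uri_mismatch, Okta as invalid_request)."""
    findings = {}
    for slug in enabled_providers(env):
        issues = []
        if "GF_SERVER_ROOT_URL" not in env:
            issues.append("root_url_unset")
        if expected_redirect_uri(env, slug) not in registered_uris:
            issues.append("registered_uri_mismatch")
        if issues:
            findings[slug] = issues
    return findings


if __name__ == "__main__":
    # Constructed from the thread: first attempt without the root URL, then the fix.
    env = {"GF_AUTH_GENERIC_OAUTH_ENABLED": "true"}
    print(audit(env, {"https://pmm.mydomain.com/login/generic_oauth"}))
    env["GF_SERVER_ROOT_URL"] = "https://pmm.mydomain.com/graph"
    print(audit(env, {"https://pmm.mydomain.com/graph/login/generic_oauth"}))  # {}
```

Feed it the same env map you hand to the Helm chart and the redirect URIs you registered at the provider; an empty result means Grafana and the IdP agree on the callback before you hit the login page.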

Hello,
I’m trying to implement Google sign-in but am not able to achieve it; I’m getting error 401. Can you please help out in configuring the setup?