
How do I configure grafana to use Oauth2 when it's behind an Application Load Balancer?


I am trying to configure Google Oauth2 for a grafana instance.

My grafana runs in an Amazon EC2 instance which is behind an ALB. The ALB is using SSL, but not the grafana instance.

I set up Oauth2 on Grafana and I can see the "Login using Google" button. However, when I press it and choose my Google account, I am getting the following error:

Error 400: redirect_uri_mismatch
http://grafana.acme-live.co.uk:3000/login/google

The configuration on the Google side is straightforward, I entered my "authorized javascript origins":

https://grafana.acme-live.co.uk

and the "authorised redirect URL":

https://grafana.acme-live.co.uk:3000/login/google

my grafana.ini file (the settings below live in the [server] and [auth.google] sections):

[server]
protocol = http
http_port = 3000
domain = grafana.acme-live.co.uk
root_url = %(protocol)s://%(domain)s:%(http_port)s/

[auth.google]
enabled = true
client_id = acme.apps.googleusercontent.com
client_secret = acme-ACME
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
allowed_domains = grafana.acme-live.co.uk
allow_sign_up = true

It seems to me that Google OAuth is confused because it's expecting an auth request via SSL but the grafana server sends a request in plain HTTP.

After the AUTH process, Google tries to contact the grafana server back on port 3000, but it's hitting the LB on that port and the LB does not listen on that port:

https://grafana.acme-live.co.uk:3000/login/google?state=XXYCuMtOvhap1B8urTCCOiXXYCurL8LRXL2yIVDcYUE%3D&code=4/0AX4XfWhGzhjj3JygxB2kMzxa8NMtOvhap1B8QrHhMQQx9ev032k5ChwEJINnbaM94ykRCA&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email%20openid&authuser=0&hd=acme.com&prompt=consent

How do I configure grafana to use Oauth2 when it's behind an Application Load Balancer?

Thank you


Solution

  • https://grafana.com/docs/grafana/latest/auth/google/

    You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

    That's your problem. So try (I guess you want to expose it on http://grafana.acme-live.co.uk, not on the port 3000):

    [server]
    root_url = https://grafana.acme-live.co.uk/
    

    "authorised redirect URL" in the Google client config:

    https://grafana.acme-live.co.uk/login/google
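To make the root_url point concrete, here is a small added check (not part of the question or answer, and not Grafana's own code) that reads a [server] section the way Grafana does, expands the %(...)s placeholders, derives the OAuth callback URL, and compares it component by component against the redirect URI registered on the Google side. It assumes Grafana builds the callback as root_url + "login/google" (which is what the quoted docs imply), and the two ini fragments are constructed samples reproducing the "before" and "after" configurations above.

```python
"""
Compare the Google OAuth2 callback URL Grafana derives from [server] root_url
with the redirect URI registered in the Google client configuration.
Added example; the assumption is that Grafana forms the callback as
root_url + "login/google" (root_url must end with a slash).
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: the questioner's original [server] section. root_url is
# assembled from protocol/domain/http_port, so the ALB's HTTPS front door
# (scheme and port) never reaches Google.
BEFORE_INI = """
[server]
protocol = http
http_port = 3000
domain = grafana.acme-live.co.uk
root_url = %(protocol)s://%(domain)s:%(http_port)s/
"""

# Constructed sample: root_url pinned to the public URL the ALB serves.
# Grafana itself still listens on plain HTTP port 3000 behind the ALB.
AFTER_INI = """
[server]
protocol = http
http_port = 3000
domain = grafana.acme-live.co.uk
root_url = https://grafana.acme-live.co.uk/
"""

# Redirect URI registered on the Google side for the corrected setup.
AUTHORIZED_REDIRECT_URI = "https://grafana.acme-live.co.uk/login/google"

DEFAULT_PORTS = {"http": 80, "https": 443}


def grafana_callback_url(ini_text: str, provider: str = "google") -> str:
    """Return the redirect_uri Grafana would send to the OAuth provider."""
    # BasicInterpolation expands %(protocol)s etc. from the same section,
    # which is the behaviour the questioner relied on.
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cfg.read_string(ini_text)
    root_url = cfg["server"]["root_url"]
    if not root_url.endswith("/"):
        root_url += "/"
    return f"{root_url}login/{provider}"


def _parts(url: str):
    """Split a URL into (scheme, host, port, path), filling in default ports."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return u.scheme, u.hostname, port, u.path


def redirect_uri_mismatches(callback: str, authorized: str) -> list:
    """List every component that differs; an empty list means Google will
    accept the callback (exact-match comparison, default ports normalised)."""
    cs, ch, cp, cpath = _parts(callback)
    as_, ah, ap, apath = _parts(authorized)
    diffs = []
    if cs != as_:
        diffs.append(f"scheme {cs!r} != {as_!r}")
    if ch != ah:
        diffs.append(f"host {ch!r} != {ah!r}")
    if cp != ap:
        diffs.append(f"port {cp!r} != {ap!r}")
    if cpath != apath:
        diffs.append(f"path {cpath!r} != {apath!r}")
    return diffs


def check(ini_text: str, authorized: str = AUTHORIZED_REDIRECT_URI):
    """Return (callback_url, mismatches) for a given [server] section."""
    callback = grafana_callback_url(ini_text)
    return callback, redirect_uri_mismatches(callback, authorized)


if __name__ == "__main__":
    for label, ini in (("before", BEFORE_INI), ("after", AFTER_INI)):
        callback, diffs = check(ini)
        status = "OK" if not diffs else "redirect_uri_mismatch: " + "; ".join(diffs)
        print(f"{label}: {callback} -> {status}")
```

The "before" configuration yields http://grafana.acme-live.co.uk:3000/login/google, differing from the registered URI in both scheme and port, which is exactly the redirect_uri_mismatch the questioner saw; the "after" configuration yields the registered URI with no differences. Because the ALB terminates TLS, root_url is the only place Grafana learns its public scheme and port, so this is the setting to pin rather than changing protocol or http_port on the instance.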