Grafana与使用openid connect和generic oauth的身份提供商集成
Grafana与使用openid connect和generic oauth的身份提供商集成
提问于 2017-12-31 15:18:32
我正在尝试使用通用的oauth将forgerock openAM (身份提供商)与grafana集成起来。我已经在配置中提到了端点和所有内容。
它重定向到openAM服务器并要求提供登录凭据,但在单击allow按钮后,它显示服务器端错误。
下面的grafana.log:
t=2017-12-31T12:26:52+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=192.168.1.153 time_ms=0 size=338 referer=http://grafana.oneeight.com:3000/login
t=2017-12-31T12:27:26+0530 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting user info: {\"error_description\":\"The access token provided is expired, revoked, malformed, or invalid for other reasons.\",\"error\":\"invalid_token\"}"
t=2017-12-31T12:27:26+0530 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=192.168.1.153 time_ms=92 size=1147 referer="http://openam13.oneeight.com:8080/openam/oauth2/authorize?realm=Operators&access_type=online&client_id=operator_id&redirect_uri=http%3A%2F%2Fgrafana.oneeight.com%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=uid+openid+profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"
t=2017-12-31T12:27:26+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/css/fonts.min.css status=404 remote_addr=192.168.1.153 time_ms=1 size=11374 referer="http://grafana.oneeight.com:3000/login/generic_oauth?code=ae93d8c7-3349-4618-88d3-c7f31645e6ff&scope=uid%20openid%20profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"
t=2017-12-31T12:27:26+0530 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/public/build/grafana.dark.min.css status=404 remote_addr=192.168.1.153 time_ms=2 size=11374 referer="http://grafana.oneeight.com:3000/login/generic_oauth?code=ae93d8c7-3349-4618-88d3-c7f31645e6ff&scope=uid%20openid%20profile&state=OpiuNzehHEqm0hq93ogfKoSG1%2FMJXtcrhPgDz22Glc0%3D"有没有人能帮我想出解决方案?
下面是grafana尝试访问用户详细信息时来自OpenAM的一组日志
b8efbd7-768a-4038-af7f-cd2de423d285-12480","2018-01-02T06:09:25.965Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12478","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""444b699c238b89d301""]","192.168.1.77","8080","192.168.1.153","51058",,,,"false","GET","http://openam13.oneeight.com:8080/openam/oauth2/authorize","{""realm"":[""Operators""],""access_type"":[""online""],""client_id"":[""operator_id""],""response_type"":[""code""],""scope"":[""uid%20openid%20profile""],""state"":[""qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""]}","{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8""],""host"":[""openam13.oneeight.com:8080""],""referer"":[""http://openam13.oneeight.com:8080/openam/XUI/""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36""]}","{""JSESSIONID"":""9C5CF9FDE026ECFF31BD51935CC8E45D"",""amlbcookie"":""01"",""i18next"":""en-US""}",,"SUCCESSFUL",,,"10","MILLISECONDS","OAuth","/Operators"
"eb8efbd7-768a-4038-af7f-cd2de423d285-12483","2018-01-02T06:09:32.981Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12481","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""444b699c238b89d301""]","192.168.1.77","8080","192.168.1.153","51058",,,,"false","POST","http://openam13.oneeight.com:8080/openam/oauth2/authorize","{""realm"":[""Operators""],""access_type"":[""online""],""client_id"":[""operator_id""],""response_type"":[""code""],""scope"":[""uid%20openid%20profile""],""state"":[""qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""]}","{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8""],""host"":[""openam13.oneeight.com:8080""],""origin"":[""http://openam13.oneeight.com:8080""],""referer"":[""http://openam13.oneeight.com:8080/openam/oauth2/authorize?realm=Operators&access_type=online&client_id=operator_id&redirect_uri=http%3A%2F%2Fgrafana.oneeight.com%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=uid%20openid%20profile&state=qbHM3cXul897yzIMeK5rQD4TZicEzw5N22F%2FrS3E8ls%3D""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36""]}","{""JSESSIONID"":""9C5CF9FDE026ECFF31BD51935CC8E45D"",""amlbcookie"":""01"",""i18next"":""en""}",,"SUCCESSFUL",,,"34","MILLISECONDS","OAuth","/Operators"
"eb8efbd7-768a-4038-af7f-cd2de423d285-12496","2018-01-02T06:09:33.221Z","AM-ACCESS-OUTCOME","eb8efbd7-768a-4038-af7f-cd2de423d285-12484","id=vipin,ou=user,o=operators,ou=services,dc=oneeight,dc=com","[""d02fa012-ddff-40a1-ba83-3de3de2e18d6"",""69b85d3a-7ee8-4f01-a259-0ae26bfec634""]","192.168.1.77","8080","192.168.1.148","57122",,,,"false","POST","http://openam13.oneeight.com:8080/openam/oauth2/access_token","{""realm"":[""Operators""]}","{""host"":[""openam13.oneeight.com:8080""],""user-agent"":[""Go-http-client/1.1""]}","{}",,"SUCCESSFUL",,"{""scope"":""uid openid profile"",""token_type"":""Bearer""}","216","MILLISECONDS","OAuth","/Operators"回答 1
Stack Overflow用户
回答已采纳
发布于 2018-01-01 02:42:50
该错误的关键部分是Error getting user info: {\"error_description\":\"The access token provided is expired, revoked, malformed, or invalid for other reasons.\",\"error\":\"invalid_token\"}。这表明grafana无法从OpenAM获取用户信息,因为它拒绝令牌。
我建议的第一件事是检查OpenAM日志,看看它是否提供了更多关于拒绝令牌的原因的信息。您可能需要验证的另一件事是您是否在grafana配置中正确设置了作用域,以及您的api_url设置是否正确。
查看文档,似乎配置应该是
scopes = openid email profile
auth_url = https://openam.example.com:8443/openam/oauth2/authorize
token_url = https://openam.example.com:8443/openam/oauth2/access_token
api_url = https://openam.example.com:8443/openam/oauth2/userinfo其中https://openam.example.com:8443是您的OpenAM服务器的地址。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/48040724
复制相关文章
相似问题
腾讯云开发者
