Introduction

OAuth authentication allows users to log in to Grafana using external identity providers like Google, GitHub, Azure AD, or Okta. When OAuth fails, users see errors like "OAuth login failed," "invalid redirect URI," or "token validation error." These errors typically stem from misconfigured redirect URIs, expired client secrets, or claims mapping issues.

Symptoms

  • Users see "OAuth login failed" or "authentication failed" after provider login
  • Error: "redirect_uri_mismatch" when redirecting back to Grafana
  • Error: "invalid_client" or "unauthorized_client"
  • Users authenticate with the provider but are not logged into Grafana
  • Error: "state parameter mismatch" or "CSRF detected"
  • Login works for some users but fails for others (email/claims issues)

Common Causes

  • Redirect URI does not match what is registered with the OAuth provider
  • Client ID or client secret is incorrect or has expired
  • OAuth provider endpoints changed or are unreachable
  • Required scopes are not configured in the provider
  • Email domain restrictions reject valid users
  • User claims mapping does not extract required attributes

Step-by-Step Fix

Verify Redirect URI Configuration

  1. 1.The redirect URI must exactly match what is registered with your OAuth provider. Find the correct format:
  2. 2.`
  3. 3.https://your-grafana-domain.com/login/generic_oauth
  4. 4.https://your-grafana-domain.com/login/google
  5. 5.https://your-grafana-domain.com/login/github
  6. 6.https://your-grafana-domain.com/login/azuread
  7. 7.`
  8. 8.Check Grafana's configured root URL:
  9. 9.```ini
  10. 10.# In grafana.ini
  11. 11.[server]
  12. 12.root_url = https://grafana.example.com/
  13. 13.protocol = https
  14. 14.domain = grafana.example.com
  15. 15.`
  16. 16.Verify the redirect URI is registered correctly in your OAuth provider:

For Google Cloud Console: - Navigate to APIs & Services > Credentials - Add authorized redirect URI: https://grafana.example.com/login/google

For GitHub OAuth Apps: - Settings > Developer settings > OAuth Apps - Authorization callback URL: https://grafana.example.com/login/github

For Azure AD: - Azure Portal > App registrations > Authentication - Add redirect URI: https://grafana.example.com/login/azuread

Fix Client Credentials

  1. 1.Verify client ID and secret are correct:
  2. 2.```ini
  3. 3.# For generic OAuth (example)
  4. 4.[auth.generic_oauth]
  5. 5.enabled = true
  6. 6.client_id = your-client-id
  7. 7.client_secret = your-client-secret
  8. 8.`
  9. 9.Test the client credentials against the provider's token endpoint:
  10. 10.```bash
  11. 11.curl -X POST https://oauth-provider.com/oauth/token \
  12. 12.-d "grant_type=client_credentials" \
  13. 13.-d "client_id=your-client-id" \
  14. 14.-d "client_secret=your-client-secret"
  15. 15.`
  16. 16.If the secret was rotated, update Grafana configuration:
  17. 17.```ini
  18. 18.[auth.generic_oauth]
  19. 19.client_secret = new-client-secret
  20. 20.`

Fix Provider Endpoint Configuration

  1. 1.Verify OAuth endpoints are reachable:
  2. 2.```bash
  3. 3.curl -v https://oauth-provider.com/.well-known/openid-configuration
  4. 4.`
  5. 5.Configure correct endpoints in grafana.ini:
  6. 6.```ini
  7. 7.[auth.generic_oauth]
  8. 8.enabled = true
  9. 9.auth_url = https://oauth-provider.com/oauth/authorize
  10. 10.token_url = https://oauth-provider.com/oauth/token
  11. 11.api_url = https://oauth-provider.com/api/user
  12. 12.`

Fix Scopes and Claims

  1. 1.Configure required scopes for user information:
  2. 2.```ini
  3. 3.[auth.generic_oauth]
  4. 4.scopes = openid email profile
  5. 5.`
  6. 6.Configure claims mapping for email and name:
  7. 7.```ini
  8. 8.[auth.generic_oauth]
  9. 9.email_attribute_path = email
  10. 10.name_attribute_path = name
  11. 11.login_attribute_path = preferred_username
  12. 12.`
  13. 13.For Azure AD, use the correct configuration:
  14. 14.```ini
  15. 15.[auth.azuread]
  16. 16.enabled = true
  17. 17.client_id = your-client-id
  18. 18.client_secret = your-client-secret
  19. 19.scopes = openid email profile
  20. 20.auth_url = https://login.microsoftonline.com/tenant-id/oauth2/v2.0/authorize
  21. 21.token_url = https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token
  22. 22.`

Fix Email Domain Restrictions

  1. 1.If only some users can log in, check email domain allowlist:
  2. 2.```ini
  3. 3.[auth.generic_oauth]
  4. 4.allowed_domains = example.com company.com
  5. 5.`
  6. 6.Disable domain restrictions temporarily to test:
  7. 7.```ini
  8. 8.[auth.generic_oauth]
  9. 9.# allowed_domains = (commented out or empty)
  10. 10.`

Enable Debug Logging

  1. 1.Enable OAuth debug logging:
  2. 2.```ini
  3. 3.[log]
  4. 4.level = debug

[log.filters] oauth = debug ```

  1. 1.Check logs for detailed OAuth flow errors:
  2. 2.```bash
  3. 3.journalctl -u grafana-server -f | grep -i "oauth|auth"
  4. 4.`

Verification

  1. 1.Test the OAuth flow end-to-end:
  2. 2.- Navigate to Grafana login page
  3. 3.- Click "Sign in with [Provider]"
  4. 4.- Complete authentication at provider
  5. 5.- Verify successful redirect back to Grafana
  6. 6.- Check user is created with correct email and role
  7. 7.Verify user attributes are correctly mapped:
  8. 8.- Check Configuration > Users
  9. 9.- Verify email, name, and organizational role
  10. 10.Monitor logs during authentication to catch any remaining issues.