Introduction

Grafana's OAuth SSO integration requires the callback URL (redirect URI) registered with the identity provider (Google, GitHub, Okta, etc.) to exactly match Grafana's configured root_url plus the /login/generic_oauth path. A mismatch causes the identity provider to reject the authorization code exchange, blocking all SSO logins.

Symptoms

  • Users redirected to OAuth provider see redirect_uri_mismatch error
  • Grafana logs show OAuthLogin: failed to get token: 400 Bad Request
  • SSO login flow completes at the provider but fails when redirecting back to Grafana
  • Error message: The redirect URI in the request, https://grafana.example.com/login/generic_oauth, does not match the ones authorized for the OAuth client
  • Local Grafana login still works, confirming the issue is OAuth-specific

Common Causes

  • Grafana root_url changed without updating the OAuth provider's registered redirect URI
  • HTTP vs HTTPS mismatch between Grafana config and provider registration
  • Trailing slash difference: https://grafana.example.com/login/generic_oauth/ vs without trailing slash
  • Multiple Grafana instances (staging, production) sharing the same OAuth client registration
  • Load balancer terminating SSL but Grafana configured with HTTP root_url

Step-by-Step Fix

  1. Check Grafana's configured root URL: Verify what callback URL Grafana is generating.

     ```ini
     # grafana.ini
     [server]
     root_url = https://grafana.example.com/
     ```

  2. Verify the OAuth provider's registered redirect URI: Check the provider configuration.

     ```
     # For Google OAuth:
     # Google Cloud Console > APIs & Services > Credentials > OAuth 2.0 Client IDs
     # Check Authorized redirect URIs

     # For GitHub OAuth:
     # GitHub Settings > Developer settings > OAuth Apps > select app
     # Check Authorization callback URL
     ```

  3. Update the OAuth provider with the correct redirect URI: Ensure exact match.

     ```
     # The callback URL must be exactly:
     # https://grafana.example.com/login/generic_oauth
     # No trailing slash, correct protocol
     ```

  4. Update Grafana OAuth configuration if the root_url changed: Align Grafana config with the provider.

     ```ini
     [auth.generic_oauth]
     enabled = true
     client_id = your-client-id
     client_secret = your-client-secret
     auth_url = https://provider.example.com/oauth/authorize
     token_url = https://provider.example.com/oauth/token
     api_url = https://provider.example.com/oauth/userinfo
     ```

  5. Test the OAuth login flow: Verify the fix works end-to-end.

     ```
     # Open an incognito browser window
     # Navigate to Grafana login page
     # Click "Sign in with OAuth"
     # Verify successful login and redirect to Grafana dashboard
     ```
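
The comparison in steps 1 to 3 can be scripted. The following is an added example, not part of the original article or of Grafana's tooling: it derives the expected callback from root_url using the rule stated above and names the kind of mismatch for each registered URI. The sample grafana.ini and the registered URI list are constructed, and root_url is assumed to be a literal URL with no %(...)s placeholders.

```python
import configparser
from urllib.parse import urlsplit

CALLBACK_PATH = "/login/generic_oauth"  # path stated in the article

SAMPLE_INI = """\
# constructed sample grafana.ini
[server]
root_url = https://grafana.example.com/
"""
SAMPLE_REGISTERED = [  # constructed; copy the real list from the provider console
    "https://grafana.example.com/login/generic_oauth",
    "http://grafana.example.com/login/generic_oauth",
    "https://grafana.example.com/login/generic_oauth/",
    "https://grafana-staging.example.com/login/generic_oauth",
]

def expected_callback(grafana_ini_text: str) -> str:
    """Derive the callback URL from [server] root_url (assumed literal)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(grafana_ini_text)
    # root_url usually ends in "/", so strip it before appending the path
    return cfg.get("server", "root_url").strip().rstrip("/") + CALLBACK_PATH

def diagnose(expected: str, registered: str) -> str:
    """Name the first difference between the expected and a registered URI."""
    if expected == registered:
        return "match"
    e, r = urlsplit(expected), urlsplit(registered)
    if e.scheme != r.scheme:
        return f"scheme mismatch ({r.scheme} registered, {e.scheme} expected)"
    if e.netloc != r.netloc:
        return f"host mismatch ({r.netloc} registered, {e.netloc} expected)"
    if e.path != r.path:
        if e.path.rstrip("/") == r.path.rstrip("/"):
            return "trailing slash mismatch"
        return f"path mismatch ({r.path} registered, {e.path} expected)"
    return "query or fragment mismatch"

def check(grafana_ini_text: str, registered: list) -> dict:
    """Map each registered URI to its verdict against the expected callback."""
    exp = expected_callback(grafana_ini_text)
    return {uri: diagnose(exp, uri) for uri in registered}

if __name__ == "__main__":
    for uri, verdict in check(SAMPLE_INI, SAMPLE_REGISTERED).items():
        print(f"{verdict:<50} {uri}")
```

SSO works only if at least one registered URI reports "match"; the other verdicts correspond to the causes listed under Common Causes.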

Prevention

  • Document the exact OAuth callback URL in the Grafana deployment runbook
  • Include OAuth callback URL verification in the Grafana deployment checklist
  • Use environment-specific OAuth client registrations for staging and production
  • Monitor OAuth login failure rate and alert on redirect_uri_mismatch errors
  • Test OAuth login after any URL, domain, or TLS configuration changes
  • Consider using OIDC discovery URL to auto-configure endpoints and reduce manual configuration