Log in as an admin and open the admin interface.
From the menu go to Applications > Applications and use Create With Wizard to set up a new application and provider.
Enter a name and slug. The slug is used in the application's URLs (including the one you will give to Grafana), so change it if you do not want the default showing up there.
Select OAuth2/OIDC for the provider type.
Give the provider a name (or edit the one suggested) and set the authorization flow to the explicit consent flow. Leave the rest as the default.
Then follow the rest of the guide for the Grafana side.
I’m using Docker, so I used all of these environment variables:
environment:
  GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
  GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "
  GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email"
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://authentik.company/application/o/authorize/"
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
  GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
  GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/
If you already have local Grafana users, add the following variable as well:
  GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"
This lets Grafana match an incoming Authentik login to an existing local user by email address, which avoids the error that the user already exists. It is labelled insecure for a reason: the match is made on the email claim alone rather than on the provider's stable user identifier, so while it is enabled any identity that can present a matching email can be linked to that existing Grafana account. Get all existing users to log in once so their accounts are linked. Once that is done, either remove the environment variable or set it to false:
  GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "false"
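Because the insecure email lookup is meant to be temporary, it is easy to forget to turn it off. The script below is an added example (not part of the original post and not Grafana's or Authentik's own code) that lints the `environment:` block of a compose file for the Grafana generic OAuth settings used above: it flags the insecure lookup while it is still enabled, empty client credentials, non-https endpoints and a scope list without `openid`. It parses only the simple `KEY: "value"` mapping form shown in the post, and the host `authentik.company` and the client id and secret in the constructed sample configs are placeholders.

```python
"""Lint a Grafana docker-compose ``environment:`` block for the generic
OAuth settings used to connect Grafana to Authentik.

Added example, not code from the original post. Only the simple
``KEY: "value"`` mapping form is parsed; the sample configs below are
constructed and use placeholder host, client id and client secret.
"""
import re
from typing import Dict, List

# Matches one mapping line such as:   GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
# Quotes around the value are optional; blank lines and comments are skipped.
_LINE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*:\s*"?([^"]*)"?\s*$')

# Settings that must be present and non-empty for the Authentik login to work.
REQUIRED = (
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID",
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET",
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL",
    "GF_AUTH_GENERIC_OAUTH_API_URL",
)
# Endpoints that carry the authorization code, tokens or user claims and so
# must never be plain http.
URL_KEYS = (
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL",
    "GF_AUTH_GENERIC_OAUTH_API_URL",
    "GF_AUTH_SIGNOUT_REDIRECT_URL",
)


def parse_environment(text: str) -> Dict[str, str]:
    """Return the GF_* variables from a compose ``environment:`` mapping."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE.match(line)
        if m and m.group(1).startswith("GF_"):
            env[m.group(1)] = m.group(2).strip()
    return env


def lint_oauth_env(env: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the block is ready to stay in production."""
    findings: List[str] = []
    if env.get("GF_AUTH_GENERIC_OAUTH_ENABLED", "").lower() != "true":
        findings.append("ERROR: GF_AUTH_GENERIC_OAUTH_ENABLED is not true; "
                        "the Authentik login button will not appear")
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"ERROR: {key} is missing or empty")
    for key in URL_KEYS:
        value = env.get(key)
        if value and not value.startswith("https://"):
            findings.append(f"ERROR: {key} must use https, got {value!r}")
    scopes = env.get("GF_AUTH_GENERIC_OAUTH_SCOPES", "").split()
    if "openid" not in scopes:
        findings.append("ERROR: GF_AUTH_GENERIC_OAUTH_SCOPES must include "
                        "'openid' for an OIDC provider")
    # The migration-only switch: matching by email alone lets any identity
    # with a matching email claim be linked to an existing local account.
    if env.get("GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP", "false").lower() == "true":
        findings.append("WARN: GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP is true; "
                        "acceptable only while existing users link their "
                        "accounts, then set it to false")
    return findings


# Constructed sample: the temporary migration configuration (placeholders).
MIGRATION_ENV = """\
environment:
  GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
  GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "placeholder-secret"
  GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email"
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://authentik.company/application/o/authorize/"
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
  GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
  GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"
"""

# Constructed sample: the same block after the migration is finished.
FINAL_ENV = MIGRATION_ENV.replace(
    'GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"',
    'GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "false"',
)


def findings_for(text: str) -> List[str]:
    """Convenience wrapper: parse a compose environment block and lint it."""
    return lint_oauth_env(parse_environment(text))


if __name__ == "__main__":
    for label, text in (("migration", MIGRATION_ENV), ("final", FINAL_ENV)):
        print(f"[{label}]")
        for finding in findings_for(text) or ["OK: no findings"]:
            print("  " + finding)
```

Run it against the real compose file by reading the file into `findings_for`; a non-empty result on the final configuration means something still needs attention before the insecure lookup is forgotten about.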
A new button to sign in with Authentik appears at the bottom of the Grafana login page.
The road to centralised identity management is going well and I’m surprised how many products support the ability to do this.