
Managed grafana behind application gateway doesn't work due to bad oauth redirect #12

Open
JoostLambregts opened this issue Apr 18, 2024 · 5 comments

Comments

@JoostLambregts

JoostLambregts commented Apr 18, 2024

We have Azure Managed Grafana with public access disabled. Our users access Grafana through Azure Application Gateway. However, Grafana redirects the users to an oauth2 endpoint, and after login the user is redirected not to the application gateway, but directly to Grafana. Since Grafana is not public, this fails.

To be a bit more precise and technical:

Azure Application Gateway sets the x-forwarded-host request header. This header should be taken into consideration when building the oauth2 redirect. The redirect should look something like this: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=[some-client-id]&redirect_uri=https%3a%2f%2fsso.weu.grafana.azure.com%2flogin%2fazuread&state=[my-custom-grafana-domain.com]&[some-more-stuff]

@JoostLambregts JoostLambregts changed the title Managed grafana behind application gateway doesn't work due to bad redirect Managed grafana behind application gateway doesn't work due to bad oauth redirect Apr 18, 2024
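The issue asks for x-forwarded-host to be taken into account when building the URL the user is sent back to after login. As an added example (not Managed Grafana's or Grafana's own code), the sketch below shows how a service behind a reverse proxy can do that without opening itself to redirect steering: the forwarded host is honoured only when the request arrives from a trusted proxy address and the host is on an allowlist, otherwise the original base URL is kept. The proxy subnet, the allowlisted domain and the helper names are assumptions.

```python
import ipaddress

# Constructed values for this example (not taken from the issue): the subnet
# the reverse proxy connects from and the custom domain users actually type.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"my-custom-grafana-domain.com"}
# Origin base URL the service would use on its own (hostname quoted in the issue).
ORIGIN_BASE = "https://sso.weu.grafana.azure.com"


def external_base_url(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES,
                      allowed_hosts=ALLOWED_HOSTS, origin_base=ORIGIN_BASE):
    """Return the base URL seen by the user, for building post-login redirects.

    X-Forwarded-Host/Proto are used only when the connecting peer is a trusted
    proxy AND the forwarded host is allowlisted; any other request falls back
    to origin_base, so a client cannot inject its own host into the redirect.
    """
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in net for net in trusted_proxies):
        return origin_base  # header did not come through our proxy: ignore it
    lower = {k.lower(): v for k, v in headers.items()}
    # Proxies may append to an existing value; the first entry is the client-facing host.
    fwd_host = lower.get("x-forwarded-host", "").split(",")[0].strip()
    if not fwd_host:
        return origin_base
    # Strip an optional ":port" for the allowlist check, but keep it in the URL.
    hostname = fwd_host.rsplit(":", 1)[0] if fwd_host.count(":") == 1 else fwd_host
    if hostname.lower() not in allowed_hosts:
        return origin_base  # unknown host: refuse to redirect there
    proto = lower.get("x-forwarded-proto", "https").split(",")[0].strip().lower()
    if proto not in ("http", "https"):
        proto = "https"
    return f"{proto}://{fwd_host}"


def post_login_return_url(headers, peer_ip, path="/login/azuread"):
    """URL to carry through the OAuth flow so the user lands back on the proxy."""
    return external_base_url(headers, peer_ip) + path
```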
@brahmnes

Hi @JoostLambregts , unfortunately this is what we call the "custom domain name" scenario where you want to use a different DNS name to access Grafana. This is currently not a supported scenario. Even without the redirection problem, the certificate used for TLS on the server side will also not match the custom domain.

@JoostLambregts

JoostLambregts commented Apr 19, 2024

That is unfortunate. Thank you for the response.

edit:
@brahmnes after thinking about it some more, I realised the certificate problem doesn't apply in our case. We are using Application Gateway as a reverse proxy. The user is communicating with Application Gateway on our custom domain, with our own certificate. Application Gateway is communicating with Grafana on its original domain name, so Grafana can just keep using its original certificate. This means that to support this pattern, you only need to worry about redirects, not certificates.

If you were to support this pattern, this would offer a viable alternative for others looking to run Managed Grafana under a custom domain, using only Azure native components. I am not the only one who would like to have this feature (see https://learn.microsoft.com/en-us/answers/questions/1101743/custom-domain-for-azure-managed-grafana-instance) and the change should be relatively small since this configuration option is already available in Grafana (see https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#root_url)

@brahmnes

That's probably true. Supporting a custom domain name is not a small feature; we can take it into consideration.

@garretwyman

I've run into this issue as well trying to secure public access to the Azure managed instance of Grafana. @brahmnes is there currently any way to implement network access control to the public endpoint? The problem is the private endpoint isn't routable outside of Azure. I don't want full private access, but want to limit the public access to just our VPN network.

@brahmnes

brahmnes commented Jul 9, 2024

Hi @garretwyman , unfortunately I cannot think of a good solution. From a theoretical standpoint, you can probably set up something where you put Grafana in private access mode, then you have a VNET that has a private endpoint to it. From that VNET, you set up the appropriate access control, or use Azure VPN Gateway if you want to access from outside of Azure. Having said that, I am not an expert in networking, so this is theoretical. You may have to try it yourself.
