mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 12:24:03 +00:00
1de9d15690
* rename to overview * wip * wip * wip * wip * wip * wip * examples * ts example * wip with grafana * add grafana tutorial * screenshots and grafana * figure out oauth proxy * authz oauth proxy * move img * merge from master * Apply suggestions from code review Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: mffap <max@mffap.org>
4.4 KiB
| title | description |
|---|---|
| Products | ... |
# Grafana Example

Grafana defines itself as "The open-source platform for monitoring and observability."
The source code is provided in Grafana's GitHub repository.
## Authenticate Grafana with ZITADEL

To authenticate Grafana with ZITADEL you can use Grafana's built-in Generic OAuth plugin.
We do not recommend that you rely on `allowed_domain` as a means of authorizing subjects; use ZITADEL's RBAC assertion instead.
- Create a new project or use an existing one
- Add OpenID Connect / OAuth 2.0 client to the project (See screenshot for settings)
- Add config to your Grafana instance and restart it
- Login to Grafana
```ini
[auth.generic_oauth]
enabled = true
name = ZITADEL
client_id = {ZITADEL_GENERATED_CLIENT_ID}
client_secret = {ZITADEL_GENERATED_CLIENT_SECRET}
scopes = openid profile email
auth_url = https://accounts.zitadel.ch/oauth/v2/authorize
token_url = https://api.zitadel.ch/oauth/v2/token
api_url = https://api.zitadel.ch/oauth/v2/userinfo
allow_sign_up = true
```

Grafana's redirect URI is `https://yourdomain.tld/login/generic_oauth`.
## Authorize Users with Roles in Grafana

A ZITADEL project can pass the user's project roles to Grafana.
- Create Roles (Admin, Editor, Viewer) in ZITADEL's project which contains Grafana
- Enable "Assert Roles on Authentication" so that the roles are asserted to the userinfo endpoint
- (Optional) Enable "Check roles on Authentication"; this prevents anyone without a role from logging in to Grafana via ZITADEL
- Append the config below to your Grafana instance and reload
- Authorize the necessary users
```ini
[auth.generic_oauth]
...
role_attribute_path = keys("urn:zitadel:iam:org:project:roles") | contains(@, 'Admin') && 'Admin' || contains(@, 'Editor') && 'Editor' || 'Viewer'
...
```

Grafana cannot directly use ZITADEL's delegation feature, but normal RBAC works fine. Additional information can be found in the Grafana generic OAuth 2.0 documentation.
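The `role_attribute_path` above is a JMESPath expression evaluated by Grafana over the userinfo response: `keys()` pulls the role names out of ZITADEL's roles claim (a map from role name to the organizations that granted it), and the `&&`/`||` chain picks Admin before Editor and falls back to Viewer for everyone else. The helper below is an added example, not code from the ZITADEL or Grafana projects; it mirrors that mapping in plain Python over a constructed userinfo document so you can see the fallback, including why a subject with no project role still lands in Grafana as Viewer unless "Check roles on Authentication" is enabled. The userinfo sample and the treatment of a missing claim as "no roles" are assumptions of this example.

```python
import json

ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"

# Precedence encoded by the page's role_attribute_path: Admin beats Editor,
# and anything else (including no role at all) falls back to Viewer.
ROLE_PRECEDENCE = ("Admin", "Editor")
DEFAULT_ROLE = "Viewer"

# Constructed userinfo response, shaped like ZITADEL's asserted roles claim
# ({role_name: {org_id: org_domain}}); ids and domain are made up.
SAMPLE_USERINFO = json.loads("""
{
  "sub": "123456789012345678",
  "email": "alice@example.com",
  "urn:zitadel:iam:org:project:roles": {
    "Editor": {"987654321098765432": "example.zitadel.ch"}
  }
}
""")


def zitadel_roles(userinfo: dict) -> set:
    """Return the role names granted to the subject (the keys() step).

    A missing or malformed claim is treated as 'no roles' here; this is an
    assumption of the example, not documented Grafana behaviour.
    """
    claim = userinfo.get(ROLES_CLAIM)
    if not isinstance(claim, dict):
        return set()
    return set(claim.keys())


def grafana_role(userinfo: dict) -> str:
    """Mirror the JMESPath chain: first matching role in precedence order, else Viewer."""
    names = zitadel_roles(userinfo)
    for role in ROLE_PRECEDENCE:
        if role in names:
            return role
    return DEFAULT_ROLE


def login_allowed(userinfo: dict, check_roles_enabled: bool) -> bool:
    """Whether a subject gets a Grafana session at all.

    With 'Check roles on Authentication' off, a role-less subject is still
    mapped (to Viewer); with it on, ZITADEL rejects the login before Grafana
    ever sees a token.
    """
    if zitadel_roles(userinfo):
        return True
    return not check_roles_enabled
```

Run `grafana_role({"sub": "x"})` to confirm that the bare fallback is Viewer; that is the case "Check roles on Authentication" exists to close.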
# ArgoCD Example
TODO
# Kubernetes Example
TODO