zitadel/site/docs/integrate/07-products.en.md
Florian Forster 1de9d15690
docs(intergration): examples (#939)
* rename to overview

* wip

* wip

* wip

* wip

* wip

* wip

* examples

* ts example

* wip with grafana

* add grafana tutorial

* screenshots and grafana

* figure out oauth proxy

* authz oauth proxy

* move img

* merge from master

* Apply suggestions from code review

Co-authored-by: Florian Forster <florian@caos.ch>

Co-authored-by: mffap <max@mffap.org>
2020-11-06 15:15:54 +01:00


---
title: Products
description: ...
---

## Grafana Example

Grafana defines itself as "The open-source platform for monitoring and observability."

The source code is provided in Grafana's GitHub repository.

### Authenticate Grafana with ZITADEL

To authenticate Grafana against ZITADEL you can use Grafana's built-in Generic OAuth plugin.

We do not recommend relying on `allowed_domains` as a means of authorizing subjects, since it only checks the domain part of the asserted e-mail address. Use ZITADEL's RBAC assertion instead (see "Authorize Users with Roles in Grafana" below).

1. Create a new project or use an existing one
2. Add an OpenID Connect / OAuth 2.0 client to the project (see the screenshot for the settings)
3. Add the config below to your Grafana instance and restart it
4. Log in to Grafana

```ini
[auth.generic_oauth]
enabled = true
name = ZITADEL
client_id = {ZITADEL_GENERATED_CLIENT_ID}
client_secret = {ZITADEL_GENERATED_CLIENT_SECRET}
scopes = openid profile email
auth_url = https://accounts.zitadel.ch/oauth/v2/authorize
token_url = https://api.zitadel.ch/oauth/v2/token
api_url = https://api.zitadel.ch/oauth/v2/userinfo
allow_sign_up = true
```

Grafana's redirect URI is `https://yourdomain.tld/login/generic_oauth`; register exactly this URI on the client in ZITADEL.

[Screenshot: Client Settings for Grafana]

### Authorize Users with Roles in Grafana

A ZITADEL project can be configured to pass the user's project roles to Grafana, which then maps them to a Grafana org role.

1. Create the roles (Admin, Editor, Viewer) in the ZITADEL project that contains the Grafana client
2. Enable "Assert Roles on Authentication" so that the roles are included in the userinfo response under the claim `urn:zitadel:iam:org:project:roles`
3. (Optional) Enable "Check roles on Authentication"; this prevents anyone without a role in the project from logging in to Grafana via ZITADEL
4. Append the config below to your Grafana instance and reload it
5. Authorize the necessary users by granting them a role in ZITADEL

```ini
[auth.generic_oauth]
...
role_attribute_path = keys("urn:zitadel:iam:org:project:roles") | contains(@, 'Admin') && 'Admin' || contains(@, 'Editor') && 'Editor' || 'Viewer'
...
```
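The role mapping that the `role_attribute_path` expression performs, reproduced as an added example in plain Python so it can be checked against sample userinfo documents before the configuration is rolled out. This is not code from the original page, from ZITADEL or from Grafana; the userinfo documents, organization IDs and domains below are constructed, and the `require_role` flag is a local modelling of what "Check roles on Authentication" enforces on the ZITADEL side.

```python
"""Replicate Grafana's role_attribute_path decision for the ZITADEL roles claim.

Added example, not ZITADEL's or Grafana's own code. It mirrors the precedence of

  keys("urn:zitadel:iam:org:project:roles") | contains(@, 'Admin') && 'Admin'
      || contains(@, 'Editor') && 'Editor' || 'Viewer'

and makes the no-role edge case explicit.
"""
import json
from typing import Dict, List, Optional

# Claim under which ZITADEL asserts project roles in the userinfo response when
# "Assert Roles on Authentication" is enabled. Its value is an object keyed by
# role name; each role maps organization IDs to organization domains.
ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"

# Precedence encoded by the JMESPath expression: Admin beats Editor, anything
# else falls through to Viewer.
GRAFANA_ROLE_PRECEDENCE = ("Admin", "Editor")
FALLBACK_ROLE = "Viewer"


def zitadel_roles(userinfo: dict) -> List[str]:
    """Role names asserted by ZITADEL, i.e. keys("urn:zitadel:iam:org:project:roles").

    A missing or non-object claim yields an empty list instead of an error.
    """
    roles = userinfo.get(ROLES_CLAIM)
    if not isinstance(roles, dict):
        return []
    return list(roles.keys())


def grafana_role(userinfo: dict, require_role: bool = False) -> Optional[str]:
    """Map ZITADEL roles to a Grafana org role with the expression's precedence.

    require_role=False behaves like the expression itself: a user without any
    ZITADEL role still becomes a Viewer through the trailing '|| 'Viewer''.
    require_role=True returns None for such a user (caller rejects the login),
    which is the effect of enabling "Check roles on Authentication" in ZITADEL.
    """
    roles = zitadel_roles(userinfo)
    if require_role and not roles:
        return None
    for candidate in GRAFANA_ROLE_PRECEDENCE:
        if candidate in roles:
            return candidate
    return FALLBACK_ROLE


# Constructed sample userinfo responses (subjects, org IDs and domains are made up).
SAMPLE_USERINFO: Dict[str, dict] = {
    "editor_and_admin": {
        "sub": "123456789012345678",
        "email": "alice@example.org",
        ROLES_CLAIM: {
            "Admin": {"987654321098765432": "example.zitadel.ch"},
            "Editor": {"987654321098765432": "example.zitadel.ch"},
        },
    },
    "editor_only": {
        "sub": "223456789012345678",
        "email": "bob@example.org",
        ROLES_CLAIM: {"Editor": {"987654321098765432": "example.zitadel.ch"}},
    },
    "unrelated_role": {
        "sub": "323456789012345678",
        "email": "carol@example.org",
        ROLES_CLAIM: {"Billing": {"987654321098765432": "example.zitadel.ch"}},
    },
    "no_roles": {
        "sub": "423456789012345678",
        "email": "dave@example.org",
    },
}


def evaluate_all(require_role: bool = False) -> Dict[str, Optional[str]]:
    """Run the mapping over every sample; useful as a pre-deployment check."""
    return {name: grafana_role(ui, require_role) for name, ui in SAMPLE_USERINFO.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"require_role={mode}:")
        print(json.dumps(evaluate_all(mode), indent=2))
```

Note what the `unrelated_role` and `no_roles` samples show: the expression as written on this page grants Viewer to every authenticated user, whether they hold an unrelated role or none at all. If Viewer access is not meant to be the default for anyone who can log in, enable "Check roles on Authentication" in ZITADEL (step 3) rather than relying on the fallback.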
[Screenshot: Project Settings for Grafana]

[Screenshot: Authorization for Grafana Role in ZITADEL]

[Screenshot: Grafana Login]

[Screenshot: Grafana with Editor Role mapped from ZITADEL]

Grafana cannot directly use ZITADEL's delegation feature, but normal RBAC works fine. Additional information can be found in the Grafana Generic OAuth 2.0 documentation.

## ArgoCD Example

TODO

## Kubernetes Example

TODO