Azure/azure-managed-grafana

Managed grafana behind application gateway doesn't work due to bad oauth redirect

JoostLambregts opened this issue · 5 comments

We have Azure Managed Grafana with public access disabled. Our user access Grafana through Azure Application Gateway. However, Grafana redirects the users to an oauth2 endpoint, and after login the user is redirected not to the application gateway, but directly to Grafana. Since Grafana is not public, this fails.

To be a bit more precise and technical:

Azure Application Gateway sets the x-forwarded-host request header. This header should be taken into consideration when building the oauth2 redirect. the redirect should look something like this: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=[some-client-id]&redirect_uri=https%3a%2f%2fsso.weu.grafana.azure.com%2flogin%2fazuread&state=[my-custom-grafana-domain.com]&[some-more-stuff]

Hi @JoostLambregts , unfortunately this is what we call the "custom domain name" scenario where you want to use a different DNS name to access Grafana. This is currently not a supported scenario. Even without the redirection problem, the certificate used for TLS on the server side will also not match the custom domain.

That is unfortunate. Thank you for the response.

edit:
@brahmnes after thinking about it some more, I realised the certificate problem doesn't apply in our case. We are using application gateway as a reverse proxy, The user is communicating with Application Gateway on our custom domain, with our own certificate. Application Gateway is communicating with Grafana on its original domain name, so Grafana can just keep using its original certificate. This means that to support this pattern, you only need to worry about redirects, not certificates.

If you were to support this pattern, this would offer a viable alternative for others looking to run Managed Grafana under a custom domain, using only Azure native components. I am not the only one who would like to have this feature (see https://learn.microsoft.com/en-us/answers/questions/1101743/custom-domain-for-azure-managed-grafana-instance) and the change should be relatively small since this configuration option is already available in Grafana (see https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#root_url)

That's probably true. Supporting custom domain name is not a small feature, we can take it into consideration.

I've run into this issue as well trying to secure public access to the Azure managed instance of Grafana. @brahmnes is there currently any way to implement network access control to the public endpoint? The problem is the private endpoint isn't routable outside of Azure. I don't want full private access, but want to limit the public access to just our VPN network.

Hi @garretwyman , unfortunately I cannot think of a good solution. From a theoretical stand point, you can probably setup something where you put Grafana in private access mode, then you have a VNET that has a private endpoint to it. From that VNET, you setup the appropriate access control, or use Azure VPN Gateway if you want to access from outside of Azure. Having said that, I am not an expert in networking so this is theoretical. You may have to try it yourself.