[网络协议]grafana接入oauth2

grafana接入oauth2

grafana配置

安装grafana之后，配置文件grafana.ini默认会在/etc/grafana路径下

修改grafana.ini配置

vim grafana.ini 

要修改部分

[server]
# Protocol (http, https, h2, socket)
;protocol = http

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port  to use
;http_port = 3000

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
root_url = http://192.168.146.18:3000 #grafana访问地址 用于授权回调

[auth.generic_oauth]
enabled = true # 默认是false，改为true。打开oauth认证
name = OAuth
allow_sign_up = true
client_id = some_id #自研平台唯一client_id
client_secret = some_secret #自研平台唯一client_secret
scopes = user:email,read:org
auth_url = http://192.168.208.97:8080/login/oauth/authorize #自研平台授权认证接口
token_url = http://192.168.208.97:8080/login/oauth/token #自研平台生成token接口
api_url = http://192.168.208.97:8080/login/oauth/userinfo #自研平台验证token并返回用户信息

接口开发

注意：这些接口都是grafana静默调用

授权认证接口

请求方式：get

请求路径：/login/oauth/authorize

请求参数

接口内部实现client_id验证和用户信息查询验证之后将用户id和参数state用做重定向参数

重定向地址：http://192.168.146.18:3000/login/generic_oauth?state={state}&code=xxx

代码示例

@RestController
@Slf4j
@RequestMapping("/login/oauth")
public class AuthApi {

    @GetMapping("/authorize")
    public void authorize(@RequestParam Map<String, String> params, HttpServletResponse response, HttpServletRequest request) throws IOException {
        for (Map.Entry<String, String> entry : params.entrySet()) {
            System.out.println(entry.getKey() + "-------------" + entry.getValue());
        }

        /* 核心业务逻辑 验证client_id 和用户信息 获取用户id*/
        String userId = "xxx";
        builder.append("state=").append(params.get("state")).append("&code=").append(JWTUtil.createToken(userId, "jwt".getBytes(StandardCharsets.UTF_8)));
        
        String url = "http://192.168.146.18:3000/login/generic_oauth?" + builder.toString();
        System.out.println(url);
        response.sendRedirect(url);
    }
}

生成token接口

请求方式：post

请求路径：/login/oauth/token

请求参数

返回参数

代码示例

 @PostMapping("/token")
    public TokenResponse token(TokenParam tokenParam){
        System.out.println(tokenParam);
		
        /* 核心业务逻辑 生成token */
        String token = xxx;
        TokenResponse response = new TokenResponse();
        response.setAccess_token(xxx);
        response.setToken_type("Bearer");
        response.setExpiry_in("1");
        response.setRefresh_token("123456");

        return response;
    }

验证token接口

请求方式：get

请求路径：/login/oauth/userinfo

请求头信息

请求参数：无

返回参数

代码示例

@GetMapping("/userinfo")
    public User userInfo(HttpServletRequest request){
        System.out.println(2222);

        String authorization = request.getHeader("authorization");
        System.out.println(authorization);

        /* 核心业务逻辑，验证token并设置用户信息*/
        
        User user = new User();
        user.setEmail("liuzhuzheng@talkweb.com.cn");
        user.setName("lzz");

        return user;
    }

测试

访问http://192.168.146.18:3000/login/generic_oauth便可实现用户注册登录grafana

其他代码

TokenParam类

@Data
public class TokenParam {
    private String code;

    private String grant_type;

    private String redirect_uri;
}

TokenResponse类

@Data
public class TokenResponse {
    private String access_token;
    
    private String token_type;
    
    private String expiry_in;
    
    private String refresh_token;
}

User类

@Data
public class User {
    private String id;

    private String email;

    private String name;
}