GitHub OAuth2 Authentication

To enable the GitHub OAuth2 you must register your application with GitHub. GitHub will generate a client ID and secret key for you to use.

Configure GitHub OAuth application

You need to create a GitHub OAuth application (you will find this under the GitHub settings page). When you create the application you will need to specify a callback URL. Specify this as callback:

  1. http://<my_grafana_server_name_or_ip>:<grafana_server_port>/grafana/login/github

This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the suffix path of /login/github. When the GitHub OAuth application is created you will get a Client ID and a Client Secret. Specify these in the Grafana configuration file. For example:

Enable GitHub in Grafana

  1. [auth.github]
  2. enabled = true
  3. allow_sign_up = true
  4. client_id = YOUR_GITHUB_APP_CLIENT_ID
  5. client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
  6. scopes = user:email,read:org
  7. auth_url = https://github.com/login/oauth/authorize
  8. token_url = https://github.com/login/oauth/access_token
  9. api_url = https://api.github.com/user
  10. team_ids =
  11. allowed_organizations =

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

Restart the Grafana back-end. You should now see a GitHub login button on the login page. You can now login or sign up with your GitHub accounts.

You may allow users to sign-up via GitHub authentication by setting the allow_sign_up option to true. When this option is set to true, any user successfully authenticating via GitHub authentication will be automatically signed up.

team_ids

Require an active team membership for at least one of the given teams on GitHub. If the authenticated user isn’t a member of at least one of the teams they will not be able to register or authenticate with your Grafana instance. For example:

  1. [auth.github]
  2. enabled = true
  3. client_id = YOUR_GITHUB_APP_CLIENT_ID
  4. client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
  5. scopes = user:email,read:org
  6. team_ids = 150,300
  7. auth_url = https://github.com/login/oauth/authorize
  8. token_url = https://github.com/login/oauth/access_token
  9. api_url = https://api.github.com/user
  10. allow_sign_up = true

allowed_organizations

Require an active organization membership for at least one of the given organizations on GitHub. If the authenticated user isn’t a member of at least one of the organizations they will not be able to register or authenticate with your Grafana instance. For example

  1. [auth.github]
  2. enabled = true
  3. client_id = YOUR_GITHUB_APP_CLIENT_ID
  4. client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
  5. scopes = user:email,read:org
  6. auth_url = https://github.com/login/oauth/authorize
  7. token_url = https://github.com/login/oauth/access_token
  8. api_url = https://api.github.com/user
  9. allow_sign_up = true
  10. # space-delimited organization names
  11. allowed_organizations = github google

Team Sync (Enterprise only)

Only available in Grafana Enterprise v6.3+

With Team Sync you can map your GitHub org teams to teams in Grafana so that your users will automatically be added to the correct teams.

Your GitHub teams can be referenced in two ways:

  • https://github.com/orgs/<org>/teams/<slug>
  • @<org>/<slug>

Example: @grafana/developers

Learn more about Team Sync