
Grafana Oauth Proxy still displaying native login form


So the issue is that although the user is authenticated as far as Google (as OAuth Provider) and Oauth-Proxy are concerned, this is not reflected in the user experience as far as Grafana (being the upstream application) is concerned.

So both Oauth-Proxy and Google (the Oauth Provider) were configured correctly. Namely:

  1. Oauth-Proxy requires --set-xauthrequest as part of the commandline options.
  2. Google's redirect url to be https://<host>/oauth2/callback. Note this is different than when using Grafana's built in proxy.

Problem is that the authenticated user's details were either not getting back to Grafana or they weren't being acknowledged. There is a great deal of inadequate documentation on this, partly from Grafana, partly from the Ingress Nginx Controller. This had nothing to do with Oauth-proxy as has been speculated.

My solution is as follows:

  grafana.ini:
    auth:
      oauth_auto_login: true
      signout_redirect_url: "https://<host>/oauth2/sign_out"
    auth.proxy:
      enabled: true
      header_name: X-Email
      header_property: email
      auto_sign_up: true
    users:
      allow_sign_up: false
      auto_assign_org: true
      auto_assign_org_role: Viewer

This is not intended to be complete but it covers the main options regarding authentication and user profiles.

Grafana Ingress also requires the following annotations:

  kubernetes.io/ingress.class: "nginx"
  nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
  nginx.ingress.kubernetes.io/configuration-snippet: |
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

There may be a way of specifying the 4 snippet lines with a single annotation, but I was not able to find it.

The above has a number of advantages over Grafana's built in proxy:

  1. It enables multiple applications to be configured with the common Authentication backend. This gives a single source of truth for the secrets.
  2. Bad actors are stopped at the Reverse Proxy, not the application.
  3. This solution works with Prometheus Operator without the need to place secrets within your code, there currently being an issue with the prometheus operator not working correctly with environment variables (set by secrets).
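The trust boundary in this setup is the header named by auth.proxy header_name: Grafana accepts whoever it names, so the ingress must always overwrite it from the auth subrequest rather than let a client-supplied value through. The following added Python model of the snippet's nginx semantics (not code from the post, oauth2-proxy or Grafana) checks exactly that; the client request, the auth subrequest responses and the helper names are constructed for the example.

```python
import re

# Constructed sample: the configuration-snippet from the ingress annotation above.
SNIPPET = """
auth_request_set $user   $upstream_http_x_auth_request_user;
auth_request_set $email  $upstream_http_x_auth_request_email;
proxy_set_header X-User  $user;
proxy_set_header X-Email $email;
"""

SET_RE = re.compile(r"auth_request_set\s+\$(\w+)\s+\$upstream_http_(\w+);")
HDR_RE = re.compile(r"proxy_set_header\s+(\S+)\s+\$(\w+);")


def parse_snippet(snippet):
    """Return ({variable: auth-response header}, {forwarded header: variable})."""
    sets = {m.group(1): m.group(2).replace("_", "-") for m in SET_RE.finditer(snippet)}
    hdrs = {m.group(1): m.group(2) for m in HDR_RE.finditer(snippet)}
    return sets, hdrs


def upstream_headers(client_headers, auth_response_headers, snippet):
    """Model what Grafana receives after nginx applies the snippet.

    Mirrors nginx semantics: proxy_set_header replaces any client-supplied header
    of the same name, and an empty value means the header is not forwarded at all.
    """
    sets, hdrs = parse_snippet(snippet)
    auth = {k.lower(): v for k, v in auth_response_headers.items()}
    variables = {var: auth.get(name.lower(), "") for var, name in sets.items()}
    rewritten = {h.lower() for h in hdrs}
    out = {k: v for k, v in client_headers.items() if k.lower() not in rewritten}
    for header, var in hdrs.items():
        if variables.get(var):
            out[header] = variables[var]
    return out


def trusted_header_is_pinned(snippet, header_name):
    """True when the header Grafana trusts (auth.proxy header_name) is always
    rewritten by the proxy from an auth_request_set variable."""
    sets, hdrs = parse_snippet(snippet)
    var = {h.lower(): v for h, v in hdrs.items()}.get(header_name.lower())
    return var is not None and var in sets
```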