grafana/docs/sources/auth/overview.md

+++
title = "Overview"
description = "Overview for auth"
type = "docs"
[menu.docs]
name = "Overview"
identifier = "overview-auth"
parent = "authentication"
weight = 1
+++

# User Authentication Overview

Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user
permissions and org memberships.

## OAuth Integrations

- [Google OAuth]({{< relref "auth/google.md" >}})
- [GitHub OAuth]({{< relref "auth/github.md" >}})
- [Gitlab OAuth]({{< relref "auth/gitlab.md" >}})
- [Generic OAuth]({{< relref "auth/generic-oauth.md" >}}) (Okta2, BitBucket, Azure, OneLogin, Auth0)

## LDAP integrations

- [LDAP Authentication]({{< relref "auth/ldap.md" >}}) (OpenLDAP, ActiveDirectory, etc)

## Auth proxy

- [Auth Proxy]({{< relref "auth/auth-proxy.md" >}}) If you want to handle authentication outside Grafana using a reverse
    proxy.

## Grafana Auth

Grafana of course has a built in user authentication system with password authentication enabled by default. You can
disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth
provider (listed above). There is also options for allowing self sign up.

### Login and short-lived tokens

> The followung applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.

Grafana are using short-lived tokens as a mechanism for verifying authenticated users.
These short-lived tokens are rotated each `token_rotation_interval_minutes` for an active authenticated user.

An active authenticated user that gets it token rotated will extend the `login_maximum_inactive_lifetime_days` time from "now" that Grafana will remember the user.
This means that a user can close its browser and come back before `now + login_maximum_inactive_lifetime_days` and still being authenticated.
 This is true as long as the time since user login is less than `login_maximum_lifetime_days`.

Example:

```bash
[auth]

# Login cookie name
login_cookie_name = grafana_session

# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days.
login_maximum_inactive_lifetime_days = 7

# The maximum lifetime (days) an autenticated user can be logged in since login time before being required to login. Default is 30 days.
login_maximum_lifetime_days = 30

# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
token_rotation_interval_minutes = 10

# How often should expired auth tokens be deleted from the database. The default is 7 days.
expired_tokens_cleanup_interval_days = 7
```

### Anonymous authentication

You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.

Example:

```bash
[auth.anonymous]
enabled = true

# Organization name that should be used for unauthenticated users
org_name = Main Org.

# Role for unauthenticated users, other valid values are `Editor` and `Admin`
org_role = Viewer
```

If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.

### Basic authentication

Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP
authentication integration.

To disable basic auth:

```bash
[auth.basic]
enabled = false
```

### Disable login form

You can hide the Grafana login form using the below configuration settings.

```bash
[auth]
disable_login_form = true
```

### Automatic OAuth login

Set to true to attempt login with OAuth automatically, skipping the login screen.
This setting is ignored if multiple OAuth providers are configured.
Defaults to `false`.

```bash
[auth]
oauth_auto_login = true
```

### Hide sign-out menu

Set to the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.

```bash
[auth]
disable_signout_menu = true
```

### URL redirect after signing out

URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from oauth provider.

```bash
[auth]
signout_redirect_url =
```
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00			`+++`
			`title = "Overview"`
			`description = "Overview for auth"`
			`type = "docs"`
			`[menu.docs]`
			`name = "Overview"`
			`identifier = "overview-auth"`
			`parent = "authentication"`
			`weight = 1`
			`+++`

docs: updated 2018-09-06 05:11:56 -05:00			`# User Authentication Overview`
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user`
			`permissions and org memberships.`
docs: minor updates, more work to do 2018-08-31 00:15:07 -05:00
docs: Updated auth docs 2018-09-06 06:15:36 -05:00			`## OAuth Integrations`
docs: minor updates, more work to do 2018-08-31 00:15:07 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`- [Google OAuth]({{< relref "auth/google.md" >}})`
			`- [GitHub OAuth]({{< relref "auth/github.md" >}})`
			`- [Gitlab OAuth]({{< relref "auth/gitlab.md" >}})`
docs: minor fixes 2018-09-06 06:21:11 -05:00			`- [Generic OAuth]({{< relref "auth/generic-oauth.md" >}}) (Okta2, BitBucket, Azure, OneLogin, Auth0)`
docs: minor updates, more work to do 2018-08-31 00:15:07 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`## LDAP integrations`
docs: minor updates, more work to do 2018-08-31 00:15:07 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`- [LDAP Authentication]({{< relref "auth/ldap.md" >}}) (OpenLDAP, ActiveDirectory, etc)`
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`## Auth proxy`
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`- [Auth Proxy]({{< relref "auth/auth-proxy.md" >}}) If you want to handle authentication outside Grafana using a reverse`
			`proxy.`
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00
docs: updated 2018-09-06 05:11:56 -05:00			`## Grafana Auth`
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00
Fix misspelled authentication in Auth overview doc 2018-09-20 08:16:43 -05:00			`Grafana of course has a built in user authentication system with password authentication enabled by default. You can`
docs: updated 2018-09-06 05:11:56 -05:00			`disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth`
			`provider (listed above). There is also options for allowing self sign up.`
created a section under administration for authentication, moved ldap guide here, created pages for auth-proxy, oauth, anonymous auth, ldap sync with grafana ee, and overview, moved authentication guides from configuration to, added linksin configuration page to guides 2018-08-13 07:28:41 -05:00
document login, short-lived tokens and secure cookie configurations 2019-02-05 14:10:56 -06:00			`### Login and short-lived tokens`

			`> The followung applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.`

			`Grafana are using short-lived tokens as a mechanism for verifying authenticated users.`
			These short-lived tokens are rotated each `token_rotation_interval_minutes` for an active authenticated user.

			An active authenticated user that gets it token rotated will extend the `login_maximum_inactive_lifetime_days` time from "now" that Grafana will remember the user.
			This means that a user can close its browser and come back before `now + login_maximum_inactive_lifetime_days` and still being authenticated.
			This is true as long as the time since user login is less than `login_maximum_lifetime_days`.

			`Example:`

			```bash
			`[auth]`

			`# Login cookie name`
			`login_cookie_name = grafana_session`

			`# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days.`
			`login_maximum_inactive_lifetime_days = 7`

			`# The maximum lifetime (days) an autenticated user can be logged in since login time before being required to login. Default is 30 days.`
			`login_maximum_lifetime_days = 30`

			`# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.`
			`token_rotation_interval_minutes = 10`

			`# How often should expired auth tokens be deleted from the database. The default is 7 days.`
			`expired_tokens_cleanup_interval_days = 7`
			```

Fix misspelled authentication in Auth overview doc 2018-09-20 08:16:43 -05:00			`### Anonymous authentication`
docs: updated 2018-09-06 05:11:56 -05:00
			`You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.`

			`Example:`

			```bash
			`[auth.anonymous]`
			`enabled = true`

			`# Organization name that should be used for unauthenticated users`
			`org_name = Main Org.`

			# Role for unauthenticated users, other valid values are `Editor` and `Admin`
			`org_role = Viewer`
			```

			`If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.`

			`### Basic authentication`

			`Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP`
docs: fix minor typos 2018-10-06 10:09:41 -05:00			`authentication integration.`
docs: updated 2018-09-06 05:11:56 -05:00
			`To disable basic auth:`

			```bash
			`[auth.basic]`
			`enabled = false`
			```

			`### Disable login form`

			`You can hide the Grafana login form using the below configuration settings.`

			```bash
			`[auth]`
Document oauth_auto_login setting 2018-05-28 09:15:31 -05:00			`disable_login_form = true`
			```

			`### Automatic OAuth login`

docs: signout_redirect_url description in auth overview 2018-11-22 08:59:15 -06:00			`Set to true to attempt login with OAuth automatically, skipping the login screen.`
			`This setting is ignored if multiple OAuth providers are configured.`
Document oauth_auto_login setting 2018-05-28 09:15:31 -05:00			Defaults to `false`.

			```bash
			`[auth]`
			`oauth_auto_login = true`
docs: updated 2018-09-06 05:11:56 -05:00			```

			`### Hide sign-out menu`

			`Set to the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.`

			```bash
			`[auth]`
			`disable_signout_menu = true`
			```
docs: signout_redirect_url description in auth overview 2018-11-22 08:59:15 -06:00
			`### URL redirect after signing out`

			`URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from oauth provider.`

			```bash
			`[auth]`
			`signout_redirect_url =`
			```