keyfil/教程/20250113-Grafana安装及SSO接入指南.md

<!-- Space: qifu -->
<!-- Parent: 后端技术&知识&规范 -->
<!-- Parent: 技术方案 -->
<!-- Parent: 基建 -->
<!-- Parent: 03-接入指南 -->
<!-- Title: 20250113-Grafana安装及SSO接入指南 -->

<!-- Macro: :anchor\((.*)\):
     Template: ac:anchor
     Anchor: ${1} -->
<!-- Macro: \!\[.*\]\((.+)\)\<\!\-\- width=(.*) \-\-\>
     Template: ac:image
     Url: ${1}
     Width: ${2} -->
<!-- Macro: \<\!\-\- :toc: \-\-\>
     Template: ac:toc
     Printable: 'false'
     MinLevel: 2 
     MaxLevel: 4 -->
<!-- Include: 杂项/声明文件.md -->

<!-- :toc: -->

# Grafana安装及SSO接入指南

## OIDC 配置
- 编辑 `defaults.ini`
```toml
#-################################### Generic OAuth #######################             
[auth.generic_oauth]
name = WeWork
icon = signin
enabled = true
allow_sign_up = true
auto_login = false
client_id = grafana
client_secret = P0GxgSpnG4u9jNDPHZur7NWdNNaNjTU0
scopes = openid profile email roles
empty_scopes = false
email_attribute_name = email
email_attribute_path = email
login_attribute_path = username
name_attribute_path = name
role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'edi
role_attribute_strict = false
org_attribute_path =
org_mapping =
groups_attribute_path =
id_token_attribute_name =
team_ids_attribute_path =
auth_url = http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/auth
token_url = http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/token
api_url = http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/userinfo
signout_redirect_url =
teams_url =
allowed_domains =
allowed_groups =
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = false
auth_style =
allow_assign_grafana_admin = false
skip_org_role_sync = false
use_refresh_token = false                    
```
----

## 参考

- [Grafana OIDC](https://grafana.org.cn/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/)