Class GrafanaOidcIntegration

java.lang.Object
com.cloudforge.core.oidc.GrafanaOidcIntegration
All Implemented Interfaces:
OidcIntegration

public class GrafanaOidcIntegration extends Object implements OidcIntegration
OIDC integration for Grafana using generic_oauth provider.

Grafana has excellent built-in OIDC support via the generic_oauth provider. Configuration is done entirely through environment variables.

Supported OIDC Providers:

  • Amazon Cognito
  • IAM Identity Center
  • Any OIDC-compliant provider

Features:

  • Auto-create users on first login
  • Group/role mapping from OIDC claims
  • Admin role assignment via group membership
  • PKCE support
  • Constructor Details

    • GrafanaOidcIntegration

      public GrafanaOidcIntegration()
  • Method Details

    • isSupported

      public boolean isSupported()
      Description copied from interface: OidcIntegration
      Returns whether this application supports OIDC integration.
      Specified by:
      isSupported in interface OidcIntegration
      Returns:
      true if application has OIDC support
    • getIntegrationMethod

      public String getIntegrationMethod()
      Description copied from interface: OidcIntegration
      Returns the OIDC integration method for this application.

      Examples:

      • jenkins: OIDC Plugin
      • gitlab: Built-in OmniAuth
      • grafana: Built-in generic_oauth
      • sonarqube: OIDC Plugin
      Specified by:
      getIntegrationMethod in interface OidcIntegration
      Returns:
      integration method description
    • getEnvironmentVariables

      public Map<String,String> getEnvironmentVariables(OidcConfiguration config)
      Description copied from interface: OidcIntegration
      Returns environment variables needed for OIDC configuration.

      These are passed to the container or EC2 userdata script.

      Example for Grafana:

       GF_AUTH_GENERIC_OAUTH_ENABLED=true
       GF_AUTH_GENERIC_OAUTH_NAME=Cognito
       GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${clientId}
       GF_AUTH_GENERIC_OAUTH_AUTH_URL=${authUrl}
       
      Specified by:
      getEnvironmentVariables in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      Returns:
      map of environment variable name to value
    • getUserDataCommands

      public List<String> getUserDataCommands(OidcConfiguration config, Ec2Context context)
      Description copied from interface: OidcIntegration
      Returns UserData commands for setting up OIDC integration.

      These commands are added to the EC2 userdata script to configure OIDC integration during instance initialization.

      Specified by:
      getUserDataCommands in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      context - EC2 context with stack information
      Returns:
      list of shell commands
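      The two methods above are easiest to understand side by side: one builds the GF_AUTH_GENERIC_OAUTH_* map, the other turns that map into userdata commands. The following is an added illustration written for this page, not code from the cloudforge project. It assumes a stand-in OidcConfig record (the real OidcConfiguration accessors may differ), that the provider exposes group membership in a claim named cognito:groups, and that the EC2 host runs the packaged grafana-server systemd unit, so the variables are delivered as a systemd drop-in rather than a container environment. The GF_AUTH_GENERIC_OAUTH_* names are Grafana's own generic_oauth settings.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for the project's OidcConfiguration; only the accessors
// this example needs are assumed here.
record OidcConfig(String clientId, String clientSecret, String authUrl,
                  String tokenUrl, String userInfoUrl, String adminGroup) {}

public final class GrafanaOidcEnvExample {

    /** Builds the environment map for Grafana's generic_oauth provider. */
    static Map<String, String> environmentVariables(OidcConfig cfg) {
        Map<String, String> env = new LinkedHashMap<>();
        env.put("GF_AUTH_GENERIC_OAUTH_ENABLED", "true");
        env.put("GF_AUTH_GENERIC_OAUTH_NAME", "Cognito");
        env.put("GF_AUTH_GENERIC_OAUTH_CLIENT_ID", cfg.clientId());
        env.put("GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET", cfg.clientSecret());
        env.put("GF_AUTH_GENERIC_OAUTH_SCOPES", "openid profile email");
        env.put("GF_AUTH_GENERIC_OAUTH_AUTH_URL", cfg.authUrl());
        env.put("GF_AUTH_GENERIC_OAUTH_TOKEN_URL", cfg.tokenUrl());
        env.put("GF_AUTH_GENERIC_OAUTH_API_URL", cfg.userInfoUrl());
        // Auto-create users on first login.
        env.put("GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP", "true");
        // PKCE ties the authorization code to the code_verifier Grafana generated.
        env.put("GF_AUTH_GENERIC_OAUTH_USE_PKCE", "true");
        // Role mapping is a JMESPath expression over the claims. Assumed claim name:
        // "cognito:groups" (quoted because of the colon). Members of the admin
        // group become Grafana server admins, everyone else a Viewer.
        env.put("GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH",
            "contains(\"cognito:groups\", '" + cfg.adminGroup()
                + "') && 'GrafanaAdmin' || 'Viewer'");
        // Strict mode rejects a login whose claims produce no valid role instead
        // of silently falling back to the default role.
        env.put("GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT", "true");
        // Without this flag a 'GrafanaAdmin' mapping result is ignored.
        env.put("GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN", "true");
        return env;
    }

    /**
     * Converts the map into userdata shell commands that write a systemd drop-in,
     * so the packaged grafana-server unit sees the variables on restart.
     */
    static List<String> userDataCommands(Map<String, String> env) {
        String dir = "/etc/systemd/system/grafana-server.service.d";
        List<String> cmds = new ArrayList<>();
        cmds.add("install -d -m 0750 " + dir);
        // Quoted heredoc delimiter: the shell expands nothing inside the values.
        StringBuilder sb = new StringBuilder();
        sb.append("cat > ").append(dir).append("/oidc.conf <<'EOF'\n[Service]\n");
        for (Map.Entry<String, String> e : env.entrySet()) {
            // systemd Environment= values are double-quoted; escape for that syntax.
            String value = e.getValue().replace("\\", "\\\\").replace("\"", "\\\"");
            sb.append("Environment=\"").append(e.getKey()).append('=')
              .append(value).append("\"\n");
        }
        sb.append("EOF");
        cmds.add(sb.toString());
        // The drop-in holds the client secret: keep it root-readable only.
        cmds.add("chmod 0640 " + dir + "/oidc.conf");
        cmds.add("systemctl daemon-reload");
        cmds.add("systemctl restart grafana-server");
        return cmds;
    }

    public static void main(String[] args) {
        // Constructed sample values; not real endpoints or credentials.
        OidcConfig cfg = new OidcConfig(
            "example-client-id", "example-client-secret",
            "https://idp.example.invalid/oauth2/authorize",
            "https://idp.example.invalid/oauth2/token",
            "https://idp.example.invalid/oauth2/userInfo",
            "grafana-admins");
        Map<String, String> env = environmentVariables(cfg);
        env.forEach((k, v) -> System.out.println(k + "=" + v));
        System.out.println();
        userDataCommands(env).forEach(System.out::println);
    }
}
```

      Note that the same map feeds both paths: for Fargate it is handed to the container definition directly, while the EC2 path has to persist it on disk, which is why the drop-in is written with a quoted heredoc and restrictive permissions rather than exported in the userdata shell session.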
    • getContainerStartupCommand

      public String getContainerStartupCommand()
      Description copied from interface: OidcIntegration
      Returns the application startup command for Fargate containers.

      This command is used to start the application after the OIDC configuration file has been created. Each application has a different startup script.

      Examples:

      • Jenkins: /usr/local/bin/jenkins.sh
      • GitLab: /assets/wrapper
      • Grafana: /run.sh
      • Mattermost: /mattermost/bin/mattermost (distroless - Go binary)
      Specified by:
      getContainerStartupCommand in interface OidcIntegration
      Returns:
      startup command path
    • supportsCognito

      public boolean supportsCognito()
      Description copied from interface: OidcIntegration
      Returns whether this application supports Cognito as an identity provider.

      Cognito provides:

      • User pool with email/password authentication
      • MFA support (TOTP, SMS)
      • OAuth 2.0 / OIDC endpoints
      • Hosted UI for login
      Specified by:
      supportsCognito in interface OidcIntegration
      Returns:
      true if Cognito OIDC is supported (default: true)
    • supportsIdentityCenterSaml

      public boolean supportsIdentityCenterSaml()
      Description copied from interface: OidcIntegration
      Returns whether this application supports IAM Identity Center SAML.

      IAM Identity Center (formerly AWS SSO) provides:

      • SAML 2.0 authentication
      • Enterprise directory integration
      • Group-based access control
      • Centralized user management

      Applications that use SAML (Mattermost, Metabase) support this. Applications that only use OIDC may not.

      Specified by:
      supportsIdentityCenterSaml in interface OidcIntegration
      Returns:
      true if IAM Identity Center SAML is supported (default: false)
    • getAuthenticationType

      public String getAuthenticationType()
      Description copied from interface: OidcIntegration
      Returns the authentication type this integration uses.
      Specified by:
      getAuthenticationType in interface OidcIntegration
      Returns:
      "OIDC" or "SAML"
    • getPostDeploymentInstructions

      public String getPostDeploymentInstructions()
      Description copied from interface: OidcIntegration
      Returns post-deployment instructions for completing OIDC setup.

      Some applications require manual steps after deployment (e.g., installing plugins).

      Specified by:
      getPostDeploymentInstructions in interface OidcIntegration
      Returns:
      human-readable instructions (optional)