User Authentication Overview

    Here is a table showing all supported authentication providers and the features available for them. Team sync and are only available in Grafana Enterprise.

    Grafana of course has a built in user authentication system with password authentication enabled by default. You can disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth provider (listed above). There are also options for allowing self sign up.

    Grafana are using short-lived tokens as a mechanism for verifying authenticated users. These short-lived tokens are rotated each for an active authenticated user.

    An active authenticated user that gets it token rotated will extend the login_maximum_inactive_lifetime_duration time from “now” that Grafana will remember the user. This means that a user can close its browser and come back before now + login_maximum_inactive_lifetime_duration and still being authenticated. This is true as long as the time since user login is less than login_maximum_lifetime_duration.

    Remote logout

    Settings

    Example:

    Anonymous authentication

    You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.

    Example:

    1. [auth.anonymous]
    2. enabled = true
    4. # Organization name that should be used for unauthenticated users
    6. # Role for unauthenticated users, other valid values are `Editor` and `Admin`
    7. org_role = Viewer

    If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.

    Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP authentication integration.

    Disable login form

    You can hide the Grafana login form using the below configuration settings.

    2. disable_login_form = true

    Set to true to attempt login with OAuth automatically, skipping the login screen. This setting is ignored if multiple OAuth providers are configured. Defaults to false.

    Avoid automatic OAuth login

    To sign in with a username and password and avoid automatic OAuth login, add the disableAutoLogin parameter to your login URL. For example: grafana.example.com/login?disableAutoLogin or grafana.example.com/login?disableAutoLogin=true

    Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy or JWT authentication.

    2. disable_signout_menu = true

    URL redirect after signing out

    URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from OAuth provider.