goauthentik · dewi-tik · Jun 18, 2026 · Jun 16, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -5,12 +5,14 @@ support_level: authentik
 ---
 
 import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## What is Grafana?
 
-> Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources, Grafana Enterprise version with additional capabilities is also available. It is expandable through a plug-in system.
+> Grafana is an open source observability platform for visualizing, monitoring, and alerting on data from many different sources.
 >
-> -- https://en.wikipedia.org/wiki/Grafana
+> -- https://grafana.com/
 
 ## Preparation
 
@@ -32,19 +34,17 @@ To support the integration of Grafana with authentik, you need to create an appl
 ### Create an application and provider in authentik
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`.
-    - Set the Logout URI to `https://grafana.company/logout`.
-    - Set the Logout Method to `Front-channel`.
-    - Select any available signing key.
-    - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the display and access to applications on a user's **Application Dashboard** page.
-
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because it will be required later.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Note the **Client ID** and **Client Secret** values because they will be required later.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`.
+        - Set the **Logout URI** to `https://grafana.company/logout`.
+        - Set the **Logout Method** to `Front-channel`.
+        - Select any available **Signing Key**.
+        - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: Application Entitlements`.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
 
 ### Create application entitlements for Grafana roles
@@ -60,71 +60,8 @@ Use [application entitlements](/docs/add-secure-apps/applications/manage_apps/#a
 For this integration, the entitlement names should exactly match the values referenced in Grafana's `role_attribute_path`. This keeps Grafana-specific authorization scoped to the Grafana application instead of relying on global authentik group names.
 :::
 
-<details>
-<summary>Configure with Terraform</summary>
-
-```hcl
-data "authentik_flow" "default-provider-authorization-implicit-consent" {
-  slug = "default-provider-authorization-implicit-consent"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-email" {
-  name = "authentik default OAuth Mapping: OpenID 'email'"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-profile" {
-  name = "authentik default OAuth Mapping: OpenID 'profile'"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-openid" {
-  name = "authentik default OAuth Mapping: OpenID 'openid'"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-entitlements" {
-  name = "authentik default OAuth Mapping: OpenID 'entitlements'"
-}
-
-resource "authentik_provider_oauth2" "grafana" {
-  name          = "Grafana"
-  #  Required. You can use the output of:
-  #     $ openssl rand -hex 16
-  client_id     = "my_client_id"
-
-  # Optional: will be generated if not provided
-  # client_secret = "my_client_secret"
-
-  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
-
-  allowed_redirect_uris = [
-    {
-      matching_mode = "strict",
-      url           = "https://grafana.company/login/generic_oauth",
-    }
-  ]
-
-  property_mappings = [
-    data.authentik_property_mapping_provider_scope.scope-email.id,
-    data.authentik_property_mapping_provider_scope.scope-profile.id,
-    data.authentik_property_mapping_provider_scope.scope-openid.id,
-    data.authentik_property_mapping_provider_scope.scope-entitlements.id,
-  ]
-}
-
-resource "authentik_application" "grafana" {
-  name              = "Grafana"
-  slug              = "grafana"
-  protocol_provider = authentik_provider_oauth2.grafana.id
-}
-
-```
-
-</details>
-
 ## Grafana configuration
 
-import TabItem from "@theme/TabItem";
-import Tabs from "@theme/Tabs";
-
 <Tabs
   defaultValue="docker"
   values={[
@@ -174,7 +111,7 @@ auth_url = https://authentik.company/application/o/authorize/
 token_url = https://authentik.company/application/o/token/
 api_url = https://authentik.company/application/o/userinfo/
 # Optionally map user entitlements to Grafana roles
-role_attribute_path = contains(entitlements, 'Grafana Admins') && 'Admin' || contains(entitlements, 'Grafana Editors') && 'Editor' || 'Viewer'
+role_attribute_path = contains(entitlements[*], 'Grafana Admins') && 'Admin' || contains(entitlements[*], 'Grafana Editors') && 'Editor' || 'Viewer'
 ```
 
   </TabItem>
@@ -196,11 +133,11 @@ grafana.ini:
         token_url: "https://authentik.company/application/o/token/"
         api_url: "https://authentik.company/application/o/userinfo/"
         # Optionally map user entitlements to Grafana roles
-        role_attribute_path: contains(entitlements, 'Grafana Admins') && 'Admin' || contains(entitlements, 'Grafana Editors') && 'Editor' || 'Viewer'
+        role_attribute_path: contains(entitlements[*], 'Grafana Admins') && 'Admin' || contains(entitlements[*], 'Grafana Editors') && 'Editor' || 'Viewer'
 ```
 
-:::info
-For security reasons you shouldn't inline the client_secret in the values, but use a secret instead. For more information, see https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#how-to-securely-reference-secrets-in-grafanaini
+:::info Helm secrets
+For security reasons, do not inline the client secret in Helm values. Reference the secret from `grafana.ini` instead.
 :::
 
   </TabItem>
@@ -213,7 +150,7 @@ In the configuration above you can see an example of a role mapping. Upon login,
 In the example shown above, one of the specified entitlement names is `Grafana Admins`. If that entitlement is present, the user will be granted the `Admin` role in Grafana.
 If `Grafana Admins` is not present, Grafana checks for `Grafana Editors`. If that entitlement is present, the user is granted the `Editor` role. Finally, if neither entitlement is present, it falls back to granting the `Viewer` role.
 
-For more information on role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).
+For more information on role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/setup-grafana/configure-access/configure-authentication/generic-oauth/#configure-role-mapping).
 
 ### Grafana configuration considerations
 
@@ -234,3 +171,13 @@ For OSS Grafana, the simplest workaround is to create a separate OAuth-backed us
 If you are configuring Generic OAuth from the Grafana UI instead of a config file, the `Allow assign Grafana admin` toggle is under **Administration** > **Authentication** > **Generic OAuth**.
 
 Its config-file equivalent is `allow_assign_grafana_admin`, or `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN` in Docker-based deployments. This setting is only required if your `role_attribute_path` can return `GrafanaAdmin`; the example role mapping on this page returns `Admin`, `Editor`, or `Viewer`.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Grafana, open Grafana and click **Sign in with authentik**. You should be redirected to authentik, and after successfully signing in you should be redirected back to Grafana.
+
+## Resources
+
+- [Grafana documentation - Generic OAuth authentication](https://grafana.com/docs/grafana/latest/setup-grafana/configure-access/configure-authentication/generic-oauth/)
+- [Grafana documentation - Configure Grafana](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/)
+- [Grafana Helm chart - Securely reference secrets in grafana.ini](https://github.com/grafana-community/helm-charts/blob/main/charts/grafana/README.md#how-to-securely-reference-secrets-in-grafanaini)