If you followed my previous guide to secure your Grafana access behind an Nginx SSL reverse proxy, you are now ready to set up much more robust authentication for your Cardano stakepool monitoring dashboards than the default one provided by Grafana (local user accounts).

We are going to use Google OAuth to secure the access. This way, you are going to allow a specific domain name to log in to your Grafana server through Google.

Prerequisite: for this to work, you need to have a mail address on your own domain (and of course a secure mail server), and create a Google account with it. For example, you could have grafana@yourdomain.com, and create a new Google account with this address.

Once you have created it:

1- Go to https://console.developers.google.com/apis/credentials and log in with your new account

2- Click on Create Credentials at the top of the page, and then click OAuth Client ID. (You may have to set up a “Consent page” first. Use defaults, it’s not very important in our case)

3- Then you’ll have to enter these settings:

  • Application Type: Web Application
  • Name: Grafana
  • Authorized JavaScript Origins: https://<your FQDN used to access your grafana server>
  • Authorized Redirect URLs: https://<your FQDN used to access your grafana server>/login/google

4- Click on Create

5- You’ll get a Client ID and Client Secret. Copy them.

Now we are going to configure Grafana to use our Google OAuth credentials.

On your Grafana server, edit the grafana.ini config file:

sudo nano /etc/grafana/grafana.ini

In the Server section, find this setting and modify it:

root_url = https://<your FQDN>/

Go to the Google Auth section:

[auth.google]
enabled = true
client_id = <copy your client id>
client_secret = <copy your client secret>
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
allowed_domains = <your domain, like "yourdomain.com">
allow_sign_up = false

Save and close the file

Restart the Grafana server:

sudo systemctl restart grafana-server.service

Browse to your Grafana FQDN: https://<your FQDN>

You should now have a “Sign-in with Google” option on the login page.

[Image: Grafana Google OAuth]

You can now use the account you created with your own domain name to access your Grafana Cardano dashboards. Note that the admin account is still local to your server, but you should not use it often (only if you want to modify your dashboard). Another thing you should really do is enable 2FA on the Google account you created, to ensure only you can use it!
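
A quick way to confirm that grafana.ini really carries the settings from this guide (HTTPS root_url, Google auth enabled, a real client secret, a domain restriction, sign-up disabled). This is an added example, not part of the original guide or of Grafana; the function name, the sample configs and example.org are constructed for illustration.

```python
import configparser

def audit_google_auth(ini_text, expected_domain):
    """Return a list of findings; an empty list means the settings match the guide."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may hold keys before the first section; configparser rejects
    # that, so parse everything under a throwaway leading section.
    cp.read_string("[__top__]\n" + ini_text)
    findings = []
    if not cp.get("server", "root_url", fallback="").lower().startswith("https://"):
        findings.append("server.root_url is not an https:// URL")
    if not cp.has_section("auth.google"):
        return findings + ["[auth.google] section is missing"]
    google = cp["auth.google"]
    if google.get("enabled", "false").lower() != "true":
        findings.append("auth.google.enabled is not true")
    secret = google.get("client_secret", "")
    if not secret or secret.startswith("<"):
        findings.append("client_secret is empty or still a placeholder")
    # Several domains may be listed; split on spaces and commas, drop quotes.
    raw = google.get("allowed_domains", "").replace(",", " ")
    domains = {d.strip('"').lower() for d in raw.split()}
    if not domains:
        findings.append("allowed_domains is empty: no domain restriction")
    elif domains != {expected_domain.lower()}:
        findings.append("allowed_domains lists unexpected domains: " + " ".join(sorted(domains)))
    if google.get("allow_sign_up", "true").lower() != "false":
        findings.append("allow_sign_up is not false")
    return findings

# Constructed sample configs (not real credentials).
GOOD = """app_mode = production
[server]
root_url = https://grafana.example.org/
[auth.google]
enabled = true
client_secret = constructed-secret
allowed_domains = example.org
allow_sign_up = false
"""
WEAK = """[server]
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
[auth.google]
enabled = true
client_secret = <copy your client secret>
allowed_domains =
"""
if __name__ == "__main__":
    print(audit_google_auth(GOOD, "example.org"), audit_google_auth(WEAK, "example.org"))
```

To check a live server, pass the contents of /etc/grafana/grafana.ini and your own domain to audit_google_auth.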