Feature Request: OAuth/SSO Authentication Support (Okta, Google, etc.) #284

@felipeneuwald

Problem Statement

Currently, the Grafana MCP server only supports authentication via:

  • Service Account Tokens
  • Basic authentication (username/password)

Many organizations use SSO providers like Okta, Google OAuth, Azure AD, etc. for Grafana authentication and have disabled basic auth for security reasons. While service accounts are a viable workaround, native OAuth support would provide a more seamless experience for users already authenticated via SSO.

Proposed Solution

Add OAuth 2.0 authentication support to the Grafana MCP server, allowing users to authenticate using their existing SSO credentials.

Implementation Options

  1. Browser-based OAuth flow

    • On first run, open a browser for OAuth authentication
    • Store refresh tokens securely for subsequent runs
    • Similar to how gcloud auth login or gh auth login work
  2. Personal Access Token generation via OAuth

    • Use OAuth to authenticate, then automatically create/retrieve a personal access token
    • Store this token for future use
    • Provides a bridge between OAuth and the existing token-based system
  3. Direct OAuth token usage

    • Allow users to provide OAuth access tokens directly
    • Support token refresh automatically

Example Configuration

{
  "mcpServers": {
    "grafana": {
      "command": "mcp-grafana",
      "args": ["--auth-type", "oauth"],
      "env": {
        "GRAFANA_URL": "https://myinstance.grafana.net",
        "GRAFANA_AUTH_PROVIDER": "okta",  // or "google", "azuread", etc.
        "GRAFANA_OAUTH_CLIENT_ID": "your-client-id",
        "GRAFANA_OAUTH_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}

Benefits

  1. Enhanced Security: No need to store long-lived service account tokens
  2. Better User Experience: Seamless authentication for users already using SSO
  3. Compliance: Aligns with organizations' SSO-only policies
  4. Simplified Management: No need to manage separate service accounts for MCP

Additional Context

  • Many enterprises mandate SSO-only authentication
  • Other MCP servers (like GitHub) already support OAuth
  • This would make the Grafana MCP server more accessible to enterprise users

Would love to hear thoughts on this feature request and whether it aligns with the project's roadmap!

Thank you!
