From 0d044285a9c646d4317f9f9da8694b70e7f9fc73 Mon Sep 17 00:00:00 2001
From: jvoeller <48791711+jvoeller@users.noreply.github.com>
Date: Mon, 10 May 2021 19:07:30 +0200
Subject: [PATCH] OAuth: Add support for empty scopes (#32129)

* add parameter empty_scopes to override scope parameter with empty value and thus be able to authenticate against IdPs without scopes. Issue #27503 Update docs/sources/auth/generic-oauth.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* updated check according to feedback
* Update generic-oauth.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
---
 conf/defaults.ini | 1 +
 conf/sample.ini | 1 +
 docs/sources/auth/generic-oauth.md | 3 +++
 pkg/login/social/social.go | 6 ++++++
 4 files changed, 11 insertions(+)

diff --git a/conf/defaults.ini b/conf/defaults.ini
index 6bd3ed06a09..3209651dd43 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -474,6 +474,7 @@ allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = user:email
+empty_scopes = false
 email_attribute_name = email:primary
 email_attribute_path =
 login_attribute_path =
diff --git a/conf/sample.ini b/conf/sample.ini
index 50cbfc4f0f7..e547b8f5422 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -465,6 +465,7 @@
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
+;empty_scopes = false
 ;email_attribute_name = email:primary
 ;email_attribute_path =
 ;login_attribute_path =
diff --git a/docs/sources/auth/generic-oauth.md b/docs/sources/auth/generic-oauth.md
index 8d9eecb6be9..2386cbf0265 100755
--- a/docs/sources/auth/generic-oauth.md
+++ b/docs/sources/auth/generic-oauth.md
@@ -29,6 +29,7 @@ enabled = true
 client_id = YOUR_APP_CLIENT_ID
 client_secret = YOUR_APP_CLIENT_SECRET
 scopes =
+empty_scopes = false
 auth_url =
 token_url =
 api_url =
@@ -49,6 +50,8 @@ You can also specify the SSL/TLS configuration used by the client.
 `tls_skip_verify_insecure` controls whether a client verifies the server's certificate chain and host name. If it is true, then SSL/TLS accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
+Set `empty_scopes` to true to use an empty scope during authentication. By default, Grafana will use `user:email` as scope.
+
 Grafana will attempt to determine the user's e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:
 1. Check for the presence of an e-mail address via the `email` field encoded in the OAuth `id_token` parameter.
diff --git a/pkg/login/social/social.go b/pkg/login/social/social.go
index 20b5920386e..4c45ef22fbc 100644
--- a/pkg/login/social/social.go
+++ b/pkg/login/social/social.go
@@ -85,6 +85,7 @@ func NewOAuthService() {
 for _, name := range allOauthes {
 sec := setting.Raw.Section("auth." + name)
+
 info := &setting.OAuthInfo{
 ClientId: sec.Key("client_id").String(),
 ClientSecret: sec.Key("client_secret").String(),
@@ -107,6 +108,11 @@ func NewOAuthService() {
 TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(),
 }
+// when empty_scopes parameter exists and is true, overwrite scope with empty value
+if sec.Key("empty_scopes").MustBool() {
+info.Scopes = []string{}
+}
+
 if !info.Enabled {
 continue
 }
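Review bot: The override at `if sec.Key("empty_scopes").MustBool() {` silently discards whatever `scopes` was read into info.Scopes in the struct literal of the previous hunk, so an operator who sets both keys gets no signal about which one is in effect; consider logging the override once per provider name, or at least widen the comment to `// empty_scopes takes precedence over scopes: no scope is requested from the provider, so its default scope set applies`. Dropping the scope list is an authorization-surface choice — with nothing requested, the tokens Grafana obtains carry whatever the IdP grants by default, which may be more or less than `user:email` — so that deserves to be stated in the code rather than only in the commit message. The new branch also runs before `if !info.Enabled { continue }`, so disabled providers are processed too; harmless, but placing it after the guard keeps the enabled check first. NewOAuthService starts before the hunk and continues after it.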