grafana

Commit Graph

Author	SHA1	Message	Date
Mihai Doarna	8dfb4cdfc9	SSO: Add prompt param to SSO settings (#107969 ) * add prompt param to AzureAD oauth config * yarn i18n-extract * validate auth prompt value * make login_prompt available for all SSO providers * use base authCodeURL for azure and google * add docs for the new field for azure and generic oauth * fix typo * fix frontend unit test * add prompt parameter to docs for the other providers * remove prompt from okta * add unit tests for the other providers * address feedback * add back translations for prompt labels	4 days ago
Jo	1e1fd3db38	OAuth: Add access token as third source for user info extraction (#107636 ) * Add access token as third source for user info extraction - Add extractFromAccessToken method to extract user info from JWT access tokens - Mutualize code by creating parseUserInfoFromJSON helper method - Rename methods for clarity: extractFromToken -> extractFromIDToken, retrieveRawIDToken -> retrieveRawJWTPayload - Update test suite to include comprehensive access token retrieval scenarios - Support three sources in priority order: ID token, API response, access token - Maintain backward compatibility while adding new functionality * Update Generic OAuth documentation to reflect access token support - Add access token as a third source for user information extraction - Update configuration sections to mention access tokens alongside ID tokens and UserInfo endpoint - Document the priority order: ID token → UserInfo endpoint → access token - Update configuration option descriptions to reflect new functionality - Maintain consistency with implementation changes * Refactor access token test cases to use parameter instead of hardcoded logic - Add AccessToken field to test case struct for explicit access token specification - Remove hardcoded string matching logic that determined access token based on test name - Update all access token test cases to include the AccessToken field with appropriate JWT values - Improve test maintainability and clarity by making access tokens explicit parameters - Remove unused strings import that was only needed for the hardcoded logic * fix doc lint * reduce cyclomatic complexity	2 weeks ago
Misi	a7bfd8e351	Auth: Remove ssoSettingsApi feature toggle (#107528 ) * Remove ssoSettingsApi feature toggle * Clean up * lint * Fix tests	3 weeks ago
Mihai Doarna	dc5602bad9	SSO: Fix team_ids validation for Generic OAuth (#100732 ) fix team_ids validation in the API	5 months ago
Agni Bhattacharyya	be32630de5	Auth: Skip email extraction when api url is not present (#91699 ) * Auth: Skip email extraction when api url is not present * fix lint: reduce cyclomatic complexity	12 months ago
Ryan McKinley	99d8025829	Chore: Move identity and errutil to apimachinery module (#89116 )	1 year ago
Mihai Doarna	e1aedb65b3	SSO: Add oldSettings param to the Validate function from SSO settings (#88245 ) * add oldSettings param to the Validate function from SSO settings * update unit tests adding the missing param to Validate	1 year ago
Mathieu Parent	b8c9ae0eb7	OIDC: Support Generic OAuth org to role mappings (#87394 ) * Social: link to OrgRoleMapper * OIDC: support Generic Oauth org to role mappings Fixes: #73448 Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Handle when getAllOrgs fails in the org_role_mapper * Add more tests * OIDC: ensure orgs are evaluated from API when not from token Signed-off-by: Mathieu Parent <math.parent@gmail.com> * OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Extend docs * Fix test, lint --------- Signed-off-by: Mathieu Parent <math.parent@gmail.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>	1 year ago
Misi	12b1170631	Auth: Validation fixes for SSO Settings (#82252 ) * Validation fixes * Add URL validations + tests * Add ApiUrl validation * Refactor validators * lint * Clean up * Improvements	1 year ago
Jo	6f62d970e3	JWT Authentication: Add support for specifying groups in auth.jwt for teamsync (#82175 ) * merge JSON search logic * document public methods * improve test coverage * use separate JWT setting struct * correct use of cfg.JWTAuth * add group tests * fix DynMap typing * add settings to default ini * add groups option to devenv path * fix test * lint * revert jwt-proxy change * remove redundant check * fix parallel test	1 year ago
Misi	b1dc505a2b	Auth: Validate admin assignment in SSO Settings (#82233 ) * Add validation for allowAssignGrafanaAdmin * Update default values * Do not render hidden fields * Change error message * Improve tests --------- Co-authored-by: Clarity-89 <homes89@ukr.net>	1 year ago
Misi	bcc2409564	Auth: Add validation to Generic OAuth API and UI (#81345 ) * wip * Update validation * Chore: Remove InputControl usage * Fixes, validation * Remove empty option * Validation changes * Add tests, rename * lint --------- Co-authored-by: Clarity-89 <homes89@ukr.net>	1 year ago
Misi	20bb0a3ab1	AuthN: Support reloading SSO config after the sso settings have changed (#80734 ) * Add AuthNSvc reload handling * Working, need to add test * Remove commented out code * Add Reload implementation to connectors * Align and add tests, refactor * Add more tests, linting * Add extra checks + tests to oauth client * Clean up based on reviews * Move config instantiation into newSocialBase * Use specific error	2 years ago
Mihai Doarna	1807435d9e	Auth: Implement the reload functionality from OAuth social connectors (#79795 ) * implement Reload() func for azuread provider * add unit test for failure * use mutex when updating the info field * implement the Reload() func for the other providers * use mutex when reading info * retrieve info using GetOAuthInfo() in common file * move Reload() to SocialBase	2 years ago
Mihai Doarna	6465d87afd	Auth: Add basic validation for SSO settings (#79696 ) * add basic validation for sso settings * remove validation for the client secret	2 years ago
Misi	db81216240	Chore: Cleanup SocialBase + connectors and use the OAuthInfo (#79453 ) * Clean up SocialBase * Cleanup other connectors	2 years ago
Misi	ce1450d4d3	Chore: Configure SkipOrgRoleSync from OAuthInfo for OAuth connectors (#79443 ) * Configure SkipOrgRoleSync from OAuthInfo * Remove skipOrgRoleSync from socialbase and connectors * Add test to socialimpl.ProvideService * Deprecate AuthSettings' fields * clean up misleading init of frontendsettings.Auth	2 years ago
Misi	50f4e78a39	Auth: Use SSO settings service to load social connectors + refactor (#79005 ) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError	2 years ago
Misi	437ae8e8c5	Auth: Refactor OAuth connectors' initialization (#77919 ) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Jo	0ffd359801	Auth: Enforce role sync except if skip org role sync is enabled (#70766 ) * enforce role sync except if skip org role sync is enabled * move errors to errors file and set codes * fix docs and defaults * remove legacy parameter * support fall through token-api in generic oauth * fix error handling for generic_oauth * Update pkg/login/social/generic_oauth.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/login/social/gitlab_oauth_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/login/social/gitlab_oauth_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Jo	914daef0fd	Auth: Add request context to UserInfo calls (#70007 ) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Eric Leijonmarck	8ff19bd901	Auth: Add Generic oauth skip org role sync setting (#62418 ) * add: generic oauth skip org role sync * add: docs * add: backend login skip sync * fix: docs typo * add: tests * remove public key * fix markdown for generic oauth * add: generic oauth to the configuration * refactor: change debug to warn	3 years ago
Serge Zaitsev	7dbd2cd139	Chore: Fix goimports grouping (#62426 ) fix goimports ordering	3 years ago
Jo	00e7324bf6	Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118 ) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>	3 years ago
Jo	ef245874da	OAuth: Allow assigning Server Admin (#54780 ) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback	3 years ago
ying-jeanne	56f3f3fe69	Chore: Remove the old log format (#51526 ) * remove the old log format * fix CI Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>	3 years ago
Marcus Efraimsson	05ea825c76	Chore: Logging improvements (#44925 ) Fixing a couple bugs, adds some tests and hopefully decrease lock contention when logging. Switching from using sync.RWMutex to go-kit SwapLogger. Fixes bug when creating a new logger from an existing one that screwed up the keyvals and/or lost the logger name. Ref #44681	3 years ago
Marcus Efraimsson	bc7e55d99b	Chore: Fix log filters (#44681 )	4 years ago
Marcus Efraimsson	9ab9fd802b	OAuth: Fix parsing of ID token if header contains non-string value (#44159 ) Fixes #41111	4 years ago
Yuriy Tseretyan	8114f6b065	Use stack trace context in XORM trace logger (#43780 ) * add caller and stack Valuer functions * Add WithPrefix and WithSuffix similar to what go-kit offers * replace New with just `with`. Remove filter wrapper because the first argument of the context argument is not logger but additional context. * update Xorm logger to use custom depth to display the datastore code instead of xorm	4 years ago
ying-jeanne	a8eef45a44	Logger migration from log15 to gokit/log (#41636 ) * migrate log15 to gokit/log * fix console log * update some unittest * fix all unittest * fix the build * Update pkg/infra/log/log.go Co-authored-by: Yuriy Tseretyan <tceretian@gmail.com> * general type vector * correct the level key Co-authored-by: Yuriy Tseretyan <tceretian@gmail.com>	4 years ago
Selene	25ad916473	OAuth: Fix group mapping when use generic OAuth (#41418 ) * Fix group mapping when use generic OAuth * Fix lint * Fix lint	4 years ago
David Lamb	89878dae1b	OAuth: clarify role & group paths prefer id_token over userinfo api (#39066 ) * OAuth: clarify role & group paths prefer id_token over userinfo api (#39066) Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> Co-authored-by: Kevin Minehart <kmineh0151@gmail.com>	4 years ago
Ward Bekker	b255f3db3f	Team Sync: Add group mapping to support team sync in the Generic OAuth provider (#36307 ) Added group mapping to support team sync in the Generic OAuth provider. Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> Co-authored-by: Dan Cech <dan@aussiedan.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>	4 years ago
Arve Knudsen	dff84f6a31	Chore: Remove dead code (#28664 ) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Alexander Zobnin	8032b43838	OAuth: configurable user name attribute (#28286 ) * OAuth: more user-frienly logging * OAuth: custom user name attribute * OAuth: remove deprecated nameAttributeName option * OAuth: nameAttributePath tests * OAuth: add name_attribute_path config option * OAuth: docs for name_attribute_path option * move docs to the separate branch	5 years ago
Bill Oley	b70fefe642	OAuth2: Handle DEFLATE compressed JWT payloads for generic OAuth (#26969 )	5 years ago
Arve Knudsen	e6e5cc6e80	Chore: Simplify generic OAuth code (#26779 ) * Generic OAuth: Simplify Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Rename test variables for consistency Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Alexander Zobnin	df11cdad62	Generic OAuth: customize login and id_token attributes (#26577 ) * OAuth: add login_attribute_path to generic oauth * OAuth: remove default client_secret values (able to use empty client_secret) * OAuth: allow to customize id_token attribute name * Docs: describe how login_attribute_path and id_token_attribute_name params work * Docs: review fixes * Docs: review fixes * Chore: fix go linter error * Tests: fix test code style	5 years ago
Arve Knudsen	e08972d567	login/social: Simplify test (#26679 ) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	3651a8e976	Chore: Disable scopelint for tests (#25923 ) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	d1e6214a4a	Chore: Enable scopelint Go linter (#25896 ) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	07582a8e85	Chore: Fix various spelling errors in back-end code (#25241 ) * Chore: Fix various spelling errors in back-end code Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>>	5 years ago
Alexander Zobnin	7afdfd2ef4	Okta OAuth provider (team sync support) (#22972 ) * Okta OAuth support * Chore: fix linter error * Chore: move IsEmailAllowed to SocialBase * Chore: move IsSignupAllowed to SocialBase * Chore: review fixes * Okta: support allowed_groups * Okta: default config * Chore: move extractEmail() to OktaClaims struct * Chore: review fixes * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Docs: Okta OAuth * Chore: don't return expected errors from searchJSONForAttr * Docs: role mapping * Chore: review fixes (searchJSONForAttr) * Docs: review fixes * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Chore: log error if searchJSONForAttr failed * Docs: add Okta login link * Docs: review fixes * Docs: add reference to the org roles Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Sean Johnson	7cbf3d8dab	OAuth: Fix role mapping from id token (#20300 ) As part of the new improvements to JMESPath in #17149 a commit ensuring Role and Email data could be queried from id_token was lost. This refactors and fixes extracting from both token and user info api consistently where before only either token or either user info api was used for extracting data/attributes. Fixes #20243 Co-authored-by: Timo Wendt <timo@tjwendt.de> Co-authored-by: twendt <timo@tjwendt.de> Co-authored-by: henninge <henning@eggers.name> Co-Authored-by: Henning Eggers <henning.eggers@inovex.de> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>	6 years ago
Martin Reinhardt	7a3d1c0e4b	OAuth: Generic OAuth role mapping support (#17149 ) Adds support for Generic OAuth role mapping. A new configuration setting for generic oauth is added named role_attribute_path which accepts a JMESPath expression. Only Grafana roles named Viewer, Editor or Admin are accepted. Closes #9766	6 years ago
Bob Shannon	056dbc7012	OAuth: Support JMES path lookup when retrieving user email (#14683 ) Add support for fetching e-mail with JMES path Signed-off-by: Bob Shannon <bobs@dropbox.com>	6 years ago

18 Commits (8dfb4cdfc94c7dcecc23e166157db1adf6f84148)