diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md index ca7ab147626..48de62a6c9a 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md @@ -15,12 +15,21 @@ weight: 600 The Azure AD authentication allows you to use an Azure Active Directory tenant as an identity provider for Grafana. You can use Azure AD Application Roles to assign users and groups to Grafana roles from the Azure Portal. This topic has the following sections: -- [Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication) +- [Configure Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication) - [Create the Azure AD application](#create-the-azure-ad-application) + - [Assign server administrator privileges](#assign-server-administrator-privileges) - [Enable Azure AD OAuth in Grafana](#enable-azure-ad-oauth-in-grafana) + - [Configure refresh token](#configure-refresh-token) - [Configure allowed groups](#configure-allowed-groups) - [Configure allowed domains](#configure-allowed-domains) + - [PKCE](#pkce) + - [Configure automatic login](#configure-automatic-login) - [Team Sync (Enterprise only)](#team-sync-enterprise-only) + - [Common troubleshooting](#common-troubleshooting) + - [Users with over 200 Group assignments](#users-with-over-200-group-assignments) + - [Force fetching groups from Microsoft graph API](#force-fetching-groups-from-microsoft-graph-api) + - [Map roles](#map-roles) + - [Skip organization role sync](#skip-organization-role-sync) ## Create the Azure AD application 
@@ -143,6 +152,7 @@ allowed_groups = role_attribute_strict = false allow_assign_grafana_admin = false skip_org_role_sync = false +use_pkce = true ``` You can also use these environment variables to configure **client_id** and **client_secret**: @@ -191,9 +201,18 @@ The `allowed_domains` option limits access to users who belong to specific domai allowed_domains = mycompany.com mycompany.org ``` +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.azuread]` section. + ### Configure automatic login -Set `auto_login` option to true to attempt login automatically, skipping the login screen. +To bypass the login screen and log in automatically, enable the "auto_login" feature. This setting is ignored if multiple auth providers are configured to use auto login. ``` diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md index 09d1eb36d4e..b0b8d38794a 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md 
@@ -15,13 +15,23 @@ weight: 200 You can configure many different OAuth2 authentication services with Grafana using the generic OAuth2 feature. Examples: -- [Generic OAuth authentication](#configure-generic-oauth-authentication) +- [Configure generic OAuth authentication](#configure-generic-oauth-authentication) + - [Email address](#email-address) + - [Groups / Teams](#groups--teams) + - [Login](#login) + - [PKCE](#pkce) + - [Configure refresh token](#configure-refresh-token) + - [Configure automatic login](#configure-automatic-login) - [Set up OAuth2 with Auth0](#set-up-oauth2-with-auth0) - [Set up OAuth2 with Bitbucket](#set-up-oauth2-with-bitbucket) - [Set up OAuth2 with Centrify](#set-up-oauth2-with-centrify) - [Set up OAuth2 with OneLogin](#set-up-oauth2-with-onelogin) - - [Role mapping](#role-mapping) + - [Role Mapping](#role-mapping) + - [JMESPath examples](#jmespath-examples) + - [Map user organization role](#map-user-organization-role) + - [Map server administrator privileges](#map-server-administrator-privileges) - [Team synchronization](#team-synchronization) + - [Skip organization role sync](#skip-organization-role-sync) This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the suffixed path of `/login/generic_oauth`. @@ -103,7 +113,7 @@ You can set the user's display name with JMESPath using the `name_attribute_path > Available in Grafana v8.3 and later versions. IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) -introduces "proof key for code exchange" (PKCE) which introduces +introduces "proof key for code exchange" (PKCE) which provides additional protection against some forms of authorization code interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md index 4e473c04979..e754cc1620e 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md @@ -61,6 +61,11 @@ allowed_groups = role_attribute_path = role_attribute_strict = false allow_assign_grafana_admin = false +tls_skip_verify_insecure = false +tls_client_cert = +tls_client_key = +tls_client_ca = +use_pkce = true ``` You may have to set the `root_url` option of `[server]` for the callback URL to be @@ -81,6 +86,14 @@ to login on your Grafana instance. You can limit access to only members of a given group or list of groups by setting the `allowed_groups` option. +You can also specify the SSL/TLS configuration used by the client. + +- Set `tls_client_cert` to the path of the certificate. +- Set `tls_client_key` to the path containing the key. +- Set `tls_client_ca` to the path containing a trusted certificate authority list. + +`tls_skip_verify_insecure` controls whether a client verifies the server's certificate chain and host name. If it is true, then SSL/TLS accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks. + ### Configure refresh token > Available in Grafana v9.3 and later versions. 
@@ -140,8 +153,28 @@ allowed_groups = example, foo/bar role_attribute_path = is_admin && 'Admin' || 'Viewer' role_attribute_strict = true allow_assign_grafana_admin = false +tls_skip_verify_insecure = false +tls_client_cert = +tls_client_key = +tls_client_ca = +use_pkce = true ``` +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.gitlab]` section. + +``` +use_pkce = true +``` + +Grafana always uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier. + ### Configure automatic login Set `auto_login` option to true to attempt login automatically, skipping the login screen. diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md index e56eea304f5..722408a3158 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md @@ -41,6 +41,7 @@ auth_url = https://accounts.google.com/o/oauth2/auth token_url = https://accounts.google.com/o/oauth2/token allowed_domains = mycompany.com mycompany.org hosted_domain = mycompany.com +use_pkce = true ``` You may have to set the `root_url` option of `[server]` for the callback URL to be 
@@ -58,6 +59,15 @@ automatically signed up. You may specify a domain to be passed as `hd` query parameter accepted by Google's OAuth 2.0 authentication API. Refer to Google's OAuth [documentation](https://developers.google.com/identity/openid-connect/openid-connect#hd-param). +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.google]` section. + ### Configure refresh token > Available in Grafana v9.3 and later versions. diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md index a453d461a7e..1e48e276342 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md @@ -51,8 +51,18 @@ api_url = https://.okta.com/oauth2/v1/userinfo allowed_domains = allowed_groups = role_attribute_path = +use_pkce = true ``` +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.okta]` section. + ### Configure refresh token > Available in Grafana v9.3 and later versions.
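Review bot: the new TOC entries in the azuread hunk (@@ -15,12 +15,21 @@) mix capitalization styles: `Users with over 200 Group assignments` capitalizes "Group" mid-sentence, while `Force fetching groups from Microsoft graph API` lowercases "graph" in the product name Microsoft Graph API. Since the link text is meant to mirror the heading it points at, fix heading and entry together so they read `Users with over 200 group assignments` and `Force fetching groups from Microsoft Graph API`; the generated anchors (`#users-with-over-200-group-assignments`, `#force-fetching-groups-from-microsoft-graph-api`) are already lowercase and are unaffected by the case change.

Review bot: the rewritten automatic-login sentence in the azuread hunk (@@ -191,9 +201,18 @@) puts the option name in plain quotes (`"auto_login" feature`) instead of a code span and drops the instruction to set it to `true`, so the reader is no longer told which config key and value to use; the gitlab page keeps the original wording (`Set `auto_login` option to true to attempt login automatically, skipping the login screen.`), so either restore that sentence here or change both pages consistently. In the same hunk the PKCE note is missing a space between "the" and the code span `[auth.azuread]`; the identical typo appears in the gitlab, google and okta PKCE hunks. The new PKCE sections also lack the `> Available in Grafana vX.Y and later versions.` line that the generic-oauth page carries for the same feature, which readers need in order to know whether their Grafana version honours `use_pkce` at all.

Review bot: the new TLS paragraph in the gitlab hunk (@@ -81,6 +86,14 @@) says "the SSL/TLS configuration used by the client" without saying which client; make explicit that these options apply to the HTTPS connections Grafana itself opens to GitLab as the OAuth client, not to browsers connecting to Grafana, and describe `tls_client_key` as the private key matching `tls_client_cert` rather than "the path containing the key". It would also help to state the default `tls_skip_verify_insecure = false` in the sentence, not only in the config sample, since that is the setting the man-in-the-middle warning hinges on.

Review bot: "a 128 bytes (base64url encoded) code verifier" in the gitlab hunk (@@ -140,8 +153,28 @@) is ambiguous: RFC 7636 section 4.1 restricts `code_verifier` to 43 to 128 characters, and 128 random bytes base64url-encode to about 171 characters, which would exceed that limit. State which quantity is meant, for example "a 128-character base64url-encoded code verifier (the maximum length RFC 7636 allows)" if that is what the implementation produces. This sentence and the extra `use_pkce = true` fenced block also appear only in the gitlab PKCE section although the behaviour applies to every provider that gained `use_pkce`; either add them to the azuread, google and okta sections as well or move the whole PKCE paragraph into a shared snippet, since the same four-line text is copied verbatim into four provider pages in this patch.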