Commit Graph

267 Commits

Author SHA1 Message Date
xavi
684fbc089e [release-11.5.4] [IAM] Prepend AppSubURL to redirectURI before validating it (#103771)
[IAM] Prepend AppSubURL to redirectURI before validating it (#103475)

(cherry picked from commit 5053aa576d)
2025-04-11 14:00:33 +02:00
grafana-delivery-bot[bot]
3881a173fe [release-11.5.2] AuthN: Refetch user on "ErrUserAlreadyExists" (#100582)
AuthN: Refetch user on "ErrUserAlreadyExists" (#100346)

* AuthN: Refetch user on "ErrUserAlreadyExists"

(cherry picked from commit 0b4c622df8)

Co-authored-by: Karl Persson <23356117+kalleep@users.noreply.github.com>
2025-02-13 12:03:29 +01:00
xavi
345757c3ae Auth: Fix SAML user IsExternallySynced not being set correctly (#98487) 2025-01-10 17:37:37 +01:00
colin-stuart
4581a82ac4 Auth: disable passwordless auth if any SAML/OAuth is enabled (#98227)
* Auth: disable passwordless auth if any SAML/OAuth is enabled

* Update pkg/services/authn/authnimpl/registration.go

Co-authored-by: Victor Cinaglia <victor@grafana.com>

* simplify check if any auth providers are enabled

* add accidentally removed break statement, use IsEnabled with empty context to check if PasswordlessMagicLinkAuth enabled

* use IsClientEnabled

* Update pkg/api/frontendsettings.go

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

---------

Co-authored-by: Victor Cinaglia <victor@grafana.com>
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
2025-01-09 11:44:16 -05:00
Georges Chaudy
3fe2227c82 [auth] make id-token optional (#97831)
make idtoken optional

ensure there is always an identity in the context

fix: update token

fix: now it should work

fix: now it should work
2024-12-17 13:28:00 +02:00
Misi
6cd3a5458e Auth: Return error when retries have been exhausted for OAuth token refresh (#98034)
Return error when retries for DB lock have been exhausted in oauth_token.go
2024-12-16 17:03:39 +01:00
Jo
40d3b02648 Auth: Separate anonymous settings to its own struct (#97791)
separate anonymous settings to its own struct
2024-12-13 10:46:27 +01:00
Karl Persson
3a17d0c927 IAM: align AuthInfo interface (#97228)
* Update to use updated interface
2024-12-03 15:11:17 +01:00
Georges Chaudy
f6124344ba authnz: Fix panic in the authenticator and rename metric (#97150)
* Fix: panic

* suggestion
2024-11-28 14:03:54 +02:00
Misi
84b8296ffb OAuth: Use the attached external session data in OAuthToken and OAuthTokenSync (#96655)
* wip

* wip + tests

* wip

* wip opt2

* Use authn.Identity struct's SessionToken

* Merge fixes

* Handle disabling the feature flag correctly

* Fix test

* Cleanup

* Remove HasOAuthEntry from the OAuthTokenService interface

* Remove unused function
2024-11-27 11:06:39 +01:00
Gabriel MABILLE
6e2d3cae5e AuthN: Register flags for grpc_server_authentication configuration (#97063)
* AuthZServer: Add authenticator

* Add flags
2024-11-27 10:35:35 +01:00
Karl Persson
76f052e8de Requester: Remove duplicated function (#97038)
* Remove duplicated function

* Remove GetDisplayName from interface

* Use GetName
2024-11-26 15:29:31 +01:00
Karl Persson
3990637af9 IAM: remove duplicated functions (#96989)
* Remove duplicated function and use the one provided by claims package
2024-11-26 09:22:45 +01:00
Misi
1061e4712f OAuth: Refactor OAuthToken service to make it easier to use the new external sessions (#96667)
* Refactor OAuthToken service

* introduce user.SessionAwareIdentityRequester

* replace login.UserAuth parameters with user.SessionAwareIdentityRequester

* Add nosec G101 to fake ID tokens

* Opt 2, min changes

* Revert a change to the current version
2024-11-21 15:36:28 +02:00
Prem Saraswat
ca2c874161 authn: grpcutils: Mark ID Tokens optional in cloud mode in gRPC Authenticator (#96824)
This patch marks ID tokens as not required when initialising a gRPC
Authenticator to be used in `cloud` mode. ID Tokens are still enabled in
`cloud` mode, but the `Required` option is set to `false`.

This is needed for MT services like Cloud API Server to authenticate
against gRPC services like Resource Store with only an Access Token.

Signed-off-by: Prem Kumar <prem.saraswat@grafana.com>
2024-11-21 18:41:49 +05:30
Georges Chaudy
8bb59c64f0 unistore: handle auth when fallback is used (#96772)
* handle auth when fallback is used

* handle auth when fallback is used

* add traces
2024-11-21 12:21:22 +02:00
colin-stuart
6abe99efd6 Auth: Passwordless Login Option Using Magic Links (#95436)
* initial passwordless client

* passwordless login page

* Working basic e2e flow

* Add todo comments

* Improve the passwordless login flow

* improved passwordless login, backend for passwordless signup

* add expiration to emails

* update email templates & render username & name fields on signup

* improve email templates

* change login page text while awaiting passwordless code

* fix merge conflicts

* use claims.TypeUser

* add initial passwordless tests

* better error messages

* simplified error name

* remove completed TODOs

* linting & minor test improvements & rename passwordless routes

* more linting fixes

* move code generation to its own func, use locationService to get query params

* fix ampersand in email templates & use passwordless api routes in LoginCtrl

* txt emails more closely match html email copy

* move passwordless auth behind experimental feature toggle

* fix PasswordlessLogin property failing typecheck

* make update-workspace

* use correct placeholder

* Update emails/templates/passwordless_verify_existing_user.txt

Co-authored-by: Dan Cech <dcech@grafana.com>

* Update emails/templates/passwordless_verify_existing_user.mjml

Co-authored-by: Dan Cech <dcech@grafana.com>

* Update emails/templates/passwordless_verify_new_user.txt

Co-authored-by: Dan Cech <dcech@grafana.com>

* Update emails/templates/passwordless_verify_new_user.txt

Co-authored-by: Dan Cech <dcech@grafana.com>

* Update emails/templates/passwordless_verify_new_user.mjml

Co-authored-by: Dan Cech <dcech@grafana.com>

* use &amp; in email templates

* Update emails/templates/passwordless_verify_existing_user.txt

Co-authored-by: Dan Cech <dcech@grafana.com>

* remove IP address validation

* struct for passwordless settings

* revert go.work.sum changes

* mock locationService.getSearch in failing test

---------

Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
2024-11-14 08:50:55 -05:00
Karl Persson
8d74296b6c Authn: Always set namespace (#96230)
* Rename from AllowedKubernetesNamespace to Namespace

* Use a sync hook to always set namespace for Identity.

* format

* Don't set uid when authenticating as user
2024-11-12 10:12:47 +01:00
Gabriel MABILLE
df8b6e6862 Fix: Close grpc_authenticator fallback trace (#96009)
Fix: Close grpc_authenticator trace
2024-11-07 11:29:25 +01:00
Gabriel MABILLE
5a0ef46280 Add tracing to the gRPC Authentication flow (#94466)
commit ad4df4b3f63bdf3e16423ac8c3fdb1a7fae5582e
Author: gamab <gabriel.mabille@grafana.com>
Date:   Thu Oct 24 10:24:04 2024 +0200

    nit

commit eb8b9cf2f3e27cae258b3ae310f1584da5ba36b5
Author: gamab <gabriel.mabille@grafana.com>
Date:   Thu Oct 24 10:23:25 2024 +0200

    miss

commit aab1aed204a5dedcc6dd187b2f636995bbe2c5c6
Merge: 5aafdec9233 7fe710b141
Author: gamab <gabriel.mabille@grafana.com>
Date:   Thu Oct 24 10:22:05 2024 +0200

    Merge remote-tracking branch 'origin/main' into gamab/resourcestore/tracing

commit 5aafdec9233d6824cba977b069d71eabc3d21a8d
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 16 18:03:56 2024 +0200

    Did not fix the issue

commit 20522a7f64222fad27268ac640d4b4fb9259c748
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 16 17:42:35 2024 +0200

    Test

commit b45199a341b6a57e93927c9eb7de8d7758ed7619
Merge: c0fbbdb95d4 e9e2b11ba2
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 16 17:31:59 2024 +0200

    Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing

commit e9e2b11ba2
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Wed Oct 16 18:28:31 2024 +0300

    PR feedback: simplified fallback implementation

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

commit b5209dba64
Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com>
Date:   Wed Oct 16 18:03:06 2024 +0300

    Update pkg/services/authn/grpcutils/grpc_authenticator.go

    Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

commit c0fbbdb95d4605f349b902ca8698e7b560433867
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 16 10:32:52 2024 +0200

    Add traces to fallback

commit 75aa8dcbd49288f1dca53cdf6e9a7b41688dff38
Merge: d92fafcaf0d 562d499e85
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 16 10:29:41 2024 +0200

    Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing

commit 562d499e85
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Wed Oct 16 11:05:01 2024 +0300

    switched to features.IsEnabledGlobally()

commit addc6aaca4
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Wed Oct 16 10:21:31 2024 +0300

    imports cleanup

commit 7c6d80f6aa
Merge: 64a5e55d61 9dc2ccdbfd
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Wed Oct 16 10:18:54 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 64a5e55d61
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Oct 15 11:01:54 2024 +0300

    cleanup

commit 4fe2c03457
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Oct 15 10:31:06 2024 +0300

    always enable FlagAppPlatformGrpcClientAuth for k8s int tests

commit c7e36759cd
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Oct 15 10:30:43 2024 +0300

    use sync.Once as it's more idiomatic

commit f5c2c79981
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Oct 14 20:43:48 2024 +0300

    remove client side namespace extractor

commit 742295c89a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Oct 14 20:04:11 2024 +0300

    avoid double registration of metrics (fallbackCounter)

commit a45998c8d3
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Oct 14 19:03:41 2024 +0300

    use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy

commit ffdc301718
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Oct 14 18:37:22 2024 +0300

    remove the NamespaceAuthorizer

    The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.

commit 4a03ed7d7d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Oct 14 15:59:08 2024 +0300

    allow using the legacy resource client via

commit a2c30f5328
Merge: ead390f608 2f3c539d9b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Oct 14 14:08:32 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit ead390f608
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Fri Oct 11 09:38:49 2024 +0300

    added server side gRPC authn fallback-to-legacy mechanism

    - brought back the old gRPC authenticator
    - added `grpc_server_authentication.legacy_fallback` config option
    - introduced `AuthenticatorWithFallback`
    - added telemetry to track fallbacks

commit d92fafcaf0db9c8d97a5d071759fc21ede7d8848
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 14:58:25 2024 +0200

    Fix test

commit 54f05ff0fecf3d696a0e98621db6991282503917
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 14:42:18 2024 +0200

    Forgot the tracer 😁

commit 3948048880c7a0eb2360a35b0cc9f3686f2edfef
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 14:02:41 2024 +0200

    Add traces to NamespaceAuthorizer

commit cc695bb77c37a097174556303721fbc48b9464a0
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 13:56:48 2024 +0200

    Add traces to authentication flow

commit 8686c46be5
Merge: 08c3d237dc 4a3ce66193
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 13:56:26 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 08c3d237dc
Merge: 33fd104cfd 84d580179d
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 12:41:57 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 33fd104cfd
Merge: 68af25fbc3 38f57d270a
Author: gamab <gabriel.mabille@grafana.com>
Date:   Wed Oct 9 12:13:25 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 68af25fbc3
Author: Gabriel MABILLE <gamab@users.noreply.github.com>
Date:   Mon Oct 7 16:31:09 2024 +0200

    Update pkg/services/authz/config.go

commit 4fba5c9b32
Author: gamab <gabriel.mabille@grafana.com>
Date:   Fri Oct 4 15:17:41 2024 +0200

    PR Feedback

commit 86867a14ca
Author: Gabriel MABILLE <gamab@users.noreply.github.com>
Date:   Fri Oct 4 15:13:06 2024 +0200

    Update pkg/services/authn/grpcutils/config.go

    Co-authored-by: Dan Cech <dcech@grafana.com>

commit c591631135
Merge: c80c46ca6a e37b43117b
Author: gamab <gabriel.mabille@grafana.com>
Date:   Fri Oct 4 13:07:48 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit c80c46ca6a
Merge: 3acada9d47 4224d05934
Author: gamab <gabriel.mabille@grafana.com>
Date:   Thu Oct 3 14:58:51 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 3acada9d47
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Fri Sep 27 17:39:59 2024 +0300

    introducing `mode` config for gRPC auth server & client side

commit 914ca237e2
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Thu Sep 26 20:47:57 2024 +0300

    Fixed integration tests

commit 71c33dcbe3
Merge: 52f248eebb 920d79680d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Thu Sep 26 19:25:33 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 52f248eebb
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 24 18:44:38 2024 +0300

    updated namespace extractor usage

commit a6c977ba4d
Merge: fb7bbf743b 8da1d78c92
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 24 17:35:03 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit fb7bbf743b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 24 17:34:36 2024 +0300

    unistor client side updates

commit a28440c40b
Merge: 79d9969aa8 a8b07b0c81
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 24 10:45:09 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 79d9969aa8
Author: gamab <gabriel.mabille@grafana.com>
Date:   Mon Sep 9 16:14:02 2024 +0200

    Rename NewResourceClient funcs

commit 36b3752490
Merge: 8ce354bb06 b89f3f8115
Author: gamab <gabriel.mabille@grafana.com>
Date:   Mon Sep 9 16:00:54 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 8ce354bb06
Author: gamab <gabriel.mabille@grafana.com>
Date:   Mon Sep 9 10:40:06 2024 +0200

    Align

commit bdf79f3b2f
Merge: 8f4df8973d 8eb7e55f8f
Author: gamab <gabriel.mabille@grafana.com>
Date:   Mon Sep 9 10:38:45 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 8f4df8973d
Merge: 2441cd8d53 9338e40dc3
Author: gamab <gabriel.mabille@grafana.com>
Date:   Thu Sep 5 11:26:39 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 2441cd8d53
Merge: 2904074a2f 2bbce8a7f7
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 17:31:36 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 2904074a2f
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 16:35:25 2024 +0300

    refactoring

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

commit 125cb3c834
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 16:34:18 2024 +0300

    refactoring (aesthetics)

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

commit 499a31df53
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 15:59:09 2024 +0300

    update usage of ReadGprcServerConfig()

commit f5d383644d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 15:44:09 2024 +0300

    make update-workspace

commit 755485751e
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:43:22 2024 +0200

    Fix trace

commit d09e14c26a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 15:42:50 2024 +0300

    removed WithIDTokenExtractorOption, and other PR feedback

commit 21220c2cca
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:36:59 2024 +0200

    Else statement

commit 6cf1efdcc4
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:35:02 2024 +0200

    Mod update

commit 4b73a93883
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:32:20 2024 +0200

    Add Auth func overrides

commit 6032ab3ae1
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:26:18 2024 +0200

    Use NamespaceAuthorizer

commit 601beb5327
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:20:47 2024 +0200

    Update authlib

commit a1b6408127
Merge: 0d70225c1a 1128c417d8
Author: gamab <gabriel.mabille@grafana.com>
Date:   Tue Sep 3 14:18:49 2024 +0200

    Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3

commit 0d70225c1a
Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com>
Date:   Tue Sep 3 15:15:54 2024 +0300

    Update pkg/services/authn/grpcutils/grpc_authenticator.go

    Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

commit 62f165f6f9
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 10:55:45 2024 +0300

    refactoring NamespaceAccessChecker usage and use CloudNamespaceFormatter in Cloud

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

commit bb5ee88d4f
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 10:39:11 2024 +0300

    added stackIdExtractor for cloud mode

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

commit 84866a8a51
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Sep 3 10:38:19 2024 +0300

    authz client cfg changes

    - removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
    - reusing settings from "grpc_client_authentication", instead of duplicating in "authorization" section

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

commit 14a1021605
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 21:44:35 2024 +0300

    make update-workspace

commit 84f8c9be94
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 21:36:10 2024 +0300

    cleanup: refactoring leftover

commit 7fe8d62304
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 19:30:51 2024 +0300

    update authlib version (small fix)

commit 7c2353ae25
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 19:17:11 2024 +0300

    cleanup: remove unused `GrpcServerConfig.Mode`

commit 52b7cf8550
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 19:06:59 2024 +0300

    make update-workspace

commit 14ddfbd8fb
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 19:02:40 2024 +0300

    finalize authlib grpc interceptors usage

commit 884c4a8c24
Merge: 0fd1988bed a1190b165b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Sep 2 19:00:07 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 0fd1988bed
Merge: b766bfb24f e0950a1283
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Fri Aug 30 10:45:51 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit b766bfb24f
Merge: 6993f108a2 68751ed310
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Wed Aug 28 15:46:04 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 6993f108a2
Merge: 5f073b04d0 f1ba609b34
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Tue Aug 27 12:51:07 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 5f073b04d0
Merge: 0620891d45 ac5ebe6e4d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Aug 19 21:09:44 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 0620891d45
Merge: 6a272e8e2a 15f2b08f00
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Mon Aug 12 14:14:44 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 6a272e8e2a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Thu Aug 8 18:53:43 2024 +0300

    allow insecure conns in dev mode + refactoring

commit 31c7b030ba
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Thu Aug 8 10:31:13 2024 +0300

    allow insecure connections (for testing purposes); remove audience checks

    audience checks will still need to be done for Access tokens, but not for ID tokens

commit 0fdd2ff802
Merge: 763961210c f384759ad1
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Wed Aug 7 14:42:39 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 763961210c
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Fri Aug 2 18:54:29 2024 +0300

    wip

commit c46b42a595
Merge: 92aba937a9 0145b0fe70
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Fri Aug 2 14:44:06 2024 +0300

    Merge branch 'main' into drclau/unistor/replace-authenticators-3

commit 92aba937a9
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
Date:   Thu Aug 1 18:32:19 2024 +0300

    authn: client side updates

    Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-10-28 14:35:30 +02:00
Claudiu Dragalina-Paraipan
830600dab0 AuthN: Optionally use tokens for unified storage client authentication (#91665)
* extracted in-proc mode to #93124

* allow insecure conns in dev mode + refactoring

* removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud

* remove the NamespaceAuthorizer: it would fail in legacy mode. It will be added back in the future.

* use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy

* extracted authz package changes in #95120

* extracted server side changes in #95086

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: gamab <gabriel.mabille@grafana.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
2024-10-24 09:12:37 +02:00
Gabriel MABILLE
b68b69c2b4 AuthN: Use tokens for unified storage server authentication (#95086)
* Extract server code

---------

Co-authored-by: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com>
2024-10-23 15:04:15 +02:00
Misi
50a635bc7e Auth: Introduce authn.SSOClientConfig to get client config from SSOSettings service (#94618)
* wip

* possible solution

* Separate interface for SSO settings clients

* Rename interface

* Fix tests

* Rename

* Change GetClientConfig to comma ok idiom
2024-10-16 16:27:44 +02:00
linoman
21d26de4d8 Session Refactor: Add SAMLSession (#94490)
* add saml session struct

* resolve saml session

* Add NameID

---------

Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2024-10-10 16:57:34 +02:00
Misi
c872cad879 OrgSync: Do not set default Organization for a user to a non-existent Organization (#94537)
Do not set default org for a user to a missing org

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2024-10-10 15:31:30 +02:00
Karl Persson
ace177f20a AuthN: Set access token name (#94471)
* Set access token name
2024-10-09 17:08:11 +02:00
Misi
bd7850853e Auth: Attach external session info to Grafana session (#93849)
* initial from poc changes

* wip

* Remove public external session service

* Update swagger

* Fix merge

* Cleanup

* Add background service for cleanup

* Add auth_module to user_external_session

* Add tests for token revocation functions

* Add secret migration capabilities for user_external_session fields

* Cleanup, refactor to address feedback

* Fix test
2024-10-08 11:03:29 +02:00
Misi
0539ccf10d Auth: Fix redirection when auto_login is enabled (#94311)
* Fix for SAML auto login

* Fix for OAuth auto login
2024-10-07 14:59:00 +02:00
Misi
d411ce2664 Auth: Use sessionStorage instead of cookie for automatic redirection (#92759)
* WIP: working as expected, has to be tested

* Rename query param, small changes

* Remove unused code

* Address feedback

* Cleanup

* Use the feature toggle to control the behaviour

* Use the toggle on the FE too

* Prevent the extra redirect/reload

Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com>

* Return to login if user is not authenticated

* Add tracking issue

* Align BE redirect constructor to locationSvc
2024-09-24 18:38:09 +02:00
Claudiu Dragalina-Paraipan
a8b07b0c81 [authn] use authlib client+interceptors for in-proc mode (#93124)
* Add authlib gRPC authenticators for in-proc mode

* implement `StaticRequester` signing in the unified resource client
- [x] when the `claims.AuthInfo` value type is `identity.StaticRequester`, and there's no ID token set, create an internal token and sign it with symmetrical key. This is a workaround for `go-jose` not offering the possibility to create an unsigned token.
- [x] update `IDClaimsWrapper` to support the scenario above
- [x] Switch to using `claims.From()` in `dashboardSqlAccess.SaveDashboard()`

---------

Co-authored-by: gamab <gabriel.mabille@grafana.com>
2024-09-24 09:03:48 +03:00
Gabriel MABILLE
7714b65f32 Cfg: Deduplicate DefaultOrgID code (#93588)
Cfg: Expose DefaultOrgID function
2024-09-23 16:50:11 +02:00
Gabriel MABILLE
7ef13497a8 AuthN: Ext JWT support actions (#92486) 2024-09-19 14:25:43 +02:00
Karl Persson
56487d37db Authn: No longer hash service account token twice during authentication (#92598)
* APIKey: Only decode and hash token once during authentication

* Only update last used every 5 minutes
2024-08-29 09:56:23 +02:00
Charandas
4f024d94d8 Authn: resolve issues with setting up a nil identity (#92620) 2024-08-29 00:49:41 +03:00
Charandas
af2e79aa83 K8s: namespace mapper should use authlib's util (#92332) 2024-08-27 15:01:42 -07:00
Ryan McKinley
2e60f28044 Auth: remove id token flag (#92209) 2024-08-21 16:30:17 +03:00
Dan Cech
9020eb4b17 Auth: Update oauthtoken service to use remote cache and server lock (#90572)
* update oauthtoken service to use remote cache and server lock

* remove token cache

* retry if lock is held by an in-flight refresh

* refactor token renewal to avoid race condition

* re-add refresh token expiry cache, but in SyncOauthTokenHook

* Add delta to the cache ttl

* Fix merge

* Change lockTimeConfig

* Always set the token from within the server lock

* Improvements

* early return when user is not authed by OAuth or refresh is disabled

* Allow more time for token refresh, tracing

* Retry on Mysql Deadlock error 1213

* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go

Co-authored-by: Dan Cech <dcech@grafana.com>

* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go

Co-authored-by: Dan Cech <dcech@grafana.com>

* Add settings for configuring min wait time between retries

* Add docs for the new setting

* Clean up

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

---------

Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2024-08-19 18:57:37 +02:00
Karl Persson
5105fb7f3a Identity: remove GetIDClaims (#91901)
remove GetIDClaims
2024-08-15 11:39:13 +02:00
Karl Persson
8bcd9c2594 Identity: Remove typed id (#91801)
* Refactor identity struct to store type in separate field

* Update ResolveIdentity to take string representation of typedID

* Add IsIdentityType to requester interface

* Use IsIdentityType from interface

* Remove usage of TypedID

* Remove typedID struct

* fix GetInternalID
2024-08-13 10:18:28 +02:00
Ryan McKinley
21d4a4f49e Auth: use IdentityType from authlib (#91763) 2024-08-12 09:26:53 +03:00
Ryan McKinley
243c0935fc Auth: Use claims.AuthInfo in requester (#91739) 2024-08-09 19:46:56 +03:00
Karl Persson
bcfb66b416 Identity: remove GetTypedID (#91745) 2024-08-09 18:20:24 +03:00
Claudiu Dragalina-Paraipan
e2435f92f1 [authn]: add GetIDClaims() to Requester (#91387)
* authn: add GetIDClaims() to Requester

Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

* authn: update StaticRequester

Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

* update auth/idtest/mock

Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>

* Fix test

Co-authored-by: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: gamab <gabriel.mabille@grafana.com>
2024-08-02 12:36:02 +03:00
Charandas
a3d3f9a1e4 Revert "Identity: Remove id token from extra info (#91169)" (#91350)
This reverts commit 10170cb839.
2024-07-31 21:27:46 +03:00
Ryan McKinley
10170cb839 Identity: Remove id token from extra info (#91169) 2024-07-31 09:14:13 +03:00
Vardan Torosyan
e20f8c566d RBAC sync: Fix removal of roles which need to be added (#91152)
* RBAC sync: Fix removal of roles which need to be added

* Optimize code

* cleanup: appease the linter

---------

Co-authored-by: Victor Cinaglia <victor@grafana.com>
2024-07-30 09:00:47 +02:00
Ryan McKinley
728150bdbd Identity: extend k8s user.Info (#90937) 2024-07-30 08:27:23 +03:00
Ryan McKinley
9db3bc926e Identity: Rename "namespace" to "type" in the requester interface (#90567) 2024-07-25 12:52:14 +03:00
Vardan Torosyan
82236976ae Add support ticket fixed roles to cloud role sync (#90864)
* Add support ticket fixed roles to cloud role sync

* Adding tests

* Fix the linter
2024-07-24 17:58:21 +02:00
Charandas
4abb4d1662 ExtJwt: don't log verify errors as they spam for grafana-agent (#90351)
* ExtJwt: don't log verify errors as they spam for grafana-agent

* remove dead code

* revert unintended change

* revert unintended change
2024-07-11 18:23:43 -07:00