Commit Graph

30 Commits

Author SHA1 Message Date
Mihai Doarna 8dfb4cdfc9 SSO: Add prompt param to SSO settings (#107969)
* add prompt param to AzureAD oauth config

* yarn i18n-extract

* validate auth prompt value

* make login_prompt available for all SSO providers

* use base authCodeURL for azure and google

* add docs for the new field for azure and generic oauth

* fix typo

* fix frontend unit test

* add prompt parameter to docs for the other providers

* remove prompt from okta

* add unit tests for the other providers

* address feedback

* add back translations for prompt labels
2025-07-17 14:40:48 +03:00
Misi 92d098fdfd Auth: Make domain_hint configurable for the Azure AD/Entra ID connector (#108061)
* Make domain_hint configurable for Entra ID/Azure AD

* Add docs

* Fix + i18n gen

* Add validation to domain hint

* Remove unnecessary change
2025-07-15 12:53:19 +02:00
Mykhailo Zahlada fc988c8771 Auth: Add Azure/Entra workload identity support (#104807)
* fixes/adds azure workload identity authentication. Issue #78249

* Updates default values. Adds `workload_identity_token_file` defaults

* Updates example config. Adds `workload_identity_token_file`

* Updates documentation: adds Federated credentials for Workload Identity

* Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

* Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

* Docs: add link to official documentation. Clarifies example.

* 1. Add workload_identity_enabled and workload_identity_token_file settings to [auth.azuread] for workload identity support.

2. Extend OAuthInfo struct to include workload identity fields.
3. Update OAuth authentication logic to handle Azure AD workload identity using federated token as client assertion.
4. Update sample configuration and documentation for new settings.

* ensure environment variable overrides are respected for OAuth SSO settings

- Ensure that settings loaded in pkg/services/ssosettings/strategies/oauth_strategy.go correctly reflect environment variable overrides, matching Grafana's config behavior.
- Align config loading logic with main config loader to prevent issues where INI values would override environment variables.

* updates documentation

* test: add workload identity configuration tests for Azure AD OAuth strategy. Add test coverage for workload_identity_enabled and workload_identity_token_file settings

* feat: add workload identity support to Azure AD SSO configuration UI

* updates documentation

* Simplify OAuth flow by removing unnecessary switch-case structure

* Small changes

* Lint + i18n gen

* refactor: remove redundant workload_identity_enabled setting as auth method gets defined by client_authentication

* update documentation

* refactor: remove redundant workload_identity_enabled setting as auth method gets defined by client_authentication

* updates documentation - configuration options table: adds `client_authentication`, `workload_identity_token_file`, and `federated_credential_audience`

* Small changes, lint, i18n

---------

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
2025-05-29 14:09:18 +02:00
linoman afa97a5970 SCIM: Rename assertion_attribute_external_uid (#104613)
Rename `assertion_attribute_external_uid`
2025-04-30 12:33:26 +03:00
linoman cb532cafef SCIM: Validate provisioned users (#102099)
* Validate authID when user is provisioned

* Add new `user_unique_id` to `user_auth` table

* Validate provisioned user with saml assertion

* Rework `ExternalUID`

* Validate for ExternalUID only

* Enhance verbosity

* Move ExternalUID to saml config

* Rename db variable for externalUID

* Add verbosity to debug ExternalUID

* Assign new error for ExternalUID mismatch

* Add `GetByLoginFn`

* Add new configuration to saml tests

* add validation for empty externalUID
2025-03-24 09:28:51 +01:00
John Naizer 79d565f285 OAuth: Support client_secret_jwt for oauth providers when doing token exchange (#95455)
* added backend support for client_secret_jwt

* added backend support for client_secret_jwt

* added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id)

* ran yarn install to update lock file

* added support for client_secret_jwt when managed_identity_client_id is null

* added audience flag and changed exchange to directly access oauth config using .info

* added logic in setting oauth.Config for supported client authentication values

* added client_authentication, managed_identity_client_id, and audience to sample.ini file

* using provided ctx in ManagedIdentityCallback function

* added frontend support for federated identity credential auth

* added client authentication field

* added Azure AD documentation for Grafana

* added bold font to "Add" keyword in documentation

* minor wording change relating to previous commit

* addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function

* correction to audience name changing

* fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function

* Change docs

* Add iam team as owner of azcore pkg

* added backend support for client_secret_jwt

* added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id)

* ran yarn install to update lock file

* added support for client_secret_jwt when managed_identity_client_id is null

* added audience flag and changed exchange to directly access oauth config using .info

* added logic in setting oauth.Config for supported client authentication values

* added client_authentication, managed_identity_client_id, and audience to sample.ini file

* using provided ctx in ManagedIdentityCallback function

* added frontend support for federated identity credential auth

* added client authentication field

* added Azure AD documentation for Grafana

* added bold font to "Add" keyword in documentation

* minor wording change relating to previous commit

* addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function

* correction to audience name changing

* fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function

* Change docs

* Add iam team as owner of azcore pkg

* updated yarn lock file

* updated doc for correction

* removed wrong changes in pkg directory

* removed newline in dashboard-generate.yaml and unified.ts

* updated yarn.lock to match upstream

* Lint

Signed-off-by: Jack Baldry <jack.baldry@grafana.com>

* removing unwanted changes

* added back removed newline

* fixed failing test in azuread_oauth_test.go

* Update azuread_oauth.go

removed unnecessary newline, fixed lint

---------

Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
2025-01-07 10:42:52 +01:00
Misi 275ee55e8f Auth: Extend the SAMLStrategy with entity_id (#96234)
Add the ability to specify EntityID
2024-11-13 10:36:46 +01:00
Misi 4eab10eaa1 Auth: Add missing Name property to SAML strategy (#94565)
Add Name to SAML strategy
2024-10-11 08:45:36 +02:00
Mihai Doarna b4db8bb967 LDAP: Remove omitempty flag from json annotation (#91843)
* remove omitempty flag from json annotation

* fix unit test
2024-08-13 18:17:52 +03:00
linoman ccb22e5b24 SAML: graph api follow up (#89389)
* add new graph api variables to saml strategy

* add config variable
2024-06-25 12:19:47 +02:00
Mihai Doarna d074cc7892 Auth: Implement reload function for LDAP (#89267)
* keep config in a separate struct in LDAP

* implement reload function for LDAP

* remove param from sso service constructor

* update unit tests

* add feature flag

* remove nil params

* address feedback

* add unit test for disabled config
2024-06-18 14:31:27 +03:00
Mihai Doarna 3d40caf819 SSO: Add LDAP fallback strategy for SSO settings service (#88905)
* add root and client certificate value fields for LDAP

* update error messages for connection error

* add LDAP fallback strategy for SSO settings service

* fix params for sso service provider

* fix params for sso service provider

* sort imports

* sort imports

* replace json.Number with int64 in config map

* remove type assertions
2024-06-11 10:22:53 +03:00
Mihai Doarna 25c57f21cd SSO: Add the new role value fields for SSO SAML strategy (#88561)
added the new role value fields for SSO SAML strategy
2024-06-04 15:47:27 +03:00
Mathieu Parent b8c9ae0eb7 OIDC: Support Generic OAuth org to role mappings (#87394)
* Social: link to OrgRoleMapper

* OIDC: support Generic Oauth org to role mappings

Fixes: #73448
Signed-off-by: Mathieu Parent <math.parent@gmail.com>

* Handle when getAllOrgs fails in the org_role_mapper

* Add more tests

* OIDC: ensure orgs are evaluated from API when not from token

Signed-off-by: Mathieu Parent <math.parent@gmail.com>

* OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict

Signed-off-by: Mathieu Parent <math.parent@gmail.com>

* Extend docs

* Fix test, lint

---------

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2024-05-23 09:55:45 +02:00
linoman fc205db466 samlsettings: api integration (#84300)
* add strategy and tests

* use settings provider service and remove multiple providers strategy

* Move SAML strategy to ssosettings service

* Update codeowners file

* reload from settings provider

* add saml as configurable provider

* Add new SAML strategy

* rename old saml settings interface

* update saml string references

* use OSS license

* validate saml provider depends on license for List

* add tests for list rendering including saml

* change the licensing validation to service init

* replace service struct for provider
2024-03-25 10:54:45 +01:00
linoman 66fa310fba SAMLSettings: implement settings strategy (#84191)
* add strategy and tests

* use settings provider service and remove multiple providers strategy

* update codeowners file

* reload from settings provider
2024-03-13 09:14:42 +01:00
Misi 07e26226b7 Auth: Add all settings to Azure AD SSO config UI (#83618)
* Add all settings to AzureAD UI

* prettify

* Fixes

* Load extra keys with type assertion
2024-03-04 11:55:59 +01:00
linoman b02ae375ba Chore: Query oauth info from a new instance (#83229)
* query OAuth info from a new instance

* add `hd` validation flag

* add `disable_hd_validation` to settings map

* update documentation

---------

Co-authored-by: Jo <joao.guerreiro@grafana.com>
2024-02-29 16:48:32 +01:00
Misi 3b7e7483c8 Auth: Align loading the legacy auth.grafananet section to the current behaviour in OAuthStrategy (#83479)
* Align oauth_strategy to the current behaviour

* lint

* Address feedback
2024-02-28 13:45:59 +01:00
Misi 9709ac8b84 Auth: Revert provider list change (#83435)
* Load auth.grafananet as the last provider

* skip test
2024-02-26 20:59:49 +01:00
Misi 617adb137c Auth: OAuth strategy load extra fields separately (#83408)
Load extra fields separately
2024-02-26 15:33:29 +01:00
Misi 20bb0a3ab1 AuthN: Support reloading SSO config after the sso settings have changed (#80734)
* Add AuthNSvc reload handling

* Working, need to add test

* Remove commented out code

* Add Reload implementation to connectors

* Align and add tests, refactor

* Add more tests, linting

* Add extra checks + tests to oauth client

* Clean up based on reviews

* Move config instantiation into newSocialBase

* Use specific error
2024-01-22 14:54:48 +01:00
Misi eae6adf002 Auth: Use cfg.Raw in OAuthStrategy for loading settings (#80136)
Use cfg.Raw in OAuthStrategy, remove unnecessary tests
2024-01-08 15:36:15 +02:00
Mihai Doarna 0f4cd3090b Auth: Modify scopes field value in tests to be comma separated (SSO Settings API) (#79759)
modify scopes field value to be comma separated
2023-12-20 17:43:18 +02:00
Mihai Doarna 15d8a1f94d Auth: Remove types from SSOSettings struct in SSO service (#79459)
* replace SSOSettings with SSOSettingsDTO

* fix database tests

* fix oauth strategy

* fix sso settings service tests

* add secrets encryption on update

* rename SSOSettingsDTO to SSOSettings

* remove extraKeys from strategy

* change back settings type from createOAuthConnector to OAuthInfo

* do not parse multi-value fields in oauth strategy
2023-12-15 16:00:52 +02:00
Misi ce1450d4d3 Chore: Configure SkipOrgRoleSync from OAuthInfo for OAuth connectors (#79443)
* Configure SkipOrgRoleSync from OAuthInfo

* Remove skipOrgRoleSync from socialbase and connectors

* Add test to socialimpl.ProvideService

* Deprecate AuthSettings' fields

* clean up misleading init of frontendsettings.Auth
2023-12-15 10:58:08 +01:00
Misi 50f4e78a39 Auth: Use SSO settings service to load social connectors + refactor (#79005)
* Refactor to prevent cyclic dependencies

* Move list authorization to the API layer

* Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled

* wip, need to handle the cyclic dep

* Remove cyclic dependency

* Align tests + refactor

* Move back OAuthInfo to social

* Delete pkg/login/social/constants

* Move reloadable registration to the social providers

* Rename connectors.Error to connectors.SocialError
2023-12-08 11:20:42 +01:00
Misi d3a269ab3b Auth: Load ini/env vars settings in the fallback strategy (#78495)
* Return data in camelCase from the OAuth fb strategy

* changes

* wip

* Add defaults for oauth fb strategy

* revert other changes

* Add tests

* Add Defaults to cfg and use it in OAuthStrategy

* Return *OAuthInfo from OAuthStrategy

* lint

* Remove unnecessary Defaults

* Introduce const for fields, fix import order

* Align failing tests

* clean up

* Changes requested by @gamab

* Update pkg/services/ssosettings/strategies/oauth_strategy_test.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Load data on startup

* Rename + simplify

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-12-01 15:35:44 +01:00
Misi 437ae8e8c5 Auth: Refactor OAuth connectors' initialization (#77919)
* Refactor AzureAD to init itself

* Use mapstructure to convert data to OAuthInfo

* Update

* Align tests

* Remove unused functions

* Add owner to mapstructure

* Clean up, lint

* Refactor Okta init, Align tests

* Address review comments, fix name in newSocialBase

* Update newSocialBase first param

* Refactor GitLab init, align tests

* Update pkg/login/social/common.go

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

* Use ini conversion to map

* Leftovers

* Refactor GitHub connector initialization, align tests

* Refactor Google connector init, align tests

* Refactor grafana_com connector, align tests

* Refactor generic_oauth connector init, align tests

* cleanup

* Remove util.go

* Add tests for custom field init

* Change OAuthInfo's Extra type

* Fix

* Replace interface{} with any

* clean up

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2023-11-20 09:45:40 +01:00
Misi 5285e9503b Auth: SSO settings foundations (#77724)
* initial changes, db migration

* changes

* Implement basic GetAll, Delete

* Add first batch of tests

* Add more tests

* Add service tests for GetForProvider, List

* Update http_server.go + wire.go

* Lint + update fixed role

* Update CODEOWNERS

* Change API init

* Change roles, rename

* Review with @kalleep

* Revert a mistakenly changed part

* Updates based on @dmihai 's feedback

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2023-11-08 10:50:01 +01:00