Files

T

Alexander Zobnin 294fd943c0 Chore: Update authlib (#110880 )

* Chore: Update authlib

* exclude incompatible version of github.com/grafana/gomemcache

* Update go-jose to v4

* fix jose imports

* remove jose v3 from go.mod

* fix tests

* fix serialize

* fix failing live tests

* add v1 of ES256 testkeys. Port tests to use ES256 instead of HS256

* accept more signature algs for okta and azuread

* azure social graph token sig

* accept more signature algs for oauth refresh and jwt auth

* update workspace

* add a static signer for inproc

* rebase and fix ext_jwt

* fix jwt tests

* apply alex patch on gomemcache

* update linting

* fix ext_jwt panic

* update workspaces

---------

Co-authored-by: Jo Garnier <git@jguer.space>

2025-09-15 12:45:15 +02:00

proto/v1

UnifiedStorage: Rename Batch processing to Bulk (#101413 )

2025-02-28 08:41:08 +03:00

rbac

Chore: Update authlib (#110880 )

2025-09-15 12:45:15 +02:00

zanzana

Replace check for integration tests. (#110707 )

2025-09-08 15:49:49 +02:00

rbac_settings.go

AuthZ: Make cache ttl configurable (#103769 )

2025-04-11 10:09:47 +02:00

rbac.go

fix: auhtz grpc client no org id issue (#110952 )

2025-09-11 14:02:56 +00:00

README.md

AuthZ: Introduce cloud mode (#96922 )

2024-11-22 16:19:53 +01:00

token_auth.go

AuthZ: Make NewGrpcTokenAuth public (#101352 )

2025-02-26 17:29:32 +01:00

wireset.go

Zanzana: Initial work to run openFGA as embedded or standalone service (#89211 )

2024-06-18 10:04:18 +02:00

zanzana.go

Udate IAM Folder Reconciler Operator config (#110728 )

2025-09-05 22:56:23 +00:00

README.md

Authorization

This package contains the authorization server implementation.

Feature toggles

The following feature toggles need to be activated:

[feature_toggles]
authZGRPCServer = true
grpcServer = true

Configuration

To configure the authorization server and client, use the "authorization" section of the configuration ini file.

The remote_address setting, specifies the address where the authorization server is located (ex: server.example.org:10000).

The mode setting can be set to either cloud, grpc or inproc. When set to cloud (or grpc), the client will connect to the specified address. When set to inproc the client will use inprocgrpc (relying on go channels) to wrap a local instantiation of the server.

The listen setting determines whether the authorization server should listen for incoming requests. When set to true, the authorization service will be registered to the Grafana GRPC server.

The default configuration does not register the authorization service on the Grafana GRPC server and binds the client to it inproc:

[authorization]
remote_address = ""
listen = false
mode = "inproc"

Example

Here is an example to connect the authorization client to a remote grpc server.

[authorization]
remote_address = "server.example.org:10000"
listen = false
mode = "grpc"

Here is an example to register the authorization service on the Grafana GRPC server and connect the client to it through grpc.

app_mode = development

[authorization]
remote_address = "localhost:10000"
listen = true
mode = "grpc"

Here is an example to connect the authorization client to a remote grpc server and use access token authentication.

[environment]
stack_id = 11

[authorization]
remote_address = "server.example.org:10000"
mode = "cloud"
listen = false

[grpc_client_authentication]
token = "ReplaceWithToken"
token_exchange_url = "signing-server.example.org/path/to/signing"
token_namespace = "stacks-11"