Introduce OpenID Connect (OIDC) based SSO support

[rudeigerc]

Currently, Grafana supports SSO via various providers including Azure, GitHub, GitLab, Google, Grafana.com, Okta, LDAP and generic OAuth. Generic OAuth is commonly used when the providers are not listed. Operators could customize the attribute paths to match the provided JSON object or tokens.

However, OAuth is designed for authorization but not authentication. OIDC was introduced as a specification to provide the functionality of authentication. It defines a set of standard claims in the token and could also be visited via endpoints configured.

Providers such as Azure, Google, and Okta actually have conformed to the OIDC specification. I believe it would be better to introduce OIDC as a provider with Grafana's RBAC integration.

Looking forward to the discussion 😃

[sakjur]

Putting the name to the side, is any specific and relevant part of the OpenID Connect spec missing from the generic OAuth provider? It implements a bunch of OpenID Connect functionality already and I think this might be more a matter of documenting what the generic OAuth provider supports and doesn't support than introducing another provider. And making sure that we support the things that are important to our users.

The naming is to me a technicality where neither OIDC nor OAuth (2.0) is sufficiently more wrong than the other to warrant a duplication or migration. Would "openid_connect" have been a better name to start with? Possibly, but we have generic_oauth already, and I'm not sure there's a strong enough argument to move away from that.

[rudeigerc]

Hi @sakjur, I agree with you that the current generic OAuth provider has already implemented various OIDC functionality. In my opinion, OIDC extends OAuth by providing an identity layer and many identity providers do implement a part of the OIDC functionality like JWT based ID Token. In terms of Grafana, I think the simplest way is to support OIDC configuration through OIDC discovery specification as follows from /.well-known/openid-configuration with existed OIDC frameworks.

As shown follows, in this way, users only have to configure issuer without other URLs, and the SocialGenericOAuth can still be used after the configuration is generated.

issuer := sec.Key("issuer").String()
provider, err := oidc.NewProvider(context.Background(), issuer)
if err != nil {
	return err
}

config = oauth2.Config{
	ClientID:     info.ClientId,
	ClientSecret: info.ClientSecret,
	Endpoint:     provider.Endpoint(),
	RedirectURL:  strings.TrimSuffix(ss.Cfg.AppURL, "/") + SocialBaseUrl + name,
	Scopes:       info.Scopes,
}

[gelicia]

Hello, as you may have heard, we are transitioning away from using discussions to discuss feature requests. Due to the age and number of responses to this discussion, we are deciding to close it. If this is something you would like to see in Grafana, feel free to open an issue so the discussion can continue. Thank you!