Replies: 1 comment
Hello, as you may have heard, we are transitioning away from using discussions to discuss feature requests. Due to the age and number of responses to this discussion, we are deciding to close it. If this is something you would like to see in Grafana, feel free to open an issue so the discussion can continue. Thank you!
Moved from closed issue #20940 and pull request #20884.
There are many custom oauth systems that require additional parameters be specified during the token exchange part of the oauth 2.0 specification. Specifically additional HTTP form parameters should be sent as part of the POST to the "token_url" (from the custom oauth configuration of Grafana).
With Auth0, the "audience" parameter is required in a specific scenario (but can be avoided with custom rules if you need this scenario supported); however, this scenario should be the preferred configuration of Auth0 with Grafana.
After successful login, the access token returned by Auth0 by default (if no audience is specified and no default audience is configured at the tenant level [the default]) will be an opaque token (not a JWT). If you have backend services that require a JWT (i.e. most of us), then you must first have a defined "Auth0 resource server" (or API in some docs) that corresponds to your backend, and you must specify its API identifier (it's URL-like) as either the default audience in the Auth0 tenant config or you must send the "audience" HTTP form parameter on the token exchange (or in an SPA, on the authorize URL).
If I want to use RBAC in Auth0 to control my roles in Grafana, assuming you already have another resource server in Auth0 that's my primary resource server (and its API identifier is probably set as the default audience in your auth0 tenant) and I want to add support for Grafana, I either need to add the Grafana permissions to the primary resource server (which I don't want to do as they aren't related to it) or I need to create a second resource server that corresponds to Grafana and specify the Grafana permissions there.
If I do that (i.e. correctly segregate my resource servers/APIs), then I am required to send the "audience" parameter as part of the token exchange or it will not correctly enforce RBAC and also will issue the JWT token with the wrong "aud".
Currently the only option is to send it as an HTTP query string parameter in the "token_url"; however, Auth0 will only accept it if it's part of the HTTP form POST body.
I propose the addition of a new token_url_params configuration option on the oauth configuration section of Grafana that accepts a query string in standard escaped format (i.e. for use in url.ParseQuery in Golang) that specifies additional form parameters to be sent during the POST to the OAuth token_url endpoint.
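The following is an added example, not code from this post or from Grafana, of how the proposed setting could be applied to the token exchange. `BuildTokenRequestForm`, `ExchangeCode`, `AccessTokenFor` and `NewFakeTokenServer` are names assumed here; the fake token endpoint is a constructed stand-in that mirrors the behaviour reported above (an "audience" value is honoured only when it arrives in the POST body, and an opaque token is issued otherwise). The extra parameters are merged before the standard fields are set, so a value in the setting can never override `grant_type`, `code` or `redirect_uri`, and a malformed setting is rejected at parse time rather than silently dropped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed API identifier of a Grafana resource server in Auth0.
const grafanaAPI = "https://grafana.example.com/api"

// BuildTokenRequestForm assembles the form body for an OAuth 2.0
// authorization-code token exchange and merges in extra form parameters parsed
// from a hypothetical token_url_params setting (standard escaped query-string
// format, e.g. "audience=https%3A%2F%2F..."). The standard fields are set last
// so that a stray value in the setting cannot override them.
func BuildTokenRequestForm(code, redirectURI, tokenURLParams string) (url.Values, error) {
	form, err := url.ParseQuery(tokenURLParams)
	if err != nil {
		return nil, fmt.Errorf("token_url_params: %w", err)
	}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	return form, nil
}

// ExchangeCode POSTs the form to tokenURL as application/x-www-form-urlencoded,
// authenticating the client with HTTP Basic auth, and returns the response body.
func ExchangeCode(tokenURL, clientID, clientSecret string, form url.Values) (string, error) {
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, body)
	}
	return string(body), nil
}

// AccessTokenFor runs a full exchange with constructed client values and returns
// the access_token field of the JSON response.
func AccessTokenFor(tokenURL, tokenURLParams string) (string, error) {
	form, err := BuildTokenRequestForm("constructed-auth-code", "https://grafana.example.com/login/generic_oauth", tokenURLParams)
	if err != nil {
		return "", err
	}
	body, err := ExchangeCode(tokenURL, "grafana-client-id", "grafana-client-secret", form)
	if err != nil {
		return "", err
	}
	var tok struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal([]byte(body), &tok); err != nil {
		return "", err
	}
	return tok.AccessToken, nil
}

// NewFakeTokenServer is a constructed stand-in for the provider's token endpoint.
// It reads "audience" from r.PostForm (body parameters only), so a value placed
// on the query string is ignored, and answers with an opaque token in that case.
func NewFakeTokenServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		if r.PostForm.Get("grant_type") != "authorization_code" {
			http.Error(w, "unsupported_grant_type", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		aud := r.PostForm.Get("audience")
		if aud == "" {
			fmt.Fprint(w, `{"access_token":"opaque-token","token_type":"Bearer"}`)
			return
		}
		fmt.Fprintf(w, `{"access_token":"jwt.for.%s","token_type":"Bearer"}`, aud)
	}))
}

func main() {
	srv := NewFakeTokenServer()
	defer srv.Close()
	// Today's only option: audience on the token_url query string, which the endpoint ignores.
	tok, _ := AccessTokenFor(srv.URL+"/oauth/token?audience="+url.QueryEscape(grafanaAPI), "")
	fmt.Println("query string only:", tok)
	// With the proposed setting the value is sent in the form body.
	tok, _ = AccessTokenFor(srv.URL+"/oauth/token", "audience="+url.QueryEscape(grafanaAPI))
	fmt.Println("token_url_params :", tok)
}
```

Running `main` prints `opaque-token` for the query-string variant and a JWT-style token bound to the Grafana audience for the form-body variant, which is the difference the post describes. Keeping the standard fields last is the one design choice worth noting: an operator-supplied string should be able to add parameters, not change the grant type of the exchange.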