Auth: Extended JWT client for OBO and Service Authentication

[Jguer]

Pair PR: https://github.com/grafana/auth/pull/583

What is this feature?

Extended JWT client allows On Behalf Of (impersonation) and Service authentication via an auth api access token.

• Authenticate the Access policy as itself
• Scoped by the access policy’s realm, scopes and attributes (Permissions and DelegatedPermissions) and request caller
• Short term expiration (Expiration measured in minutes)
• Can only be created using the API
• Designed for internal service use
• Should not be shared with users
• Is a JWT (can be locally validated)

Accessing Grafana as the service

Example use case: Authz proxy needs to search permissions for every user in a dedicated privileged endpoint

curl -k  'http://localhost:3000/api/user' -H 'X-Access-Token: eyJ…'

X-Access-Token should be the Cloud Access Policy Access Token
Will return the user as the access policy. The namespaced ID in grafana will be access-policy:xxxx and it will not be persisted in the database. This ID cannot own things in grafana.
Permissions will be derived from the roles present in the permissions claim of the access token.

Accessing Grafana as a user

Example use case: plugin needs to know which folders a user can view

curl -k  'http://localhost:3000/api/user' -H 'X-Access-Token: eyJ…' -H 'X-Grafana-Id: eyJ…'

By providing both Access Token and Grafana User ID Token it is possible to authenticate as the user. The namespaced ID in Grafana will be the user’s ID.
The permissions for this call will be the intersection between the user’s stored permissions and the allowed actions specified by “delegatedPermissions”.

Why do we need this feature?

Impersonation access missing for background tasks and proxy

Who is this feature for?

Backend platform and cloud plugin developers

Which issue(s) does this PR fix?:

Fixes #

Special notes for your reviewer:

Please check that:

• It works as expected from a user's perspective.
• If this is a pre-GA feature, it is behind a feature toggle.
• The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

[grafanabot]

❌ Failed to run Playwright plugin e2e tests.

Click here to browse the Playwright report and trace viewer.
For information on how to run Playwright tests locally, refer to the Developer guide.

[kalleep]

Remove this part if this is no longer true

[kalleep]

How come we are using RBAC roles here and not just plain permissions as the name suggest?

[kalleep]

we should move this check to Authenticate and remove from authenticateAsUser and authenticateAsService

[andresmgot]

you can remove this change

[Jguer]

Suggested change

"github.com/stretchr/testify/require"

[Jguer]

/deploy-hg

[Jguer]

/deploy-to-hg

[ephemeral-instances-bot]

• Preparing your instance. A comment containing your instance's url will be added to this PR when the instance is ready.
• Your instance will be ready in ~10 minutes.
• Check the GitHub actions tab to follow the workflow progress
• Slack channel: #proj-ephemeral-hg-instances
• Building instance with jguer/repurpose-ext-jwt-client oss branch and main enterprise branch. How to choose a branch

[ephemeral-instances-bot]

• Your instance can be accessed at: https://ephemeral1511182183814jguer.grafana-dev.net
• The instance is not using the CDN assets.
• How to access / How to update instance config / How to build a specific branch

[andresmgot]

LGTM from the plugins-platform perspective.

[Jguer]

tested with ephemeral instance to ensure report was still sent.

Merging the current state and we'll continue to iterate (and testing how well it integrates).

[Jguer]

May cause some services to receive unexpected namespacedIDs if the service is not parsing accepted namespaces (ex: "rendering-service:0" instead of "user:0")