Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth: Make sub claim required for generic oauth #84745

Closed
wants to merge 4 commits into from
Closed

OAuth: Make sub claim required for generic oauth #84745

wants to merge 4 commits into from

Conversation

kalleep
Copy link
Contributor

@kalleep kalleep commented Mar 19, 2024
edited

What is this feature?
Make sub claim required for generic oauth. We still handle the case where a auth connection was made without a valid AuthID and patches it during user sync.

  • Special case

    grafana/pkg/services/authn/authnimpl/sync/user_sync.go

    Lines 339 to 347 in a8e211b

    // Special case for generic oauth: generic oauth does not store authID,
    // so we need to find the user first then check for the userAuth connection by module and userID
    if identity.AuthenticatedBy == login.GenericOAuthModule {
    query := &login.GetAuthInfoQuery{AuthModule: identity.AuthenticatedBy, UserId: usr.ID}
    userAuth, err = s.authInfoService.GetAuthInfo(ctx, query)
    if err != nil && !errors.Is(err, user.ErrUserNotFound) {
    return nil, nil, err
    }
    }
  • Patching

    grafana/pkg/services/authn/authnimpl/sync/user_sync.go

    Line 192 in a8e211b

    func (s *UserSync) upsertAuthConnection(ctx context.Context, userID int64, identity *authn.Identity, createConnection bool) error {

Which issue(s) does this PR fix?:
Fixes #https://github.com/grafana/identity-access-team/issues/603

Release notice breaking change

Authentication with generic oauth now requires sub claim to be present in either ID-Token or API response

@kalleep kalleep added add to changelog breaking change Relevant for changelog generation labels Mar 19, 2024
@kalleep kalleep added this to the 11.0.x milestone Mar 19, 2024
@kalleep kalleep requested a review from a team as a code owner March 19, 2024 14:31
aarongodin
aarongodin approved these changes Mar 19, 2024
View reviewed changes
Copy link
Contributor

@aarongodin aarongodin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, LGTM

eleijonmarck
eleijonmarck approved these changes Mar 20, 2024
View reviewed changes
Copy link
Contributor

@eleijonmarck eleijonmarck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is no featuretoggle?

@kalleep kalleep changed the title GenericOAuth: make sub claim required OAuth: make sub claim required for generic oauth Mar 22, 2024
@kalleep kalleep changed the title OAuth: make sub claim required for generic oauth OAuth: Make sub claim required for generic oauth Mar 22, 2024
@kalleep kalleep mentioned this pull request Mar 25, 2024
Merged
3 tasks
@kalleep
Copy link
Contributor Author

kalleep commented Mar 25, 2024

Closing in favor of #85065

@kalleep kalleep closed this Mar 25, 2024
@grafana-delivery-bot grafana-delivery-bot bot removed this from the 11.0.x milestone Mar 25, 2024
@grafana-delivery-bot grafana-delivery-bot bot mentioned this pull request Apr 15, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aarongodin aarongodin aarongodin approved these changes

@eleijonmarck eleijonmarck eleijonmarck approved these changes

Assignees
No one assigned
Labels
add to changelog area/backend breaking change Relevant for changelog generation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@kalleep @aarongodin @eleijonmarck