Commit 06bf7e8e by Alexander Morozov Committed by Marcus Efraimsson

OAuth: Removes send_client_credentials_via_post setting (#20044)

Removes send_client_credentials_via_post oauth setting and 
use auto-detect mechanism instead.
By these changes also fixes statichcheck errors

Ref #8968
parent b12dc890
......@@ -387,7 +387,6 @@ tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
send_client_credentials_via_post = false
#################################### SAML Auth ###########################
[auth.saml] # Enterprise only
......
......@@ -378,10 +378,6 @@
;tls_client_key =
;tls_client_ca =
; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
;send_client_credentials_via_post = false
#################################### SAML Auth ###########################
[auth.saml] # Enterprise only
# Defaults to false. If true, the feature is enabled.
......
......@@ -219,20 +219,6 @@ allowed_organizations =
auth_url = https://<your domain>.my.centrify.com/OAuth2/Authorize/<Application ID>
token_url = https://<your domain>.my.centrify.com/OAuth2/Token/<Application ID>
api_url = https://<your domain>.my.centrify.com/OAuth2/UserInfo/<Application ID>
```
## Set up OAuth2 with non-compliant providers
> Only available in Grafana v6.0 and above.
Some OAuth2 providers might not support `client_id` and `client_secret` passed via Basic Authentication HTTP header, which
results in `invalid_client` error. To allow Grafana to authenticate via these type of providers, the client identifiers must be
send via POST body, which can be enabled via the following settings:
```bash
[auth.generic_oauth]
send_client_credentials_via_post = true
```
## JMESPath examples
......
......@@ -222,3 +222,7 @@ Pre Grafana 6.5.0, the CloudWatch datasource used the GetMetricStatistics API fo
Each request to the GetMetricData API can include 100 queries. This means that each panel in Grafana will only issue one GetMetricData request, regardless of the number of query rows that are present in the panel. Consequently as it is no longer possible to set `HighRes` on a per query level anymore, this switch is now removed from the query editor. High resolution can still be achieved by choosing a smaller minimum period in the query editor.
The handling of multi-valued template variables in dimension values has been changed in Grafana 6.5. When a multi template variable is being used, Grafana will generate a search expression. In the GetMetricData API, expressions are limited to 1024 characters, so it might be the case that this limit is reached when a multi-valued template variable that has a lot of values is being used. If this is the case, we suggest you start using `*` wildcard as dimension value instead of a multi-valued template variable.
## Upgrading to v6.6
The Generic OAuth setting `send_client_credentials_via_post`, used for supporting non-compliant providers, has been removed. From now on, Grafana will automatically detect if credentials should be sent as part of the URL or request body for a specific provider. The result will be remembered and used for additional OAuth requests for that provider.
......@@ -83,19 +83,12 @@ func NewOAuthService() {
TlsClientKey: sec.Key("tls_client_key").String(),
TlsClientCa: sec.Key("tls_client_ca").String(),
TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(),
SendClientCredentialsViaPost: sec.Key("send_client_credentials_via_post").MustBool(),
}
if !info.Enabled {
continue
}
// handle the clients that do not properly support Basic auth headers and require passing client_id/client_secret via POST payload
if info.SendClientCredentialsViaPost {
// TODO: Fix the staticcheck error
oauth2.RegisterBrokenAuthHeaderProvider(info.TokenUrl) //nolint:staticcheck
}
if name == "grafananet" {
name = grafanaCom
}
......@@ -108,6 +101,7 @@ func NewOAuthService() {
Endpoint: oauth2.Endpoint{
AuthURL: info.AuthUrl,
TokenURL: info.TokenUrl,
AuthStyle: oauth2.AuthStyleAutoDetect,
},
RedirectURL: strings.TrimSuffix(setting.AppUrl, "/") + SocialBaseUrl + name,
Scopes: info.Scopes,
......@@ -183,6 +177,7 @@ func NewOAuthService() {
Endpoint: oauth2.Endpoint{
AuthURL: setting.GrafanaComUrl + "/oauth2/authorize",
TokenURL: setting.GrafanaComUrl + "/api/oauth2/token",
AuthStyle: oauth2.AuthStyleInHeader,
},
RedirectURL: strings.TrimSuffix(setting.AppUrl, "/") + SocialBaseUrl + name,
Scopes: info.Scopes,
......
......@@ -54,11 +54,10 @@ func NewDashboardFileReader(cfg *DashboardsAsConfig, log log.Logger) (*fileReade
// pollChanges periodically runs startWalkingDisk based on interval specified in the config.
func (fr *fileReader) pollChanges(ctx context.Context) {
// TODO: Fix the staticcheck error
ticker := time.Tick(time.Duration(int64(time.Second) * fr.Cfg.UpdateIntervalSeconds)) //nolint:staticcheck
ticker := time.NewTicker(time.Duration(int64(time.Second) * fr.Cfg.UpdateIntervalSeconds))
for {
select {
case <-ticker:
case <-ticker.C:
if err := fr.startWalkingDisk(); err != nil {
fr.log.Error("failed to search for dashboards", "error", err)
}
......
......@@ -17,7 +17,6 @@ type OAuthInfo struct {
TlsClientKey string
TlsClientCa string
TlsSkipVerify bool
SendClientCredentialsViaPost bool
}
type OAuther struct {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment