Merge pull request #14563 from tdabasinskas/broken_oauth_provider

Support OAuth providers that are not RFC6749 compliant

Merge pull request #14563 from tdabasinskas/broken_oauth_provider
Support OAuth providers that are not RFC6749 compliant
c201fc17 · Carl Bergquist · GitHub · 71837fe1 · eb517a37 · c201fc17
Commit c201fc17 authored Dec 19, 2018 by Carl Bergquist Committed by GitHub Dec 19, 2018
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 0 deletions

conf/defaults.ini
+1 -0

conf/sample.ini
+4 -0

docs/sources/auth/generic-oauth.md
+11 -0

pkg/setting/setting_oauth.go
+1 -0

pkg/social/social.go
+6 -0

No files found.
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -335,6 +335,7 @@ tls_skip_verify_insecure = false
 tls_client_cert =
 tls_client_key =
 tls_client_ca =
+send_client_credentials_via_post = false

 #################################### Basic Auth ##########################
 [auth.basic]

--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -284,6 +284,10 @@ log_queries =
 ;tls_client_key =
 ;tls_client_ca =

+; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
+; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
+;send_client_credentials_via_post = false
+
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
 ;enabled = false

--- a/docs/sources/auth/generic-oauth.md
+++ b/docs/sources/auth/generic-oauth.md
@@ -209,6 +209,17 @@ allowed_organizations =
    token_url = https://<your domain>.my.centrify.com/OAuth2/Token/<Application ID>
    ```

+## Set up OAuth2 with non-compliant providers
+
+Some OAuth2 providers might not support `client_id` and `client_secret` passed via Basic Authentication HTTP header, which
+results in `invalid_client` error. To allow Grafana to authenticate via these type of providers, the client identifiers must be
+send via POST body, which can be enabled via the following settings:
+
+    ```bash
+    [auth.generic_oauth]
+    send_client_credentials_via_post = true
+    ```
+
 <hr>


--- a/pkg/setting/setting_oauth.go
+++ b/pkg/setting/setting_oauth.go
@@ -15,6 +15,7 @@ type OAuthInfo struct {
 	TlsClientKey                 string
 	TlsClientCa                  string
 	TlsSkipVerify                bool
+	SendClientCredentialsViaPost bool
 }

 type OAuther struct {

--- a/pkg/social/social.go
+++ b/pkg/social/social.go
@@ -79,12 +79,18 @@ func NewOAuthService() {
 			TlsClientKey:                 sec.Key("tls_client_key").String(),
 			TlsClientCa:                  sec.Key("tls_client_ca").String(),
 			TlsSkipVerify:                sec.Key("tls_skip_verify_insecure").MustBool(),
+			SendClientCredentialsViaPost: sec.Key("send_client_credentials_via_post").MustBool(),
 		}

 		if !info.Enabled {
 			continue
 		}

+		// handle the clients that do not properly support Basic auth headers and require passing client_id/client_secret via POST payload
+		if info.SendClientCredentialsViaPost {
+			oauth2.RegisterBrokenAuthHeaderProvider(info.TokenUrl)
+		}
+
 		if name == "grafananet" {
 			name = grafanaCom
 		}