feat: Generic Oauth: support for team_ids, team_ids_attribute_path, teams_url

[weisdd]

Description

Generic Oauth section of grafana configuration helps to impose additional restrictions on who is allowed to login. One of those restrictions is user presence in a particular team id (has nothing to do with teams in grafana itself). From docs:

Grafana will check for the presence of at least one of the teams specified via the team_ids configuration option using the JMESPath specified via the team_ids_attribute_path configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the Teams endpoint specified via the teams_url configuration option (using /teams as a fallback endpoint). The result should be a string array of Grafana Team IDs. Using this setting ensures that only certain teams is allowed to authenticate to Grafana using your OAuth provider.

Source: https://grafana.com/docs/grafana/latest/auth/generic-oauth/#groups--teams

So this PR brings support to the following parameters:

[auth.generic_oauth]
team_ids = 1
team_ids_attribute_path = [*]
teams_url = http://255.255.255.254:8080/teams

My actual use case is non-standard: In my tiny app, I'm trying to exploit this setting to get access to a user ID token (gets sent to teams_url by grafana), so I can then add the user to a team via Grafana API based on user's claims.

Type of change

• New feature (non-breaking change which adds functionality)

Checklist

• This change requires a documentation update
• I have added tests that prove my fix is effective or that my feature works
• I have added a test case that will be used to verify my changes
• Verified independently on a cluster by reviewer

Verification steps

It'd be slightly difficult to do an e2e-test as part of the configuration has to be done on IDP side (Keycloak in my case) and a web-server that would return a json with team ids. So, I'd say it's better to just check the presence of the 3 newly added fields: teams_url, team_ids_attribute_path, team_ids in grafana ConfigMap.

  spec:
    config:
      auth:
        disable_login_form: true
        login_maximum_inactive_lifetime_duration: 4h
        login_maximum_lifetime_duration: 8h
        oauth_auto_login: true
        signout_redirect_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/logout?redirect_uri=http://grafana.localhost
      auth.generic_oauth:
        allow_sign_up: true
        api_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/userinfo
        auth_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/auth
        client_id: grafana
        client_secret: REDACTED
        enabled: true
        role_attribute_path: contains(roles[*], 'grafana-admin') && 'Admin' || contains(roles[*],
          'grafana-editor') && 'Editor' || 'Viewer'
        scopes: email profile
        team_ids: "1"
        team_ids_attribute_path: '[*]'
        teams_url: http://255.255.255.254:8080/teams
        token_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/token

[NissesSenap]

Great PR @weisdd, thanks for the links to the original docs and a good example output.
LGTM
@HubertStefanski or @pb82 any thoughts?

[HubertStefanski]

@weisdd LGTM! (also thanks for the docs and examples)

@NissesSenap Thanks for taking a look, LGTM'd also