Implement authentication as GitHub App #88
Comments
|
I agree. To do this properly I'm waiting on this Grafana PR to be merged: grafana/grafana#27055. I tried to allow this plugin to be an OAuth2 client, and while it's possible, I didn't want to have a significant setup burden for installing this plugin. You would have to create a new GitHub app or a new OAuth 2.0 app for the plugin, and link directly to the callback URL in the plugin. Here's what an example callback URL would look like: http://localhost:3000/api/datasources/2638/resources/oauth/auth. The problem that I encountered was that public URL of the Grafana instance was not exposed to the datasource, nor was the datasource ID needed for the URL ( Once I got to that point, I found the above PR and I decided it wasn't worth it. If there's demand for it though, I could go back and re-implement this, and allow users to type in their grafana public URL and datasource ID into the settings to generate a callback URL. I just felt like this was too cumbersome and would create a lot of support requests / confusion. |
|
OAuth2 may satisfy our needs allowing individuals to configure the application themselves. The advantage of a full GitHub App is that we can grant that application different permissions than the individual users of the Grafana server, for instance, installing the GitHub App into repos they may not have access to otherwise. We've used this for some specific build scenarios using the Jenkins GitHub App to great effect. Additionally, a GitHub App has the advantage of enabling PAT-based API access as well as OAuth2-based API access, a GitHub App is a mashup of both an OAuth 2 app and a 'machine user'. Just with a more complicated authentication handshake 😊 Based on how we've set up other GitHub Apps I'd fully expect just a guide on how to manually set up an app, the scoped required, and dropping the generated private key into my Grafana configuration, likely as a config file entry so we can populate it automatically via Vault with our setup. |
|
GitHub App Authentication does not use standard/generic JWT payloads (for example The plugin will have 3 new settings:
The user will configure the above manually through the UI or with datasource provisioning. This way the plugin will handle the authentication internally and will not depend on Grafana to do the authentication during request proxy, etc. and the Grafana codebase will not include an exception for handling GitHub OAuth2. |
|
Any progress on this? The PAT method is a bit of a show stopper as it gives access to all organisations of that user. |
@kminehart, grafana/grafana#27055 is merged and grafana/grafana#26023 is closed, so it should be possible right? |
|
My team will also appreciate this |
|
Grafana 9.2 is out and I believe this is all supported now. |
|
I don't believe the Forward OAuth Identity feature is a solution to this. I think you can try but I doubt it will succeed, as it's been in Grafana since 7.2. |
|
I'd also very much appreciate this. My use-case: I want to use a GitHub App that has read-only access to multiple orgs in Grafana. |
|
Hi team, any update on this issue? |
|
Hi @yahel2410, sorry this is not prioritized. |
Hi all,
Related to #75 we'd very much appreciate if this plugin implemented GitHub App style authentication rather than using a PAT associated with an existing account.
Enterprise accounts are billed on a per-user basis, and 'machine users' count towards this accounting. This is exacerbated by the need to have separate accounts for separate team's private repositories that can't have shared accounts in them for security compliance. This can make integration cost prohibitive.
The primary effort here is to set up the handshake to generate an installation PAT, at which point it acts like a user PAT save that it only lasts for an hour. We've had success converting several of our internal apps to use the App communication.
The text was updated successfully, but these errors were encountered: