Experimental: OAuth Token Retriever #702
Conversation
andresmgot
requested review from
wbrowne and
marefr
and removed request for
a team
|
Feels like this might be provided by a 3rd party, something like github.com/go-jose/go-jose maybe - we're already using that within Grafana. Or something already available in the SDK perhaps, like https://github.com/grafana/grafana-plugin-sdk-go/blob/main/experimental/authclient/oauth2.go. |
Some Internet search revealed nothing regarding a library that already does this. I checked go-jose but that is related to JSON Web Signatures which I believe is different from what we need here. I tried and signatures generated with that package doesn't work (maybe I am missing something, this goes beyond my cryptographic knowledge). @mgyongyosi do you have any input?
That does not cover signatures. |
https://github.com/go-jose/go-jose/blob/6531eff483988d182103292d4348e075a6090c9e/jose-util/generator/utils.go#L71 for loading private key. Found some others as well.
I just noticed usage of a private key below and we're basically looking for creating an OAuth client, right? That seems to call this to parse the private key internally: Regarding signatures, what about https://pkg.go.dev/gopkg.in/go-jose/go-jose.v2?utm_source=godoc#NewSigner ? Some example usages in Grafana https://github.com/search?q=repo%3Agrafana%2Fgrafana%20NewSigner&type=code |
There was a problem hiding this comment.
LGTM. My common impression though is that OAuth is standardized and therefore should already be libraries available to do all this. but I might be wrong/misunderstand. This is not a blocker for now since this is in experimental why I approve, but would be good to figure out 3rd party libraries etc.
| @@ -29,4 +29,4 @@ Dimensions: 2 Fields by 15 Rows | |||
|
|
|||
|
|
|||
| ====== TEST DATA RESPONSE (arrow base64) ====== | |||
| FRAME=QVJST1cxAAD/////yAEAABAAAAAAAAoADgAMAAsABAAKAAAAFAAAAAAAAAEEAAoADAAAAAgABAAKAAAACAAAALgAAAADAAAATAAAACgAAAAEAAAAwP7//wgAAAAMAAAAAAAAAAAAAAAFAAAAcmVmSWQAAADg/v//CAAAAAwAAAAAAAAAAAAAAAQAAABuYW1lAAAAAAD///8IAAAAUAAAAEQAAAB7InR5cGUiOiJkaXJlY3RvcnktbGlzdGluZyIsInR5cGVWZXJzaW9uIjpbMCwwXSwicGF0aFNlcGFyYXRvciI6Ii8ifQAAAAAEAAAAbWV0YQAAAAACAAAAeAAAAAQAAACi////FAAAADwAAAA8AAAAAAAABTgAAAABAAAABAAAAJD///8IAAAAEAAAAAYAAABzdHJpbmcAAAYAAAB0c3R5cGUAAAAAAACI////CgAAAG1lZGlhLXR5cGUAAAAAEgAYABQAAAATAAwAAAAIAAQAEgAAABQAAABEAAAASAAAAAAAAAVEAAAAAQAAAAwAAAAIAAwACAAEAAgAAAAIAAAAEAAAAAYAAABzdHJpbmcAAAYAAAB0c3R5cGUAAAAAAAAEAAQABAAAAAQAAABuYW1lAAAAAP/////YAAAAFAAAAAAAAAAMABYAFAATAAwABAAMAAAAgAEAAAAAAAAUAAAAAAAAAwQACgAYAAwACAAEAAoAAAAUAAAAeAAAAA8AAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAvwAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAABAAAAAAAAAAEABAAAAAAAAPwAAAAAAAAAAAAAAAgAAAA8AAAAAAAAAAAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAkAAAAQAAAAGgAAAB0AAAAoAAAAOAAAAEcAAABbAAAAdQAAAJQAAACfAAAApQAAAKkAAAC3AAAAvwAAAFJFQURNRS5tZGFjdGlvbnNhdXRoY2xpZW50ZTJlZmlsZWluZm8uZ29maWxlaW5mb190ZXN0LmdvZnJhbWVfc29ydGVyLmdvZnJhbWVfc29ydGVyX3Rlc3QuZ29nb2xkZW5fcmVzcG9uc2VfY2hlY2tlci5nb2dvbGRlbl9yZXNwb25zZV9jaGVja2VyX3Rlc3QuZ29odHRwX2xvZ2dlcm1hY3Jvc21vY2tyZXN0X2NsaWVudC5nb3Rlc3RkYXRhAAAAAAAAAAAACQAAABIAAAAbAAAAGwAAABsAAAAbAAAAGwAAABsAAAAbAAAAJAAAAC0AAAA2AAAANgAAAD8AAABkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnkAEAAAAAwAFAASAAwACAAEAAwAAAAQAAAALAAAADwAAAAAAAQAAQAAANgBAAAAAAAA4AAAAAAAAACAAQAAAAAAAAAAAAAAAAAAAAAAAAAACgAMAAAACAAEAAoAAAAIAAAAuAAAAAMAAABMAAAAKAAAAAQAAADA/v//CAAAAAwAAAAAAAAAAAAAAAUAAAByZWZJZAAAAOD+//8IAAAADAAAAAAAAAAAAAAABAAAAG5hbWUAAAAAAP///wgAAABQAAAARAAAAHsidHlwZSI6ImRpcmVjdG9yeS1saXN0aW5nIiwidHlwZVZlcnNpb24iOlswLDBdLCJwYXRoU2VwYXJhdG9yIjoiLyJ9AAAAAAQAAABtZXRhAAAAAAIAAAB4AAAABAAAAKL///8UAAAAPAAAADwAAAAAAAAFOAAAAAEAAAAEAAAAkP///wgAAAAQAAAABgAAAHN0cmluZwAABgAAAHRzdHlwZQAAAAAAAIj///8KAAAAbWVkaWEtdHlwZQAAAAASABgAFAAAABMADAAAAAgABAASAAAAFAAAAEQAAABIAAAAAAAABUQAAAABAAAADAAAAAgADAAIAAQACAAAAAgAAAAQAAAABgAAAHN0cmluZwAABgAAAHRzdHlwZQAAAAAAAAQABAAEAAAABAAAAG5hbWUAAAAA+AEAAEFSUk9XMQ== | |||
| FRAME=QVJST1cxAAD/////yAEAABAAAAAAAAoADgAMAAsABAAKAAAAFAAAAAAAAAEEAAoADAAAAAgABAAKAAAACAAAALgAAAADAAAATAAAACgAAAAEAAAAwP7//wgAAAAMAAAAAAAAAAAAAAAFAAAAcmVmSWQAAADg/v//CAAAAAwAAAAAAAAAAAAAAAQAAABuYW1lAAAAAAD///8IAAAAUAAAAEQAAAB7InR5cGUiOiJkaXJlY3RvcnktbGlzdGluZyIsInR5cGVWZXJzaW9uIjpbMCwwXSwicGF0aFNlcGFyYXRvciI6Ii8ifQAAAAAEAAAAbWV0YQAAAAACAAAAeAAAAAQAAACi////FAAAADwAAAA8AAAAAAAABTgAAAABAAAABAAAAJD///8IAAAAEAAAAAYAAABzdHJpbmcAAAYAAAB0c3R5cGUAAAAAAACI////CgAAAG1lZGlhLXR5cGUAAAAAEgAYABQAAAATAAwAAAAIAAQAEgAAABQAAABEAAAASAAAAAAAAAVEAAAAAQAAAAwAAAAIAAwACAAEAAgAAAAIAAAAEAAAAAYAAABzdHJpbmcAAAYAAAB0c3R5cGUAAAAAAAAEAAQABAAAAAQAAABuYW1lAAAAAP/////YAAAAFAAAAAAAAAAMABYAFAATAAwABAAMAAAAoAEAAAAAAAAUAAAAAAAAAwQACgAYAAwACAAEAAoAAAAUAAAAeAAAABAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEAAAAAAAAAEgAAAAAAAAAwwAAAAAAAAAQAQAAAAAAAAAAAAAAAAAAEAEAAAAAAABEAAAAAAAAAFgBAAAAAAAASAAAAAAAAAAAAAAAAgAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAkAAAAQAAAAGgAAAB0AAAAoAAAAOAAAAEcAAABbAAAAdQAAAJQAAACfAAAApQAAAKkAAAC3AAAAuwAAAMMAAAAAAAAAUkVBRE1FLm1kYWN0aW9uc2F1dGhjbGllbnRlMmVmaWxlaW5mby5nb2ZpbGVpbmZvX3Rlc3QuZ29mcmFtZV9zb3J0ZXIuZ29mcmFtZV9zb3J0ZXJfdGVzdC5nb2dvbGRlbl9yZXNwb25zZV9jaGVja2VyLmdvZ29sZGVuX3Jlc3BvbnNlX2NoZWNrZXJfdGVzdC5nb2h0dHBfbG9nZ2VybWFjcm9zbW9ja3Jlc3RfY2xpZW50Lmdvc2lnbnRlc3RkYXRhAAAAAAAAAAAAAAAAAAkAAAASAAAAGwAAABsAAAAbAAAAGwAAABsAAAAbAAAAGwAAACQAAAAtAAAANgAAADYAAAA/AAAASAAAAAAAAABkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnlkaXJlY3RvcnkQAAAADAAUABIADAAIAAQADAAAABAAAAAsAAAAPAAAAAAABAABAAAA2AEAAAAAAADgAAAAAAAAAKABAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAwAAAAIAAQACgAAAAgAAAC4AAAAAwAAAEwAAAAoAAAABAAAAMD+//8IAAAADAAAAAAAAAAAAAAABQAAAHJlZklkAAAA4P7//wgAAAAMAAAAAAAAAAAAAAAEAAAAbmFtZQAAAAAA////CAAAAFAAAABEAAAAeyJ0eXBlIjoiZGlyZWN0b3J5LWxpc3RpbmciLCJ0eXBlVmVyc2lvbiI6WzAsMF0sInBhdGhTZXBhcmF0b3IiOiIvIn0AAAAABAAAAG1ldGEAAAAAAgAAAHgAAAAEAAAAov///xQAAAA8AAAAPAAAAAAAAAU4AAAAAQAAAAQAAACQ////CAAAABAAAAAGAAAAc3RyaW5nAAAGAAAAdHN0eXBlAAAAAAAAiP///woAAABtZWRpYS10eXBlAAAAABIAGAAUAAAAEwAMAAAACAAEABIAAAAUAAAARAAAAEgAAAAAAAAFRAAAAAEAAAAMAAAACAAMAAgABAAIAAAACAAAABAAAAAGAAAAc3RyaW5nAAAGAAAAdHN0eXBlAAAAAAAABAAEAAQAAAAEAAAAbmFtZQAAAAD4AQAAQVJST1cx | |||
There was a problem hiding this comment.
everytime there is a new package, this test fails so the snapshot here needs to be updated 🤷
@andresmgot JSON Web Signature is what we need. The Apologies for the confusion I caused, I had a custom implementation before I realized that go-jose should contain everything we need. |
|
|
andresmgot
changed the title
|
Thanks to the changes from @mgyongyosi I was able to higly simplify the tr, err := oauthtokenretriever.New(
app.httpClient,
app.grafanaAppURL,
os.Getenv("GF_PLUGIN_APP_CLIENT_ID"),
os.Getenv("GF_PLUGIN_APP_CLIENT_SECRET"),
os.Getenv("GF_PLUGIN_APP_PRIVATE_KEY"),
)
...
token, err := tr.GetExternalServiceToken(req.FormValue("userID"))
...
proxyReq.Header.Set("Authorization", token)WDYT? |
There was a problem hiding this comment.
Given this is in experimental I approve this. However, added some nits and suggestions.
In general, would be helpful to see how grafana/grafana-plugin-examples#138 would implement this before merge. You can do that in examples repo with go mod edit -replace=github.com/grafana/grafana-plugin-sdk-go=github.com/grafana/grafana-plugin-sdk-go@experimentalSign. If I understand it correctly it's up to each consumer (plugin) to retrieve client id, secret and private key from environment variables - we probably want to hide this from plugin authors within the SDK eventually?
In regards to oauth2 package nits/suggestions. As noted earlier this can happen at a later stage, but if we cannot use those out of the box, would then suggest implement the oauth2.TokenSource interface to make it compatible with the oauth2 package. The oauth2 client would possible be a nice abstraction to hide the retrieval of client id, secret and private key for plugin authors within the SDK.
| } | ||
|
|
||
| // retrieveSelfToken returns a JWT bearer token for the service account created with the app. | ||
| func (t *tokenRetriever) retrieveSelfToken() (string, error) { |
There was a problem hiding this comment.
Nit. Can't let go of this since exactly this seems to be provided by the oauth2 package: https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.9.0:clientcredentials/clientcredentials.go
Doesn't need to be fixed now, but seems like what we might want in the future since it provides standard things plus automatic reuse of token until expiration and automatically refreshes when expired.
There was a problem hiding this comment.
plus automatic reuse of token until expiration and automatically refreshes when expired
For the record, I checked this with @mgyongyosi and for the moment, the token returned does not contain a refresh token so it cannot be automatically refreshed.
| } | ||
|
|
||
| // retrieveJWTBearerToken returns a JWT bearer token for the given user ID. | ||
| func (t *tokenRetriever) retrieveJWTBearerToken(userID string) (string, error) { |
There was a problem hiding this comment.
Nit. Can't let go of this since exactly this seems to be provided by the oauth2 package: https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.9.0:jwt/jwt.go
Doesn't need to be fixed now, but seems like what we might want in the future since it provides standard things plus automatic reuse of token until expiration and automatically refreshes when expired.
There was a problem hiding this comment.
in this case, I was not able to use the jwt package since I couldn't find a way to set the necessary client_id and client_secret (the endpoint returned an error because that info was missing).
There was a problem hiding this comment.
another reason: that library only supports RS256 keys, in our case the default is ES256:
https://github.com/golang/oauth2/blob/master/internal/oauth2.go#L20
yes, I am keeping that up to date with the changes in the rest of repos. See how it's reading env vars: It makes sense to also hide the envvar management to the SDK 🤔
Let me also check if that works 👍 |
* add test manage func * flesh out * fix linter * adjust test to use experimental package * regenerate * delete dir * Experimental: OAuth Token Retriever (#702) Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> * fix golden file * update package name * fix test * fix golden file * undo commit * fix comment * shutdown for plugin --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
What this PR does / why we need it:
Will use this as a library for grafana/grafana-plugin-examples#138
Which issue(s) this PR fixes:
Ref grafana/grafana#66245
Special notes for your reviewer: