OAuth: Support OIDC Hybrid Flow #26350
Comments
That is exactly what we would need. Then we could make use of Grafana in our company. Excellent!
For using Grafana together with OCS in our company, this feature is essential. Please include it in a Grafana release.
As suggested in #15312, maybe there should be a separate "OpenID Connect" auth plugin rather than adding this kind of feature to "Generic OAuth".
This issue has been automatically marked as stale because it has not had activity in the last year. It will be closed in 30 days if no further activity occurs. Please feel free to leave a comment if you believe the issue is still relevant. Thank you for your contributions!
This issue has been automatically closed because it has not had any further activity in the last 30 days. Thank you for your contributions!
What would you like to be added:
Support for the OIDC Hybrid Flow. See Auth0, Medium, Scott Brady
Why is this needed:
Some Identity Providers do not support Authorization Code flow or require PKCE for the Authorization Code flow. Hybrid Flow adds an additional layer of security on top of the normal Authorization Code flow without requiring PKCE and while still using a client secret.
Specifically, OSIsoft Cloud Services, my company's flagship cloud service, offers authorization only by Client Credentials, Authorization Code + PKCE, and Hybrid flow. Since the only compatible method with Grafana is Client Credentials, it is not feasible to have individual users log in; instead, our customers must use an organization-wide client secret stored within the Grafana server. Hybrid flow is preferred over Auth+PKCE because, in our system, Auth+PKCE is not allowed to issue a refresh token while Hybrid is, and Grafana needs a refresh token to keep users logged in and leave dashboards open over long periods.
I created #26302 for this feature and it was rejected on the grounds that there is no community support for this; if you are interested in this feature please comment or thumbs-up.
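The extra check that Hybrid Flow gives a confidential client, as an added example that is not code from this issue or from Grafana: with `response_type=code id_token` the ID token returned alongside the code carries a `c_hash` claim, and the client compares it to the code before redeeming that code with its client secret. The type and function names are hypothetical, and the sketch assumes a JWT library has already verified the token's signature, `iss`, `aud` and `exp`, and that the client sent a `nonce` in the authorization request.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"hash"
)

// FrontChannelIDToken: fields of an already verified ID token (assumption, see lead-in).
type FrontChannelIDToken struct{ Alg, Nonce, CHash string }

// CodeHash returns c_hash: base64url of the left half of hash(code), with the
// hash picked by the token's "alg" (RS256 -> SHA-256, ES384 -> SHA-384, ...).
func CodeHash(alg, code string) (string, error) {
	hashes := map[string]func() hash.Hash{"256": sha256.New, "384": sha512.New384, "512": sha512.New}
	if len(alg) != 5 || hashes[alg[2:]] == nil {
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	h := hashes[alg[2:]]()
	h.Write([]byte(code))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil)[:h.Size()/2]), nil
}

// equal is a constant-time comparison that never accepts an empty claim.
func equal(a, b string) bool {
	return a != "" && subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// VerifyHybridCallback runs before the code is redeemed with the client secret.
func VerifyHybridCallback(tok FrontChannelIDToken, code, sessionNonce string) error {
	if !equal(tok.Nonce, sessionNonce) {
		return fmt.Errorf("nonce does not match this browser session")
	}
	want, err := CodeHash(tok.Alg, code)
	if err != nil {
		return err
	}
	if !equal(tok.CHash, want) {
		return fmt.Errorf("c_hash mismatch: code was not issued with this ID token")
	}
	return nil
}

func main() {
	ch, _ := CodeHash("RS256", "code-A") // constructed sample values
	tok := FrontChannelIDToken{Alg: "RS256", Nonce: "n-1", CHash: ch}
	fmt.Println(VerifyHybridCallback(tok, "code-A", "n-1"), VerifyHybridCallback(tok, "code-B", "n-1"))
}
```

A code that was swapped or injected into the callback fails the `c_hash` comparison, so it is rejected before the token request is ever made.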