
"token pass through" feature for JWT Authentication #34037

Open
TBOU opened this issue May 13, 2021 · 2 comments

Comments

@TBOU

TBOU commented May 13, 2021

What would you like to be added:

A new JWT authentication mode has been added recently (cf. [Feature request] JWT Authentication #8198).

For this new authentication mode, would it be possible to have the same "token pass through" feature for data source plugins as the one already available with OAuth authentication?

More details below on the current mechanism for OAuth authentication.

When using OAuth authentication, it is possible to forward the OAuth access token to a data source plugin. This allows the data source plugin to send requests with an "Authorization" header containing the same credentials as the ones with which the user logged into Grafana (useful when querying a database with ACLs, because the Grafana user identity can be transmitted to the database and the results are filtered by the user's ACLs).

This feature is activated by setting the "oauthPassThru" key to true in the JSON data of the data source configuration.

For OAuth authentication, it is implemented in 2 places.

For data source "client-side" plugins (through the Grafana data source proxy), in ds_proxy.go:

// Only forward the user's token when the data source opted in via "oauthPassThru".
if oauthtoken.IsOAuthPassThruEnabled(proxy.ds) {
	if token := oauthtoken.GetCurrentOAuthToken(proxy.ctx.Req.Context(), proxy.ctx.SignedInUser); token != nil {
		// Set replaces any Authorization header already on the proxied request.
		req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
	}
}

For data source "backend" plugins, in datasource_plugin_wrapper_v2.go:

// Same opt-in check; here the headers are a plain map on the query.
if oauthtoken.IsOAuthPassThruEnabled(ds) {
	if token := oauthtoken.GetCurrentOAuthToken(ctx, query.User); token != nil {
		// Drop any statically configured Authorization value before setting the user's token.
		delete(query.Headers, "Authorization")
		query.Headers["Authorization"] = fmt.Sprintf("%s %s", token.Type(), token.AccessToken)
	}
}

Why is this needed:

Because it allows transmitting the Grafana user identity in requests made by data source plugins, which is useful when querying databases with ACLs.

Also because this feature is already present with OAuth authentication.

@sakjur suggested first checking whether #17846 could be an answer, but it seems not. In #17846, header values must be set statically in the data source configuration.
The "token pass through" feature is dynamic: the token to pass in the "Authorization" header is the one obtained by the user who logged into Grafana (it is unknown at data source configuration time).

@akevdmeer

We would really like JWT passthrough. I tried that linked PR on top of Grafana 10.4.2 and it works. (What I did spot is that it forwards the access token also as X-Id-Token which I think is inappropriate.)
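A JWT counterpart of the OAuth pass-through snippets in the opening post, as an added example in Go that is neither Grafana's code nor the linked PR. It assumes a hypothetical "jwtPassThru" key in the data source JSON data, refuses to forward a token whose exp claim has already passed, and sets only the Authorization header, so nothing is copied into X-Id-Token as the comment above reports.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// jwtExpiry reads the exp claim of a compact JWT. No signature check here:
// Grafana verified the token at login; this only avoids forwarding a stale one.
func jwtExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Exp int64 `json:"exp"` }
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	if err != nil || claims.Exp == 0 {
		return time.Time{}, errors.New("cannot read exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// ApplyJWTPassThru is the JWT counterpart of the OAuth snippet above: it sets only the
// Authorization header, and only when the assumed "jwtPassThru" key is true and the token is unexpired at now.
func ApplyJWTPassThru(jsonData map[string]interface{}, userToken string, now time.Time, req *http.Request) (bool, error) {
	if enabled, _ := jsonData["jwtPassThru"].(bool); !enabled || userToken == "" {
		return false, nil // pass-through off: leave any statically configured header alone
	}
	if exp, err := jwtExpiry(userToken); err != nil {
		return false, err
	} else if !now.Before(exp) {
		return false, errors.New("user token expired, not forwarding")
	}
	req.Header.Set("Authorization", "Bearer "+userToken) // Set replaces, never appends
	return true, nil
}

// MakeUnsignedJWT builds a constructed, unsigned token used only as sample input.
func MakeUnsignedJWT(exp int64) string {
	enc := base64.RawURLEncoding
	payload, _ := json.Marshal(map[string]int64{"exp": exp, "sub": 1})
	return enc.EncodeToString([]byte(`{"alg":"none"}`)) + "." + enc.EncodeToString(payload) + "."
}
```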

@akevdmeer

@yuesenxiong I've asked on the Grafana slack what it would take to move this forward, and received the feedback that your PR is not against the grafana/grafana repo so that it can't be assigned for review.

Could you please create a pull request against this repo?
