Auth: Support google OIDC and group fetching #70140

Jguer · 2023-06-15T10:23:30Z

What is this feature?

Add group fetching and teamsync support to auth.google
Support google OIDC endpoints

Closes #69520
Closes #69521
Implements #70081

Special notes for your reviewer:

Please check that:

It works as expected from a user's perspective.
If this is a pre-GA feature, it is behind a feature toggle.
The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

…/openid-configuration #69520 Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

add legacy API distinction use google auth oidc connectors add group fetching support and tests

jmatosgrafana · 2023-06-15T10:55:55Z

pkg/login/social/google_oauth.go

+
+	groups := []string{}
+
+	url := fmt.Sprintf("%s?query=member_key_id=='%s'", googleIAMGroupsEndpoint, userData.Email)


Because Email has been provided by Google I don't believe it could be manipulated to inject unexpected characters in the url

jmatosgrafana

LGTM from a security point of view

docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md

chri2547 · 2023-06-15T20:22:28Z

docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md

+
+2. Add the `https://www.googleapis.com/auth/cloud-identity.groups.readonly` scope to your Grafana `[auth.google]` configuration:
+
+Example:


chri2547 · 2023-06-15T20:22:44Z

docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md

+```ini
+[auth.google]
+# ..
+scopes = openid email profile https://www.googleapis.com/auth/cloud-identity.groups.readonly
+```


indent so that this content is nested under the step.

docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md

chri2547

A few suggestions. Thank you for the contribution!

pkg/login/social/google_oauth.go

IevaVasiljeva

Mostly looks good, but I've left some comments for edge cases that might need to be covered.

pkg/login/social/google_oauth.go

pkg/login/social/google_oauth_test.go

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

chri2547 · 2023-06-16T20:38:09Z

docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md

+
+### Configure team sync for Google OAuth
+
+> Available in Grafana v10.1.0 and later versions.


Because we version our docs, we don't need to add this kind of note. You can remove it.

Make sure you add this to the v10.1 what's new document!

Hey @chri2547 I'm ok with removing but we end up getting PRs to re-add as users are used to using the latest version of the documentation. Could you provide further guidance?

Example: #69419

Hi @Jguer , I checked with the team because you made a good point that I hadn't considered. Our guidance is to keep these kinds of notes in, and when they get stale (for example, 9.5 docs refer to 7.x), remove them as we come across them.

chri2547 · 2023-06-16T20:38:22Z

docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md

+
+### Configure team sync for Google OAuth
+
+> Available in Grafana v10.1.0 and later versions.


Suggested change

> Available in Grafana v10.1.0 and later versions.

chri2547

One additional suggestion and approved. Thank you for the contribution!

…-oidc

* Auth: Update Google OAuth default configuration based on /.well-known/openid-configuration #69520 Signed-off-by: junya koyama <arukiidou@yahoo.co.jp> * add id_token parsing add legacy API distinction use google auth oidc connectors add group fetching support and tests * Apply suggestions from code review Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * implement review feedback * indent docs --------- Signed-off-by: junya koyama <arukiidou@yahoo.co.jp> Co-authored-by: junya koyama <arukiidou@yahoo.co.jp> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

Jguer added add to changelog no-backport Skip backport of PR add to what's new labels Jun 15, 2023

Jguer added this to the 10.1.x milestone Jun 15, 2023

Jguer requested review from mgyongyosi, IevaVasiljeva and jmatosgrafana June 15, 2023 10:23

Jguer self-assigned this Jun 15, 2023

Jguer requested review from torkelo, a team and chri2547 as code owners June 15, 2023 10:23

grafanabot added type/docs Flags the technical writing team for documentation support; auto adds to org-wide docs project area/backend labels Jun 15, 2023

arukiidou and others added 2 commits June 15, 2023 12:30

Auth: Update Google OAuth default configuration based on /.well-known…

892e197

…/openid-configuration #69520 Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

add id_token parsing

918ecce

add legacy API distinction use google auth oidc connectors add group fetching support and tests

Jguer force-pushed the jguer/actualize-gauth-oidc branch from 5772b9e to 918ecce Compare June 15, 2023 10:30

jmatosgrafana reviewed Jun 15, 2023

View reviewed changes

jmatosgrafana approved these changes Jun 15, 2023

View reviewed changes