OAuth: Introduce user_refresh_token setting and make it default for the selected providers #71533
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Jguer
reviewed
Jul 13, 2023
| To enable a refresh token for AzureAD, extend the `scopes` in `[auth.azuread]` with `offline_access`. | ||
| Refresh token fetching and access token expiration check is enabled by default for the AzureAD provider since Grafana v10.1.0 if the `accessTokenExpirationCheck` feature toggle is enabled. If you would like to disable access token expiration check then set the `use_refresh_token` configuration value to `false`. | ||
|
|
||
| > **Note:** The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.2.0 and the `use_refresh_token` configuration value will be used instead for configuring refresh token fetching and access token expiration check. |
There was a problem hiding this comment.
note to self: review deployment plan
Jguer
reviewed
Jul 13, 2023
docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md
Show resolved
Hide resolved
kalleep
approved these changes
Jul 14, 2023
| @@ -114,7 +114,7 @@ func (s *SocialGoogle) extractFromAPI(ctx context.Context, client *http.Client) | |||
| } | |||
|
|
|||
| func (s *SocialGoogle) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string { | |||
| if s.features.IsEnabled(featuremgmt.FlagAccessTokenExpirationCheck) { | |||
| if s.features.IsEnabled(featuremgmt.FlagAccessTokenExpirationCheck) && s.useRefreshToken { | |||
There was a problem hiding this comment.
Do we have any plans on removing the feature toggle and only check useRefreshToken?
There was a problem hiding this comment.
Correct, that's the plan! (having a setting by auth provider, instead of having a global setting)
mgyongyosi
changed the title
Merged
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is this feature?
This PR introduces the
use_refresh_tokenconfiguration parameter to each of the OAuth providers and extend the defaults.ini file with the default value for each provider.It would be enabled by default for the following providers (check the documentation in case you would like to enable it for other providers):
Currently this functionality is behind a feature toggle called
accessTokenExpirationCheckwhich means that the feature toggle must be enabled to use refresh tokens.accessTokenExpirationCheckfeature toggle will be removed in Grafana v10.2 and only theuse_refresh_tokensetting of the providers will be used to specify whether an OAuth provider should use refresh tokens and check the access token expiration.Why do we need this feature?
We need this to improve the security of Grafana, because currently the OAuth providers are used only for logging users in. With Grafana v9.3 we introduced a feature toggle
accessTokenExpirationCheckthat enables the access token expiration check and refreshes the access token using the refresh token. However, we decided that it would be more convenient to set the expiration check and refresh token fetching by OAuth providers and to enable it by default for the providers that either provides a refresh token by default or getting the refresh token is controlled by the client.Who is this feature for?
[Add information on what kind of user the feature is for.]
Which issue(s) does this PR fix?:
Fixes #
Special notes for your reviewer:
Please check that: