Chore: Query oauth info from a new instance #83229
Conversation
linoman
added
backport
|
Hello @linoman!
Please, if the current pull request addresses a bug fix, label it with the |
1 similar comment
|
Hello @linoman!
Please, if the current pull request addresses a bug fix, label it with the |
linoman
added
the
product-approved
|
This PR must be merged before a backport PR will be created. |
linoman
changed the title
|
Upon implementation and review with @Jguer, the scope of this PR will be extended to include a configuration option to disable HD validation |
…ndition_for_allowed_domain_validations
|
This PR must be merged before a backport PR will be created. |
|
@mgyongyosi Thank you for your comments. I replaced the provider's name in the @Jguer, I have replaced the names of the variables/conf options and added some descriptions in the docs. Additionally, I've added the new configuration option to the |
docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
Outdated
Show resolved
Hide resolved
docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Jo <joao.guerreiro@grafana.com>
linoman
deleted the
linoman/avoid_race_condition_for_allowed_domain_validations
branch
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-83229-to-v10.3.x origin/v10.3.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x b02ae375ba5599fa1e72fb818a1424a8e134efaaWhen the conflicts are resolved, stage and commit the changes: If you have the GitHub CLI installed: # Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.3.x
# Create the PR body template
PR_BODY=$(gh pr view 83229 --json body --template 'Backport b02ae375ba5599fa1e72fb818a1424a8e134efaa from #83229{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title "[v10.3.x] Chore: Query oauth info from a new instance" --body-file - --label "type/docs" --label "area/backend" --label "add to changelog" --label "breaking change" --label "backport" --label "product-approved" --base v10.3.x --milestone 10.3.x --webOr, if you don't have the GitHub CLI installed (we recommend you install it!): # Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.3.x
# Create a pull request where the `base` branch is `v10.3.x` and the `compare`/`head` branch is `backport-83229-to-v10.3.x`.
# Remove the local backport branch
git switch main
git branch -D backport-83229-to-v10.3.x |
grafana-delivery-bot
bot
added
the
backport-failed
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-83229-to-v10.4.x origin/v10.4.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x b02ae375ba5599fa1e72fb818a1424a8e134efaaWhen the conflicts are resolved, stage and commit the changes: If you have the GitHub CLI installed: # Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.4.x
# Create the PR body template
PR_BODY=$(gh pr view 83229 --json body --template 'Backport b02ae375ba5599fa1e72fb818a1424a8e134efaa from #83229{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title "[v10.4.x] Chore: Query oauth info from a new instance" --body-file - --label "type/docs" --label "area/backend" --label "add to changelog" --label "breaking change" --label "backport" --label "product-approved" --base v10.4.x --milestone 10.4.x --webOr, if you don't have the GitHub CLI installed (we recommend you install it!): # Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.4.x
# Create a pull request where the `base` branch is `v10.4.x` and the `compare`/`head` branch is `backport-83229-to-v10.4.x`.
# Remove the local backport branch
git switch main
git branch -D backport-83229-to-v10.4.x |
* query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
* query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
* query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com>
…t 83229 to v10.3.x (#83725) * Chore: Query oauth info from a new instance (#83229) * query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
…t 83229 to v10.4.x (#83726) * Chore: Query oauth info from a new instance (#83229) * query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
|
@linoman I think there's a word missing in your breaking change description:
|
What is this feature?
This small PR avoids a settings race condition between the Google OAuth configuration settings and the SSO settings.
Why do we need this feature?
To avoid a race condition.
Who is this feature for?
IAM
Which issue(s) does this PR fix?:
Fixes #
Special notes for your reviewer:
Please check that:
Release notice breaking change
We're adding a validation between the response of the ID token HD parameter and the list of allowed domains as an extra layer of security. In the event that the HD parameter doesn't match the list of allowed domains, we're denying access to Grafana.
If you set Google OAuth configuration using
api_url,you might be using the legacy implementation of OAuth, which doesn't have the HD parameter describing the organisation the approved token comes from. This could break your login flow.This feature can be turned off through the configuration toggle
validate_hd. Anyone using the legacy Google OAuth configuration should turn off this validation if the ID Token response doesn't have the HD parameter.