Chore: Query oauth info from a new instance #83229
Conversation
Hello @linoman!
Please, if the current pull request addresses a bug fix, label it with the
This PR must be merged before a backport PR will be created.
Upon implementation and review with @Jguer, the scope of this PR will be extended to include a configuration option to disable HD validation
…ndition_for_allowed_domain_validations
@mgyongyosi Thank you for your comments. I replaced the provider's name in the @Jguer, I have replaced the names of the variables/conf options and added some descriptions in the docs. Additionally, I've added the new configuration option to the
docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
Co-authored-by: Jo <joao.guerreiro@grafana.com>
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-83229-to-v10.3.x origin/v10.3.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x b02ae375ba5599fa1e72fb818a1424a8e134efaa
When the conflicts are resolved, stage and commit the changes:
If you have the GitHub CLI installed:
# Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.3.x
# Create the PR body template
PR_BODY=$(gh pr view 83229 --json body --template 'Backport b02ae375ba5599fa1e72fb818a1424a8e134efaa from #83229{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title "[v10.3.x] Chore: Query oauth info from a new instance" --body-file - --label "type/docs" --label "area/backend" --label "add to changelog" --label "breaking change" --label "backport" --label "product-approved" --base v10.3.x --milestone 10.3.x --web
Or, if you don't have the GitHub CLI installed (we recommend you install it!):
# Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.3.x
# Create a pull request where the `base` branch is `v10.3.x` and the `compare`/`head` branch is `backport-83229-to-v10.3.x`.
# Remove the local backport branch
git switch main
git branch -D backport-83229-to-v10.3.x
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-83229-to-v10.4.x origin/v10.4.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x b02ae375ba5599fa1e72fb818a1424a8e134efaa
When the conflicts are resolved, stage and commit the changes:
If you have the GitHub CLI installed:
# Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.4.x
# Create the PR body template
PR_BODY=$(gh pr view 83229 --json body --template 'Backport b02ae375ba5599fa1e72fb818a1424a8e134efaa from #83229{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title "[v10.4.x] Chore: Query oauth info from a new instance" --body-file - --label "type/docs" --label "area/backend" --label "add to changelog" --label "breaking change" --label "backport" --label "product-approved" --base v10.4.x --milestone 10.4.x --web
Or, if you don't have the GitHub CLI installed (we recommend you install it!):
# Push the branch to GitHub:
git push --set-upstream origin backport-83229-to-v10.4.x
# Create a pull request where the `base` branch is `v10.4.x` and the `compare`/`head` branch is `backport-83229-to-v10.4.x`.
# Remove the local backport branch
git switch main
git branch -D backport-83229-to-v10.4.x
* query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
* query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com>
…t 83229 to v10.3.x (#83725) * Chore: Query oauth info from a new instance (#83229) * query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
…t 83229 to v10.4.x (#83726) * Chore: Query oauth info from a new instance (#83229) * query OAuth info from a new instance * add `hd` validation flag * add `disable_hd_validation` to settings map * update documentation --------- Co-authored-by: Jo <joao.guerreiro@grafana.com> (cherry picked from commit b02ae37)
@linoman I think there's a word missing in your breaking change description:
What is this feature?
This small PR avoids a settings race condition between the Google OAuth configuration settings and the SSO settings.
Why do we need this feature?
To avoid a race condition.
Who is this feature for?
IAM
Which issue(s) does this PR fix?:
Fixes #
Special notes for your reviewer:
Please check that:
Release notice breaking change
We're adding a validation between the response of the ID token HD parameter and the list of allowed domains as an extra layer of security. In the event that the HD parameter doesn't match the list of allowed domains, we're denying access to Grafana.
If you set Google OAuth configuration using api_url, you might be using the legacy implementation of OAuth, which doesn't have the HD parameter describing the organisation the approved token comes from. This could break your login flow. This feature can be turned off through the configuration toggle validate_hd. Anyone using the legacy Google OAuth configuration should turn off this validation if the ID Token response doesn't have the HD parameter.
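The release notice above describes the check in prose: compare the ID token's hd claim against the configured allowed domains, deny the login on a mismatch, and let operators turn the check off for legacy api_url flows whose tokens carry no hd claim. The following Go snippet is an added illustration of that decision logic and is not Grafana's code; the type and function names (GoogleHDConfig, CheckHostedDomain, the two error values) and the claim map shape are this example's own assumptions. One further assumption is labelled in the code: when no allowed domains are configured there is nothing to compare against, so the example skips the comparison; the page does not say how Grafana handles that case.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GoogleHDConfig mirrors the two settings named in the PR description:
// the allowed-domain list and the validate_hd toggle. The struct and
// field names are assumptions of this example, not Grafana's.
type GoogleHDConfig struct {
	AllowedDomains []string
	ValidateHD     bool
}

// Sentinel errors so callers (and tests) can tell the two denial reasons apart.
var (
	ErrHDMismatch = errors.New("id token hd claim is not in the allowed domains")
	ErrHDMissing  = errors.New("id token carries no hd claim; legacy api_url flows must set validate_hd = false")
)

// CheckHostedDomain returns nil when the login may proceed and a sentinel
// error when it must be denied. idClaims is the already-verified claim set
// of the ID token (signature and audience checks are assumed to have happened
// upstream and are out of scope here).
func CheckHostedDomain(cfg GoogleHDConfig, idClaims map[string]any) error {
	if !cfg.ValidateHD {
		// Toggle off: behave as the pre-change login flow did.
		return nil
	}
	if len(cfg.AllowedDomains) == 0 {
		// Assumption of this example: with no allowed-domain list there is
		// nothing to compare the hd claim against, so the check is skipped.
		return nil
	}
	hd, isString := idClaims["hd"].(string)
	if !isString || hd == "" {
		// Validation is on but the token has no hd claim: this is exactly the
		// legacy api_url case the release notice warns about, so deny rather
		// than silently pass.
		return ErrHDMissing
	}
	for _, allowed := range cfg.AllowedDomains {
		// Domain names are case-insensitive; trim so "example.com " in a
		// config file still matches.
		if strings.EqualFold(strings.TrimSpace(allowed), hd) {
			return nil
		}
	}
	return ErrHDMismatch
}

func main() {
	cfg := GoogleHDConfig{AllowedDomains: []string{"example.com"}, ValidateHD: true}

	// Constructed sample claim sets, not captured tokens.
	samples := []map[string]any{
		{"email": "alice@example.com", "hd": "example.com"}, // allowed
		{"email": "bob@other.example", "hd": "other.example"}, // mismatch
		{"email": "carol@example.com"},                       // no hd claim (legacy flow)
	}
	for _, claims := range samples {
		if err := CheckHostedDomain(cfg, claims); err != nil {
			fmt.Printf("%-25v denied: %v\n", claims["email"], err)
		} else {
			fmt.Printf("%-25v allowed\n", claims["email"])
		}
	}
}
```

The third sample is the breaking-change scenario from the notice: with validate_hd on and no hd claim present, the user is denied, which is why the notice tells legacy api_url deployments to turn the toggle off until their tokens carry the claim.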