DataProxy: Adds oauth pass-through option for datasources

[seanlaff]

Closes #12556

Adds a datasource option for passing onwards the current user's oauth access token.

How it works

Anytime a user logs in with an oauth provider, we'll encrypt and persist their oauth access-token, refresh-token, token-type, and token-expiry in the user_auth table. Any time the datasource proxy is called on a datasource that has the oauthPassThru flag set to true, we'll lookup the user's token, run it through tokenSource() (which handles refreshes) and pass it along as an Authorization header to the datasource.

I opted to persist the tokens because scheduled reports would not work otherwise.

Previously users would not get an entry in the user_auth table if the auth provider did not provide an upstream auth_id for them. In this MR I changed the behavior to allow entries in that table to populate even if the user does not have an upstream id. I did this because this table seemed like the most natural place to keep the oauth tokens, and gatekeeping that table by auth_id no longer made sense since oauth providers are not required to provide an upstream id.

I also added an index to the user_id column in user_auth since it's used for lookups.

Open to feedback, thanks!

[CLAassistant]

All committers have signed the CLA.

[bergquist]

Hi! I've done a quick review of the PR and I think this is something that would be useful for Grafana.

We are currently very short on time before the release of 6.0 but I'll get back to this eventually with an in-depth review. We won't be able to get this into 6.0 but I think this is a good candidate for 6.1

[bergquist]

Hi Sean!

Great meeting you at GrafanaCon. Such a blast to see someone finding abandoned features in Grafana :) This PR is something we want to merge but I'd like to see a few changes before we do so. Esp requiring specifying which OAuth provider that should be used for passing creds to the datasource. Perhaps you have an use case that I haven't thought about but right now I think we can default to the last logged in provider. Or even better. Find which provider is used for the current session.

Some other minor remarks. Great work otherwise! I hope we have time to get this merged before 6.1!

[seanlaff]

@bergquist Think I've addressed all of the concerns mentioned so far- let me know if you have more feedback! :)

[bergquist]

Works as expected.

Would like to see some minor tweeks before we merge this.
Great work!

[daniellee]

Taking over the review here as Carl is on vacation this week and it would be nice to get this into the 6.1 release. I have tested a bit but would have to use this in a datasource plugin to really test this out. You have resolved all the feedback you got from Carl so don't see anything stopping this from being merged.

I will add this to the plugin auth guide once I get to use this in a datasource: http://docs.grafana.org/plugins/developing/auth-for-datasources/

Looking forward to adding support for this in some of our plugins. Thanks for taking the time to implement all of Carl's feedback!

[bergquist]

🍾

[hakten]

When I turn on 'Forward OAuth Identity', I don't see that OAuth Identity Forwarding details. I am using Grafana 7.0.3 and trying to use the forward option with SimpleJson data source.
Does not seeing that option means SimpleJson does not support it? Or is UI changed in later versions?