OAuth: Added support for "token_url_params" configuration #20884
Conversation
marefr
requested review from
a team and
marefr
and removed request for
a team
|
Can't you add this to the existing URL-configuration settings? I've used Auth0 with Grafana without specifying any |
|
No, the existing URL configuration setting only allows you to specify it via query string (which Auth0 requires it's a HTTP form post parameter). This PR adds flexibility to support multiple other auth providers that are currently not supported because of special case parameters that must be sent during the token exchange. I wish I could also support adding header params but I reviewed the Golang oauth2 provider and it doesn't support adding headers. Regarding my specific use case with Auth0, the audience parameter is only required with Auth0 in a specific scenario (but can't avoided if you need this scenario supported) however this scenario should be the preferred configuration of Auth0 with Grafana. After successful login, the access token returned by Auth0 by default (if no audience is specified and no default audience is configured at the tenant level [the default]) will be an opaque token (not a JWT). If you have backend services that require a JWT, then you must first have a "resource server" (or API in some docs) that corresponds to your backend and you must specify its API identifier as either the default audience in the Auth0 tenant config or you must send the "audience" http form parameter on the token exchange (or in SPA, on the authorize URL). Now if I want to use RBAC in Auth0 to control my roles in Grafana, assuming you already have another resource server in Auth0 that's my primary resource server (and its API identifier is probably set as the default audience in your auth0 tenant) and I want to add support for Grafana, I either need to add the Grafana permissions to the primary resource server (which I don't want to do as they aren't related to it) or I need to create a second resource server that corresponds to Grafana and specify the Grafana permissions there. If I do that (i.e. correctly segregate my resource servers/APIs), then I am required to send the "audience" parameter as part of the token exchange or it will not correctly enforce RBAC and also will issue the JWT token with the wrong "aud". |
|
@yinzara Thanks. Grafana OAuth integration is mainly used for authenticating users. I don't have a lot of experience with Auto0 and have some hard time follow your specific use case/scenario description. When I setup Auth0 in Grafana I configure a new application and then I use that specific application in generic oauth configuration: [auth.generic_oauth]
name = Auth0
enabled = true
allow_sign_up = true
client_id = WCi<redacted>
client_secret = <secret>
scopes = openid profile email
auth_url = https://dev-y3-<redacted>.auth0.com/authorize
token_url = https://dev-y3-<redacted>.auth0.com/oauth/token
api_url = https://dev-y3-<redacted>.auth0.com/userinfo
team_ids =
allowed_organizations =
email_attribute_path =
role_attribute_path = contains("https://myapp.example.com/roles", 'admin') && 'Admin' || 'Viewer'I dont't have RBAC available in Auth0 so cannot test that, but I've added a rule to mimic the behavior of adding roles to id token: This way I don't need to specify any audience nor use the default tenant audience because the audience is the application already configured. Would be good if you could include screenshots from your Auth0 setup and/or other images or Auth0 documentation links to make it easier for me and anyone else not experience with Auth0 to understand your setup, problem and what you're trying to accomplish.
Thanks in advance |
|
This pull request has been automatically marked as stale because it has not had activity in the last 2 weeks. It will be closed in 30 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
This pull request has been automatically closed because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
I completely forgot about this PR however my issue is still valid. The problem is both related to Role Based authentication and with the "aud" (audience) parameter of the JWT. Auth0's RBAC must be enabled in your tenants to experience what I'm talking about as the enforcement and assignment of your permissions for an API based on assigned roles is handled automatically based on the audience of the login request. In my tenant configuration, we have multiple "APIs" defined: one that's the "Default" which is the API that's for my application stack (i.e. it's our custom application) and the other for third party APIs for support of our application (i.e. Grafana, Kiali, etc). We have multiple external organizations that support using our Auth0 tenant for login of their applications so we cannot change the Default audience (it must be the audience of the API for our custom applications). When a login request is submitted for one of the apps that's APIs are not our default, we must submit an "audience" parameter as part of the form post to the token endpoint (the login endpoint must also have it, but can be passed via query string) to do two things:
My example configuration would be: |
|
@yinzara could you please open a new feature request - we now handle our feature requests through discussions |
Some OAuth 2.0 providers require additional posted form parameters as part of the token retrieval.
For example, Auth0 requires an "audience" parameter be sent with the token exchange.
This PR adds support for a new "token_url_params" configuration property to any "oauth" configuration section that adds additional static form parameter values to the oauth token exchange. This allows for the above use case and any other use case that may require additional custom static parameters.