GenericOAuth: Set sub as auth id #65902
Conversation
kalleep
added
no-backport
mgyongyosi
changed the title
|
Actually I think this needs to be backported to all 9.x versions. With the security fix (CVE-2023-3128) it's necessary for all users to have an valid id. As far as I understand the change and the 9.x code, there is no way when using the |
|
Hello @IevaVasiljeva!
Please, if the current pull request addresses a bug fix, label it with the |
IevaVasiljeva
added
the
product-approved
IevaVasiljeva
removed
the
backport v9.5.x
* GenericOAuth: Set sud as auth id * GenericOAuth: Extract function to reduce complexity (cherry picked from commit 7cd6018)
What is this feature?
When connecting with generic oauth we have never set authID in user_auth table.
This leads to some strange edge cases we need to handle to not create a new insert in user_auth table on every login,
see https://github.com/grafana/grafana/blob/main/pkg/services/authn/authnimpl/sync/user_sync.go#L323-L331
This prevents generic oauth to sync a new email because the email is always the primary identifier when using generic oauth. So if a user change their email in IDP a new user is created inside grafana.
If we use id token or userinfo endpoint the sub should always be present and can be used as a unique identifier. This will make it possible to be able to change the email for a user and still resolve it to the same one inside grafana. But in order for this to work properly the user first has to login with this changes in place to the auth id is correctly set.
I opted not to force the present of a sub initially because that can maybe break non oidc compatible idps, but we should enforce this in the future.
If we wan't to enforce it we should start with adding a deprecation log when a login is performed without the present of a sub claim
Fixes #64688
Special notes for your reviewer: