[v9.5.x] GenericOAuth: Set sub as auth id #73223
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 7cd6018 from #65902
What is this feature?
When connecting with generic oauth we have never set authID in user_auth table.
This leads to some strange edge cases we need to handle to not create a new insert in user_auth table on every login,
see https://github.com/grafana/grafana/blob/main/pkg/services/authn/authnimpl/sync/user_sync.go#L323-L331
This prevents generic oauth to sync a new email because the email is always the primary identifier when using generic oauth. So if a user change their email in IDP a new user is created inside grafana.
If we use id token or userinfo endpoint the sub should always be present and can be used as a unique identifier. This will make it possible to be able to change the email for a user and still resolve it to the same one inside grafana. But in order for this to work properly the user first has to login with this changes in place to the auth id is correctly set.
I opted not to force the present of a sub initially because that can maybe break non oidc compatible idps, but we should enforce this in the future.
If we wan't to enforce it we should start with adding a deprecation log when a login is performed without the present of a sub claim
Fixes #64688
Special notes for your reviewer: