OAuth: Add support for empty scopes (#32129)

* add parameter empty_scopes to override scope parameter with empty value and thus be able to authenticate against IdPs without scopes. Issue #27503 Update docs/sources/auth/generic-oauth.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * updated check according to feedback * Update generic-oauth.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
2024-11-21 16:38:03 -06:00 · 2021-05-10 19:07:30 +02:00 · 2021-05-10 19:07:30 +02:00 · 0d044285a9
commit 0d044285a9
parent c610eff5cd
4 changed files with 11 additions and 0 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -474,6 +474,7 @@ allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = user:email
+empty_scopes = false
 email_attribute_name = email:primary
 email_attribute_path =
 login_attribute_path =
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -465,6 +465,7 @@
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
+;empty_scopes = false
 ;email_attribute_name = email:primary
 ;email_attribute_path =
 ;login_attribute_path =
--- a/docs/sources/auth/generic-oauth.md
+++ b/docs/sources/auth/generic-oauth.md
@ -29,6 +29,7 @@ enabled = true
 client_id = YOUR_APP_CLIENT_ID
 client_secret = YOUR_APP_CLIENT_SECRET
 scopes =
+empty_scopes = false
 auth_url =
 token_url =
 api_url =
@ -49,6 +50,8 @@ You can also specify the SSL/TLS configuration used by the client.

 `tls_skip_verify_insecure` controls whether a client verifies the server's certificate chain and host name. If it is true, then SSL/TLS accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.

+Set `empty_scopes` to true to use an empty scope during authentication. By default, Grafana will use `user:email` as scope.
+
 Grafana will attempt to determine the user's e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:

 1. Check for the presence of an e-mail address via the `email` field encoded in the OAuth `id_token` parameter.
--- a/pkg/login/social/social.go
+++ b/pkg/login/social/social.go
@ -85,6 +85,7 @@ func NewOAuthService() {

 	for _, name := range allOauthes {
 		sec := setting.Raw.Section("auth." + name)
+
 		info := &setting.OAuthInfo{
 			ClientId:            sec.Key("client_id").String(),
 			ClientSecret:        sec.Key("client_secret").String(),
@ -107,6 +108,11 @@ func NewOAuthService() {
 			TlsSkipVerify:       sec.Key("tls_skip_verify_insecure").MustBool(),
 		}

+		// when empty_scopes parameter exists and is true, overwrite scope with empty value
+		if sec.Key("empty_scopes").MustBool() {
+			info.Scopes = []string{}
+		}
+
 		if !info.Enabled {
 			continue
 		}