mirror of https://github.com/grafana/grafana.git, synced 2025-02-25 18:55:37 -06:00
Auth: Add skip_org_role_sync setting to OAuth integration Google (#61572)
* WIP
* Add: skip_org_role_sync for Google OAuth
  - add setting for frontend
  - add read of config
  - add config to sample and default
* add: docs
* spelling
* Update pkg/login/social/social.go
* Apply suggestions from code review

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* removed unnecessary line

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
@@ -880,7 +880,7 @@ To prevent synchronization of organization roles for a specific OAuth integratio
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The following table shows the OAuth providers, the default value setting, and the skip org role sync setting.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| AzureAD | false | false | will sync with AzureAD roles |
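Review bot: The table header line `| OAuth Provider | \`oauth_skip_org_role_sync_update\` | ...` names the global setting with the words in a different order from the sentence just above it, which says `oauth_skip_org_role_update_sync`; both refer to the same option, so the header should use the spelling the prose uses, otherwise an operator searching the config for the column name finds nothing. The rewritten intro sentence ("the OAuth provider's setting with the default value") also reads as if it covered a single provider; since the rows that follow are all AzureAD, saying "the AzureAD settings" would be clearer than the generic phrase.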
@@ -888,6 +888,20 @@ The following table shows the OAuth providers, the default value setting, and th
| AzureAD | false | true | skip org role sync for AzureAD users |
| AzureAD | true | true | skip org role sync for AzureAD users and all other OAuth providers |
### [auth.google] skip_org_role_sync
Upon the first login from a user, we set the organization roles from the setting `AutoAssignOrgRole`. If you want to manage organizational roles, set the `skip_org_role_sync` option to `true`.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| Google | false | false | User organization roles are set with `defaultRole` and cannot be changed |
| Google | true | false | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| Google | false | true | User organization roles are set with `defaultRole` and the org role can be changed for Google synced users. |
| Google | true | true | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### api_key_max_seconds_to_live
Limit of API key seconds to live before expiration. Default is -1 (unlimited).
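Review bot: The rows `| Google | true | false |` and `| Google | true | true |` carry identical Behavior text, so the new table never states what `skip_org_role_sync = true` changes for Google users once the global setting is also `true`; the `true | true` row should say whether Google users' org roles become editable in Grafana (as the `false | true` row says) or stay fixed to `defaultRole`. The section also uses two names for the role assigned on first login: the paragraph under the heading says `AutoAssignOrgRole`, the table says `defaultRole`; pick one and use it in both places. Finally, the table header `oauth_skip_org_role_sync_update` should match `oauth_skip_org_role_update_sync`, the spelling used in the Note and in the sentence above the table.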
@@ -68,3 +68,13 @@ When a user logs in using an OAuth provider, Grafana verifies that the access to
Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired.
By default, Grafana includes the `access_type=offline` parameter in the authorization request to request a refresh token.
## Skip organization role sync
We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. To manage your user's organization role from within Grafana, set `skip_org_role_sync` to `true`.
```ini
[auth.google]
# ..
skip_org_role_sync = true
```
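Review bot: The new "Skip organization role sync" section does not say that `skip_org_role_sync` covers Google only and that the global `oauth_skip_org_role_update_sync` also disables the sync for every provider; the Note added to `_index.md` in this same change explains exactly that difference, so a one-line cross-reference to it here would save an operator from setting one option and wondering why the other is still in effect. Minor wording in the first sentence: "the AutoAssigned role" is not the name used elsewhere in these docs (the `_index.md` hunk says `AutoAssignOrgRole`), and "manage your user's organization role" should read "manage your users' organization roles".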