Auth: Fix AzureAD public client configuration (#99019)

Auth: Add client auth none as default to ensure public clients can be configured on the UI
2025-02-25 18:55:37 -06:00 · 2025-01-15 16:49:58 +01:00 · 2025-01-15 16:49:58 +01:00 · 125fdc8f21
commit 125fdc8f21
parent f142f12887
3 changed files with 11 additions and 3 deletions
--- a/pkg/login/social/connectors/azuread_oauth.go
+++ b/pkg/login/social/connectors/azuread_oauth.go
@ -199,7 +199,7 @@ func (s *SocialAzureAD) Exchange(ctx context.Context, code string, authOptions .
 	case social.ClientSecretPost:
 		// Default behavior for ClientSecretPost, no additional setup needed
 	default:
-		s.log.Debug("ClientAuthentication is not set. Using default client authentication method")
+		s.log.Debug("ClientAuthentication is not set. Using default client authentication method: none")
 	}

 	// Default token exchange
@ -379,6 +379,9 @@ func validateClientAuthentication(info *social.OAuthInfo, requester identity.Req
 		}
 		return nil

+	case social.None:
+		return nil
+
 	default:
 		return ssosettings.ErrInvalidOAuthConfig("Invalid client authentication method.")
 	}
--- a/pkg/login/social/social.go
+++ b/pkg/login/social/social.go
@ -16,6 +16,7 @@ const (

 	// Values for ClientAuthentication under OAuthInfo (based on oidc spec)
 	ClientSecretPost = "client_secret_post"
+	None             = "none"
 	// Azure AD
 	ManagedIdentity = "managed_identity"
 	// Other providers...
--- a/public/app/features/auth-config/fields.tsx
+++ b/public/app/features/auth-config/fields.tsx
@ -258,7 +258,7 @@ export function fieldMap(provider: string): Record<string, FieldData> {
      description: 'The client authentication method used to authenticate to the token endpoint.',
      multi: false,
      options: clientAuthenticationOptions(provider),
-      defaultValue: { value: 'client_secret_post', label: 'Client secret' },
+      defaultValue: { value: 'none', label: 'None' },
      validation: {
        required: true,
        message: 'This field is required',
@ -683,11 +683,15 @@ function clientAuthenticationOptions(provider: string): Array<SelectableValue<st
  switch (provider) {
    case 'azuread':
      return [
+        { value: 'none', label: 'None' },
        { value: 'client_secret_post', label: 'Client secret' },
        { value: 'managed_identity', label: 'Managed identity' },
      ];
    // Other providers ...
    default:
-      return [{ value: 'client_secret_post', label: 'Client secret' }];
+      return [
+        { value: 'none', label: 'None' },
+        { value: 'client_secret_post', label: 'Client secret' },
+      ];
  }
 }