add oauth pass thru logic to api/ds/query (#41352)

pkg/api/metrics.go

@@ -1,7 +1,9 @@
 package api
 
 import (
+	"context"
 	"errors"
+	"fmt"
 	"net/http"
 	"time"
 
@@ -84,7 +86,7 @@ func (hs *HTTPServer) QueryMetricsV2(c *models.ReqContext, reqDTO dtos.MetricReq
 		return response.Error(http.StatusForbidden, "Access denied", err)
 	}
 
-	req, err := hs.createRequest(ds, request)
+	req, err := hs.createRequest(c.Req.Context(), ds, request)
 	if err != nil {
 		return response.Error(http.StatusBadRequest, "Request formation error", err)
 	}
@@ -224,12 +226,24 @@ func (hs *HTTPServer) QueryMetrics(c *models.ReqContext, reqDto dtos.MetricReque
 }
 
 // nolint:staticcheck // plugins.DataQueryResponse deprecated
-func (hs *HTTPServer) createRequest(ds *models.DataSource, query plugins.DataQuery) (*backend.QueryDataRequest, error) {
+func (hs *HTTPServer) createRequest(ctx context.Context, ds *models.DataSource,
+	query plugins.DataQuery) (*backend.QueryDataRequest, error) {
 	instanceSettings, err := adapters.ModelToInstanceSettings(ds, hs.decryptSecureJsonDataFn())
 	if err != nil {
 		return nil, err
 	}
 
+	if query.Headers == nil {
+		query.Headers = make(map[string]string)
+	}
+
+	if hs.OAuthTokenService.IsOAuthPassThruEnabled(ds) {
+		if token := hs.OAuthTokenService.GetCurrentOAuthToken(ctx, query.User); token != nil {
+			delete(query.Headers, "Authorization")
+			query.Headers["Authorization"] = fmt.Sprintf("%s %s", token.Type(), token.AccessToken)
+		}
+	}
+
 	req := &backend.QueryDataRequest{
 		PluginContext: backend.PluginContext{
 			OrgID:                      ds.OrgId,