Docs: Document PKCE support for OAuth (#39949)

2025-02-25 18:55:37 -06:00 · 2021-10-13 16:45:39 +02:00 · 2021-10-13 16:45:39 +02:00 · 1505b8c0b0
commit 1505b8c0b0
parent e73cd2fdeb
1 changed files with 20 additions and 0 deletions
--- a/docs/sources/auth/generic-oauth.md
+++ b/docs/sources/auth/generic-oauth.md
@ -41,6 +41,7 @@ tls_skip_verify_insecure = false
 tls_client_cert =
 tls_client_key =
 tls_client_ca =
+use_pkce = true
 ```

 Set `api_url` to the resource that returns [OpenID UserInfo](https://connect2id.com/products/server/docs/api/userinfo) compatible information.
@ -91,6 +92,24 @@ You can set the user's display name with JMESPath using the `name_attribute_path

 > **Note:** `name_attribute_path` is available in Grafana 7.4+.

+### PKCE
+
+> Available in Grafana v8.3 and later versions.
+
+IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
+introduces "proof key for code exchange" (PKCE) which introduces
+additional protection against some forms of authorization code
+interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03).
+
+You can enable PKCE in Grafana by setting `use_pkce` to `true` in the
+`[auth.generic_oauth]` section.
+
+```
+use_pkce = true
+```
+
+Grafana always uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier.
+
 ## Set up OAuth2 with Auth0

 1. Create a new Client in Auth0
@ -117,6 +136,7 @@ You can set the user's display name with JMESPath using the `name_attribute_path
   auth_url = https://<domain>/authorize
   token_url = https://<domain>/oauth/token
   api_url = https://<domain>/userinfo
+   use_pkce = true
   ```

 ## Set up OAuth2 with Bitbucket