diff --git a/docs/sources/auth/generic-oauth.md b/docs/sources/auth/generic-oauth.md index b348352ffcb..444e92f68c1 100755 --- a/docs/sources/auth/generic-oauth.md +++ b/docs/sources/auth/generic-oauth.md @@ -41,6 +41,7 @@ tls_skip_verify_insecure = false tls_client_cert = tls_client_key = tls_client_ca = +use_pkce = true ``` Set `api_url` to the resource that returns [OpenID UserInfo](https://connect2id.com/products/server/docs/api/userinfo) compatible information. @@ -91,6 +92,24 @@ You can set the user's display name with JMESPath using the `name_attribute_path > **Note:** `name_attribute_path` is available in Grafana 7.4+. +### PKCE + +> Available in Grafana v8.3 and later versions. + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which introduces +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +You can enable PKCE in Grafana by setting `use_pkce` to `true` in the +`[auth.generic_oauth]` section. + +``` +use_pkce = true +``` + +Grafana always uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier. + ## Set up OAuth2 with Auth0 1. Create a new Client in Auth0 @@ -117,6 +136,7 @@ You can set the user's display name with JMESPath using the `name_attribute_path auth_url = https:///authorize token_url = https:///oauth/token api_url = https:///userinfo + use_pkce = true ``` ## Set up OAuth2 with Bitbucket
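Review bot: In the first hunk (@@ -41,6 +41,7 @@), `use_pkce = true` is added to the `[auth.generic_oauth]` reference block without saying what the default is or from which version the key is recognized; a reader on a release older than the "Grafana v8.3 and later" the PKCE section mentions will copy an option their build does not know. Suggest annotating the line with the default value and the minimum version, or leaving the reference block at its default and keeping the `use_pkce = true` example only in the dedicated PKCE section.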
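Review bot: In the second hunk (@@ -91,6 +92,24 @@), the sentence "a 128 bytes (base64url encoded) code verifier" is ambiguous in a way that matters: RFC 7636 limits `code_verifier` to 43 to 128 characters after encoding, so 128 random bytes encoded with base64url would exceed that maximum, whereas 128 encoded characters is exactly the permitted upper bound. Suggest stating the length unambiguously, e.g. "a 128-character base64url-encoded code verifier" if that is what is generated, and adding a one-line caveat that the authorization server must support the `S256` challenge method for the option to be useful. Two smaller points: "introduces ... which introduces" in the opening sentence reads awkwardly, and the availability callout uses a bare blockquote while the surrounding document uses the `> **Note:**` style.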
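Review bot: In the third hunk (@@ -117,6 +136,7 @@), `use_pkce = true` is added only to the Auth0 sample while the other provider walkthroughs in this file (the Bitbucket section starts immediately after) are left unchanged, which implies PKCE is Auth0-specific. Suggest either adding the line to the other provider samples that are known to support it, or stating in the PKCE section that the option applies to any generic OAuth provider and that the Auth0 block is just one example.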