allow insecure connections (for testing purposes); remove audience checks

audience checks will still need to be done for Access tokens, but not for ID tokens

pkg/services/grpcserver/service.go

@@ -6,11 +6,14 @@ import (
 	"net"
 	"time"
 
+	authnlib "github.com/grafana/authlib/authn"
+	authzlib "github.com/grafana/authlib/authz"
 	"github.com/grafana/dskit/instrument"
 	"github.com/grafana/dskit/middleware"
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	grpcAuth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
 	"github.com/prometheus/client_golang/prometheus"
+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 
@@ -75,7 +78,12 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 	if cfg.StackID != "" {
 		namespaceFmt = authnlib.CloudNamespaceFormatter
 	}
-	namespaceChecker := authzlib.NewNamespaceAccessChecker(namespaceFmt)
+	namespaceChecker := authzlib.NewNamespaceAccessChecker(
+		namespaceFmt,
+		// TODO(drclau): are the following opts required/correct for on-prem?
+		authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
+		authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
+	)
 	stackIdExtractor := authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey)
 
 	// Default auth is admin token check, but this can be overridden by

pkg/storage/unified/resource/client_wrapper.go

@@ -24,7 +24,6 @@ func NewLocalResourceStoreClient(server ResourceStoreServer) ResourceStoreClient
 	channel := &inprocgrpc.Channel{}
 
 	auth := &grpcUtils.InProcAuthenticator{}
-
 	channel.RegisterService(
 		grpchan.InterceptServer(
 			&ResourceStore_ServiceDesc,

pkg/storage/unified/sql/service.go

@@ -2,6 +2,8 @@ package sql
 
 import (
 	"context"
+	"crypto/tls"
+	"net/http"
 
 	authnlib "github.com/grafana/authlib/authn"
 	"github.com/grafana/dskit/services"
@@ -72,11 +74,17 @@ func ProvideService(
 		KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
 			SigningKeysURL: authCfg.SigningKeysURL,
 		},
-		VerifierConfig: authnlib.VerifierConfig{
-			AllowedAudiences: authCfg.AllowedAudiences,
-		},
+		// TODO(drclau): for ID tokens audience is the tenant
+		// VerifierConfig: authnlib.VerifierConfig{
+		// 	AllowedAudiences: authCfg.AllowedAudiences,
+		// },
 	}
 
+	// TODO(drclau): only allow insecure connections when app_mode = development
+	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+	client := &http.Client{Transport: tr}
+	keyRetriever := authnlib.NewKeyRetriever(grpcAuthCfg.KeyRetrieverConfig, authnlib.WithHTTPClientKeyRetrieverOpt(client))
+
 	grpcOpts := []authnlib.GrpcAuthenticatorOption{}
 	switch authCfg.Mode {
 	case grpcutils.ModeInProc:
@@ -86,6 +94,7 @@ func ProvideService(
 		grpcOpts = append(grpcOpts,
 			authnlib.WithDisableAccessTokenAuthOption(),
 			authnlib.WithIDTokenAuthOption(true),
+			authnlib.WithKeyRetrieverOption(keyRetriever),
 		)
 	case grpcutils.ModeCloud:
 		grpcOpts = append(grpcOpts, authnlib.WithIDTokenAuthOption(true))