Auth: Update docs on use PKCE by default (#68638)

* Auth: Update docs on use PKCE by default. (#68073)

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

* Fix: docs review - from introduces to provides https://github.com/grafana/grafana/pull/68638/files#r1200506006

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

* Fix docs - Remove note about a version https://github.com/grafana/grafana/pull/68638/files#r1200508038

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

* Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md

---------

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
arukiidou 2023-05-31 01:17:45 +09:00 committed by GitHub
parent a61d828998
commit 345b7fadc9
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 71 additions and 5 deletions

View File

@ -15,12 +15,21 @@ weight: 600
The Azure AD authentication allows you to use an Azure Active Directory tenant as an identity provider for Grafana. You can use Azure AD Application Roles to assign users and groups to Grafana roles from the Azure Portal. This topic has the following sections:
- [Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication)
- [Configure Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication)
- [Create the Azure AD application](#create-the-azure-ad-application)
- [Assign server administrator privileges](#assign-server-administrator-privileges)
- [Enable Azure AD OAuth in Grafana](#enable-azure-ad-oauth-in-grafana)
- [Configure refresh token](#configure-refresh-token)
- [Configure allowed groups](#configure-allowed-groups)
- [Configure allowed domains](#configure-allowed-domains)
- [PKCE](#pkce)
- [Configure automatic login](#configure-automatic-login)
- [Team Sync (Enterprise only)](#team-sync-enterprise-only)
- [Common troubleshooting](#common-troubleshooting)
- [Users with over 200 Group assignments](#users-with-over-200-group-assignments)
- [Force fetching groups from Microsoft graph API](#force-fetching-groups-from-microsoft-graph-api)
- [Map roles](#map-roles)
- [Skip organization role sync](#skip-organization-role-sync)
## Create the Azure AD application
@ -143,6 +152,7 @@ allowed_groups =
role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
use_pkce = true
```
You can also use these environment variables to configure **client_id** and **client_secret**:
@ -191,9 +201,18 @@ The `allowed_domains` option limits access to users who belong to specific domai
allowed_domains = mycompany.com mycompany.org
```
### PKCE
IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
introduces "proof key for code exchange" (PKCE) which provides
additional protection against some forms of authorization code
interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03).
> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.azuread]` section.
### Configure automatic login
Set `auto_login` option to true to attempt login automatically, skipping the login screen.
To bypass the login screen and log in automatically, enable the "auto_login" feature.
This setting is ignored if multiple auth providers are configured to use auto login.
```
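Review bot: the disable note is missing a space ("in the`[auth.azuread]` section" should read "in the `[auth.azuread]` section"), and it tells readers how to turn PKCE off without saying when that is appropriate; since the paragraph above explains that PKCE defends against authorization code interception, add a clause that `use_pkce` should stay `true` unless the identity provider does not support it. The OAuth 2.1 link also pins a specific revision (`draft-ietf-oauth-v2-1-03`); linking the unversioned `draft-ietf-oauth-v2-1` document on datatracker would keep the reference current as the draft advances.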

View File

@ -15,13 +15,23 @@ weight: 200
You can configure many different OAuth2 authentication services with Grafana using the generic OAuth2 feature. Examples:
- [Generic OAuth authentication](#configure-generic-oauth-authentication)
- [Configure generic OAuth authentication](#configure-generic-oauth-authentication)
- [Email address](#email-address)
- [Groups / Teams](#groups--teams)
- [Login](#login)
- [PKCE](#pkce)
- [Configure refresh token](#configure-refresh-token)
- [Configure automatic login](#configure-automatic-login)
- [Set up OAuth2 with Auth0](#set-up-oauth2-with-auth0)
- [Set up OAuth2 with Bitbucket](#set-up-oauth2-with-bitbucket)
- [Set up OAuth2 with Centrify](#set-up-oauth2-with-centrify)
- [Set up OAuth2 with OneLogin](#set-up-oauth2-with-onelogin)
- [Role mapping](#role-mapping)
- [Role Mapping](#role-mapping)
- [JMESPath examples](#jmespath-examples)
- [Map user organization role](#map-user-organization-role)
- [Map server administrator privileges](#map-server-administrator-privileges)
- [Team synchronization](#team-synchronization)
- [Skip organization role sync](#skip-organization-role-sync)
This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the suffixed path of `/login/generic_oauth`.
@ -106,7 +116,7 @@ You can set the user's display name with JMESPath using the `name_attribute_path
> Available in Grafana v8.3 and later versions.
IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
introduces "proof key for code exchange" (PKCE) which introduces
introduces "proof key for code exchange" (PKCE) which provides
additional protection against some forms of authorization code
interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03).
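Review bot: unlike the azuread, gitlab, google and okta sections in this commit, the visible part of this PKCE section has no line telling readers how to turn the feature off; if `[auth.generic_oauth]` also honours `use_pkce`, add the same "You can disable PKCE in Grafana by setting `use_pkce` to `false`" note here so all five provider pages read the same way, and consider the same unversioned `draft-ietf-oauth-v2-1` link instead of the pinned `-03` revision.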

View File

@ -65,6 +65,7 @@ tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
```
You may have to set the `root_url` option of `[server]` for the callback URL to be
@ -156,8 +157,24 @@ tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
```
### PKCE
IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
introduces "proof key for code exchange" (PKCE) which provides
additional protection against some forms of authorization code
interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03).
> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.gitlab]` section.
```
use_pkce = true
```
Grafana always uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier.
### Configure automatic login
Set `auto_login` option to true to attempt login automatically, skipping the login screen.
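Review bot: the fenced `use_pkce = true` snippet directly under the "You can disable PKCE" note contradicts the note it follows and repeats a line already shown in the `[auth.gitlab]` sample above; either drop it or make it `use_pkce = false` so the snippet illustrates the sentence it sits under. Same missing space as the other pages ("in the`[auth.gitlab]` section"). Note also that the sentence "Grafana always uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier" describes Grafana's behaviour rather than anything GitLab-specific, so it belongs in every provider's PKCE section (or one shared place), not only here; while moving it, fix "a 128 bytes" to "a 128-byte".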

View File

@ -41,6 +41,7 @@ auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
allowed_domains = mycompany.com mycompany.org
hosted_domain = mycompany.com
use_pkce = true
```
You may have to set the `root_url` option of `[server]` for the callback URL to be
@ -58,6 +59,15 @@ automatically signed up.
You may specify a domain to be passed as `hd` query parameter accepted by Google's
OAuth 2.0 authentication API. Refer to Google's OAuth [documentation](https://developers.google.com/identity/openid-connect/openid-connect#hd-param).
### PKCE
IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
introduces "proof key for code exchange" (PKCE) which provides
additional protection against some forms of authorization code
interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03).
> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.google]` section.
### Configure refresh token
> Available in Grafana v9.3 and later versions.
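Review bot: missing space in the disable note ("in the`[auth.google]` section" should be "in the `[auth.google]` section"), and as on the other pages the note should say PKCE ought to remain enabled unless the provider rejects it, rather than only how to switch it off.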

View File

@ -51,8 +51,18 @@ api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
allowed_domains =
allowed_groups =
role_attribute_path =
use_pkce = true
```
### PKCE
IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
introduces "proof key for code exchange" (PKCE) which provides
additional protection against some forms of authorization code
interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03).
> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.okta]` section.
### Configure refresh token
> Available in Grafana v9.3 and later versions.
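Review bot: missing space in the disable note ("in the`[auth.okta]` section" should be "in the `[auth.okta]` section"). This section also lacks the statement of the challenge method (`S256`) and verifier length that the gitlab page gains in this commit; since that describes Grafana's own PKCE implementation, it should appear here too, or the four provider pages should point to one shared description.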