diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md index ca7ab147626..48de62a6c9a 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md @@ -15,12 +15,21 @@ weight: 600 The Azure AD authentication allows you to use an Azure Active Directory tenant as an identity provider for Grafana. You can use Azure AD Application Roles to assign users and groups to Grafana roles from the Azure Portal. This topic has the following sections: -- [Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication) +- [Configure Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication) - [Create the Azure AD application](#create-the-azure-ad-application) + - [Assign server administrator privileges](#assign-server-administrator-privileges) - [Enable Azure AD OAuth in Grafana](#enable-azure-ad-oauth-in-grafana) + - [Configure refresh token](#configure-refresh-token) - [Configure allowed groups](#configure-allowed-groups) - [Configure allowed domains](#configure-allowed-domains) + - [PKCE](#pkce) + - [Configure automatic login](#configure-automatic-login) - [Team Sync (Enterprise only)](#team-sync-enterprise-only) + - [Common troubleshooting](#common-troubleshooting) + - [Users with over 200 Group assignments](#users-with-over-200-group-assignments) + - [Force fetching groups from Microsoft graph API](#force-fetching-groups-from-microsoft-graph-api) + - [Map roles](#map-roles) + - [Skip organization role sync](#skip-organization-role-sync) ## Create the Azure AD application 
@@ -143,6 +152,7 @@ allowed_groups = role_attribute_strict = false allow_assign_grafana_admin = false skip_org_role_sync = false +use_pkce = true ``` You can also use these environment variables to configure **client_id** and **client_secret**: @@ -191,9 +201,18 @@ The `allowed_domains` option limits access to users who belong to specific domai allowed_domains = mycompany.com mycompany.org ``` +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.azuread]` section. + ### Configure automatic login -Set `auto_login` option to true to attempt login automatically, skipping the login screen. +To bypass the login screen and log in automatically, enable the "auto_login" feature. This setting is ignored if multiple auth providers are configured to use auto login. ``` diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md index e510f2990b3..cb60725af00 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md 
@@ -15,13 +15,23 @@ weight: 200 You can configure many different OAuth2 authentication services with Grafana using the generic OAuth2 feature. Examples: -- [Generic OAuth authentication](#configure-generic-oauth-authentication) +- [Configure generic OAuth authentication](#configure-generic-oauth-authentication) + - [Email address](#email-address) + - [Groups / Teams](#groups--teams) + - [Login](#login) + - [PKCE](#pkce) + - [Configure refresh token](#configure-refresh-token) + - [Configure automatic login](#configure-automatic-login) - [Set up OAuth2 with Auth0](#set-up-oauth2-with-auth0) - [Set up OAuth2 with Bitbucket](#set-up-oauth2-with-bitbucket) - [Set up OAuth2 with Centrify](#set-up-oauth2-with-centrify) - [Set up OAuth2 with OneLogin](#set-up-oauth2-with-onelogin) - - [Role mapping](#role-mapping) + - [Role Mapping](#role-mapping) + - [JMESPath examples](#jmespath-examples) + - [Map user organization role](#map-user-organization-role) + - [Map server administrator privileges](#map-server-administrator-privileges) - [Team synchronization](#team-synchronization) + - [Skip organization role sync](#skip-organization-role-sync) This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the suffixed path of `/login/generic_oauth`. @@ -106,7 +116,7 @@ You can set the user's display name with JMESPath using the `name_attribute_path > Available in Grafana v8.3 and later versions. IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) -introduces "proof key for code exchange" (PKCE) which introduces +introduces "proof key for code exchange" (PKCE) which provides additional protection against some forms of authorization code interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md index 67f214df4dc..e754cc1620e 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md @@ -65,6 +65,7 @@ tls_skip_verify_insecure = false tls_client_cert = tls_client_key = tls_client_ca = +use_pkce = true ``` You may have to set the `root_url` option of `[server]` for the callback URL to be @@ -156,8 +157,24 @@ tls_skip_verify_insecure = false tls_client_cert = tls_client_key = tls_client_ca = +use_pkce = true ``` +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.gitlab]` section. + +``` +use_pkce = true +``` + +Grafana always uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier. + ### Configure automatic login Set `auto_login` option to true to attempt login automatically, skipping the login screen. diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md index e56eea304f5..722408a3158 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md 
@@ -41,6 +41,7 @@ auth_url = https://accounts.google.com/o/oauth2/auth token_url = https://accounts.google.com/o/oauth2/token allowed_domains = mycompany.com mycompany.org hosted_domain = mycompany.com +use_pkce = true ``` You may have to set the `root_url` option of `[server]` for the callback URL to be @@ -58,6 +59,15 @@ automatically signed up. You may specify a domain to be passed as `hd` query parameter accepted by Google's OAuth 2.0 authentication API. Refer to Google's OAuth [documentation](https://developers.google.com/identity/openid-connect/openid-connect#hd-param). +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.google]` section. + ### Configure refresh token > Available in Grafana v9.3 and later versions. diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md index a453d461a7e..1e48e276342 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md 
@@ -51,8 +51,18 @@ api_url = https://.okta.com/oauth2/v1/userinfo allowed_domains = allowed_groups = role_attribute_path = +use_pkce = true ``` +### PKCE + +IETF's [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) +introduces "proof key for code exchange" (PKCE) which provides +additional protection against some forms of authorization code +interception attacks. PKCE will be required in [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-03). + +> You can disable PKCE in Grafana by setting `use_pkce` to `false` in the`[auth.okta]` section. + ### Configure refresh token > Available in Grafana v9.3 and later versions.
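Review bot: in the azuread hunk `@@ -191,9 +201,18 @@`, the rewritten automatic-login sentence drops the backticks around `auto_login` and no longer says which value to set, while the gitlab file in this same patch keeps the original wording ("Set `auto_login` option to true to attempt login automatically, skipping the login screen."), so the two pages now describe the same option differently; keep the original sentence here. The same hunk also has a missing space in "in the`[auth.azuread]` section".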
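Review bot: in the gitlab hunk `@@ -156,8 +157,24 @@`, "a 128 bytes (base64url encoded) code verifier" is ambiguous and may describe a verifier longer than RFC 7636 permits: the RFC bounds `code_verifier` at 43 to 128 characters, so 128 random bytes base64url-encoded give roughly 171 characters, whereas 128 encoded characters correspond to 96 random bytes. State the length the way the RFC does (characters after encoding) and confirm it against the implementation. In the same hunk, the fenced block placed right after the note on disabling PKCE shows `use_pkce = true`, which both config listings above already show as the default; either make it `use_pkce = false` as the disabling example or drop the block. "in the`[auth.gitlab]`" is also missing a space.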
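Review bot: the new PKCE section in the google hunk `@@ -58,6 +59,15 @@` carries no version note, although the neighbouring "Configure refresh token" section opens with "> Available in Grafana v9.3 and later versions."; since `use_pkce` is a new option, add the version in which it became available. Also fix the missing space in "in the`[auth.google]` section".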
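Review bot: the okta hunk `@@ -51,8 +51,18 @@` adds the same three-paragraph PKCE text that now appears in the azuread, gitlab and google files and already exists in generic-oauth, yet only the gitlab copy mentions the `S256` challenge method and the verifier length; either move the shared text into one reusable include or make every copy say the same thing, and add the same "Available in Grafana v... and later versions." note the refresh-token section below it uses. "in the`[auth.okta]`" is missing a space as well.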
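Review bot: in the generic-oauth table-of-contents hunk `@@ -15,13 +15,23 @@`, the entry is changed from "Role mapping" to "Role Mapping" while every other entry in the list uses sentence case ("Map user organization role", "Skip organization role sync"); unless the heading itself was changed to title case, keep "Role mapping".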