Auth: Add auth.azure_ad security improvements (#912)

* security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-02-25 18:55:37 -06:00 · 2023-06-16 16:29:09 +00:00
parent 87b127e073
commit 4821175d40
10 changed files with 351 additions and 76 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -680,6 +680,7 @@ auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
 token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
 allowed_domains =
 allowed_groups =
+allowed_organizations =
 role_attribute_strict = false
 allow_assign_grafana_admin = false
 force_use_graph_api = false
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -652,6 +652,7 @@
 ;token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
 ;allowed_domains =
 ;allowed_groups =
+;allowed_organizations =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 ;use_pkce = true