Auth: Implement skip org role sync for jwt (#61647)

* Add new config option * Add frontend control * Condition new auth broker with config option * Condition old auth broker with config option Co-authored-by: Jo <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2023-01-18 13:59:50 +01:00
parent 3debfd0ca7
commit 4d095547f8
9 changed files with 74 additions and 43 deletions
--- a/pkg/services/authn/clients/jwt.go
+++ b/pkg/services/authn/clients/jwt.go
@@ -10,6 +10,7 @@ import (
 	"github.com/jmespath/go-jmespath"

 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/models/roletype"
 	"github.com/grafana/grafana/pkg/services/auth"
 	authJWT "github.com/grafana/grafana/pkg/services/auth/jwt"
 	"github.com/grafana/grafana/pkg/services/authn"
@@ -83,30 +84,34 @@ func (s *JWT) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identi
 		id.Name = name
 	}

-	role, grafanaAdmin := s.extractRoleAndAdmin(claims)
-	if s.cfg.JWTAuthRoleAttributeStrict && !role.IsValid() {
-		s.log.Warn("extracted Role is invalid", "role", role, "auth_id", id.AuthID)
-		return nil, ErrJWTInvalidRole.Errorf("invalid role claim in JWT: %s", role)
-	}
-
-	if role.IsValid() {
-		var orgID int64
-		// FIXME (jguer): GetIDForNewUser already has the auto assign information
-		// just neeeds the org role. Find a meaningful way to pass this default
-		// role to it (that doesn't involve id.OrgRoles[0] = role)
-		if s.cfg.AutoAssignOrg && s.cfg.AutoAssignOrgId > 0 {
-			orgID = int64(s.cfg.AutoAssignOrgId)
-			s.log.Debug("The user has a role assignment and organization membership is auto-assigned",
-				"role", role, "orgId", orgID)
-		} else {
-			orgID = int64(1)
-			s.log.Debug("The user has a role assignment and organization membership is not auto-assigned",
-				"role", role, "orgId", orgID)
+	var role roletype.RoleType
+	var grafanaAdmin bool
+	if !s.cfg.JWTAuthSkipOrgRoleSync {
+		role, grafanaAdmin = s.extractRoleAndAdmin(claims)
+		if s.cfg.JWTAuthRoleAttributeStrict && !role.IsValid() {
+			s.log.Warn("extracted Role is invalid", "role", role, "auth_id", id.AuthID)
+			return nil, ErrJWTInvalidRole.Errorf("invalid role claim in JWT: %s", role)
 		}

-		id.OrgRoles[orgID] = role
-		if s.cfg.JWTAuthAllowAssignGrafanaAdmin {
-			id.IsGrafanaAdmin = &grafanaAdmin
+		if role.IsValid() {
+			var orgID int64
+			// FIXME (jguer): GetIDForNewUser already has the auto assign information
+			// just needs the org role. Find a meaningful way to pass this default
+			// role to it (that doesn't involve id.OrgRoles[0] = role)
+			if s.cfg.AutoAssignOrg && s.cfg.AutoAssignOrgId > 0 {
+				orgID = int64(s.cfg.AutoAssignOrgId)
+				s.log.Debug("The user has a role assignment and organization membership is auto-assigned",
+					"role", role, "orgId", orgID)
+			} else {
+				orgID = int64(1)
+				s.log.Debug("The user has a role assignment and organization membership is not auto-assigned",
+					"role", role, "orgId", orgID)
+			}
+
+			id.OrgRoles[orgID] = role
+			if s.cfg.JWTAuthAllowAssignGrafanaAdmin {
+				id.IsGrafanaAdmin = &grafanaAdmin
+			}
 		}
 	}