OAuth: Add optional strict parsing of role_attribute_path (#28021)

* OAuth: Add strict role mapping

By default the user is assigned the role Viewer if role_attribute_path
doesn't return a role, which is not always desirable. This commit adds a
strict mode, which denies the user access if a role isn't returned.

Fix #26626

* Update docs/sources/auth/generic-oauth.md

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Update docs/sources/auth/generic-oauth.md

* Update .gitignore file with WAN

* Removed WAN from .gitignore

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: achatterjee-grafana <aparajita.chatterjee@grafana.com>
Kristian Klausen
2021-04-14 21:14:27 +02:00
committed by GitHub
parent 68f38aa49b
commit 4fc0d42470
7 changed files with 44 additions and 25 deletions

@@ -449,6 +449,7 @@
;allowed_domains =
;allowed_groups =
;role_attribute_path =
;role_attribute_strict = false
#################################### Generic OAuth ##########################
[auth.generic_oauth]
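Review bot: the added `;role_attribute_strict = false` line under `;role_attribute_path =` has no comment saying what the setting controls, so a reader of the sample config cannot tell that `false` keeps the fallback described in the commit message (the user is assigned Viewer when role_attribute_path returns no role) and that `true` denies access instead. Suggest a one-line comment above the key that states both outcomes, since the shipped default is the permissive one.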
@@ -470,6 +471,7 @@
;team_ids =
;allowed_organizations =
;role_attribute_path =
;role_attribute_strict = false
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
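Review bot: the new key in this hunk sits directly below an empty `;role_attribute_path =`, and nothing here says what `role_attribute_strict = true` does when role_attribute_path is left unset. Please document, here or in generic-oauth.md, whether that combination denies every login, so an operator neither locks users out by accident nor assumes strict mode is in effect without a path configured.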