Auth: Extended JWT client for OBO and Service Authentication (#83814)

* reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2024-04-02 17:45:15 +02:00
parent ac6e51c94a
commit 5340a6e548
28 changed files with 443 additions and 326 deletions
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -261,11 +261,8 @@ type Cfg struct {
 	OAuthCookieMaxAge             int
 	OAuthAllowInsecureEmailLookup bool

-	JWTAuth AuthJWTSettings
-	// Extended JWT Auth
-	ExtendedJWTAuthEnabled    bool
-	ExtendedJWTExpectIssuer   string
-	ExtendedJWTExpectAudience string
+	JWTAuth    AuthJWTSettings
+	ExtJWTAuth ExtJWTSettings

 	// SSO Settings Auth
 	SSOSettingsReloadInterval        time.Duration
@@ -1186,6 +1183,7 @@ func (cfg *Cfg) parseINIFile(iniFile *ini.File) error {
 	cfg.handleAWSConfig()
 	cfg.readAzureSettings()
 	cfg.readAuthJWTSettings()
+	cfg.readAuthExtJWTSettings()
 	cfg.readAuthProxySettings()
 	cfg.readSessionConfig()
 	if err := cfg.readSmtpSettings(); err != nil {
@@ -1602,12 +1600,6 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	cfg.BasicAuthEnabled = authBasic.Key("enabled").MustBool(true)
 	cfg.BasicAuthStrongPasswordPolicy = authBasic.Key("password_policy").MustBool(false)

-	// Extended JWT auth
-	authExtendedJWT := cfg.SectionWithEnvOverrides("auth.extended_jwt")
-	cfg.ExtendedJWTAuthEnabled = authExtendedJWT.Key("enabled").MustBool(false)
-	cfg.ExtendedJWTExpectAudience = authExtendedJWT.Key("expect_audience").MustString("")
-	cfg.ExtendedJWTExpectIssuer = authExtendedJWT.Key("expect_issuer").MustString("")
-
 	// SSO Settings
 	ssoSettings := iniFile.Section("sso_settings")
 	cfg.SSOSettingsReloadInterval = ssoSettings.Key("reload_interval").MustDuration(1 * time.Minute)
--- a/pkg/setting/setting_jwt.go
+++ b/pkg/setting/setting_jwt.go
@@ -25,6 +25,22 @@ type AuthJWTSettings struct {
 	UsernameAttributePath   string
 }

+type ExtJWTSettings struct {
+	Enabled        bool
+	ExpectIssuer   string
+	ExpectAudience string
+	JWKSUrl        string
+}
+
+func (cfg *Cfg) readAuthExtJWTSettings() {
+	authExtendedJWT := cfg.SectionWithEnvOverrides("auth.extended_jwt")
+	jwtSettings := ExtJWTSettings{}
+	jwtSettings.Enabled = authExtendedJWT.Key("enabled").MustBool(false)
+	jwtSettings.ExpectAudience = authExtendedJWT.Key("expect_audience").MustString("")
+	jwtSettings.JWKSUrl = authExtendedJWT.Key("jwks_url").MustString("")
+	cfg.ExtJWTAuth = jwtSettings
+}
+
 func (cfg *Cfg) readAuthJWTSettings() {
 	jwtSettings := AuthJWTSettings{}
 	authJWT := cfg.Raw.Section("auth.jwt")