IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-11 16:15:42 -06:00
Code Issues Packages Projects Releases Wiki Activity

Proxy: Fix updating refresh token in OAuth pass-thru (#26885)

Browse Source 
* Handle updating refresh token in oauth pass-thru

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
This commit is contained in:
Sean Lafferty 2020-08-17 12:38:32 -04:00 committed by GitHub
parent 9f1165b1f6
commit 900eb8070e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/api/pluginproxy/ds_proxy.go
View File

@ -307,7 +307,7 @@ func checkWhiteList(c *models.ReqContext, host string) bool {
func addOAuthPassThruAuth(c *models.ReqContext, req *http.Request) {
authInfoQuery := &models.GetAuthInfoQuery{UserId: c.UserId}
if err := bus.Dispatch(authInfoQuery); err != nil {
logger.Error("Error fetching oauth information for user", "error", err)
logger.Error("Error fetching oauth information for user", "userid", c.UserId, "username", c.Login, "error", err)
return
}
@ -318,20 +318,21 @@ func addOAuthPassThruAuth(c *models.ReqContext, req *http.Request) {
return
}
// TokenSource handles refreshing the token if it has expired
token, err := connect.TokenSource(c.Req.Context(), &oauth2.Token{
persistedToken := &oauth2.Token{
AccessToken: authInfoQuery.Result.OAuthAccessToken,
Expiry: authInfoQuery.Result.OAuthExpiry,
RefreshToken: authInfoQuery.Result.OAuthRefreshToken,
TokenType: authInfoQuery.Result.OAuthTokenType,
}).Token()
}
// TokenSource handles refreshing the token if it has expired
token, err := connect.TokenSource(c.Req.Context(), persistedToken).Token()
if err != nil {
logger.Error("Failed to retrieve access token from oauth provider", "provider", authInfoQuery.Result.AuthModule, "error", err)
logger.Error("Failed to retrieve access token from OAuth provider", "provider", authInfoQuery.Result.AuthModule, "userid", c.UserId, "username", c.Login, "error", err)
return
}
// If the tokens are not the same, update the entry in the DB
if token.AccessToken != authInfoQuery.Result.OAuthAccessToken {
if !tokensEq(persistedToken, token) {
updateAuthCommand := &models.UpdateAuthInfoCommand{
UserId: authInfoQuery.Result.UserId,
AuthModule: authInfoQuery.Result.AuthModule,
@ -339,10 +340,19 @@ func addOAuthPassThruAuth(c *models.ReqContext, req *http.Request) {
OAuthToken: token,
}
if err := bus.Dispatch(updateAuthCommand); err != nil {
logger.Error("Failed to update access token during token refresh", "error", err)
logger.Error("Failed to update auth info during token refresh", "userid", c.UserId, "username", c.Login, "error", err)
return
}
logger.Debug("Updated OAuth info while proxying an OAuth pass-thru request", "userid", c.UserId, "username", c.Login)
}
req.Header.Del("Authorization")
req.Header.Add("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
}
// tokensEq checks for OAuth2 token equivalence given the fields of the struct Grafana is interested in
func tokensEq(t1, t2 *oauth2.Token) bool {
return t1.AccessToken == t2.AccessToken &&
t1.RefreshToken == t2.RefreshToken &&
t1.Expiry == t2.Expiry &&
t1.TokenType == t2.TokenType
}