Auth: OAuth sets skip_org_role_sync = true for auth.google by default (#72819)

* sets skip_org_role_sync to true for google * add google skiporgrolesync and sets to true always * add field * Update docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * add AKS to words * script back to mina --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2023-08-04 16:17:35 +02:00
parent 3395ad03a7
commit 95760cb021
4 changed files with 11 additions and 7 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md
@@ -102,7 +102,7 @@ auto_login = true

 ## Skip organization role sync

-We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. To manage your user's organization role from within Grafana, set `skip_org_role_sync` to `true`.
+We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. The default setting for `skip_org_role_sync` is `true`, which means that role modifications can still be made through the user interface.

 ```ini
 [auth.google]
--- a/pkg/login/social/google_oauth.go
+++ b/pkg/login/social/google_oauth.go
@@ -22,6 +22,7 @@ type SocialGoogle struct {
 	*SocialBase
 	hostedDomain    string
 	apiUrl          string
+	skipOrgRoleSync bool
 }

 type googleUserData struct {
--- a/pkg/login/social/social.go
+++ b/pkg/login/social/social.go
@@ -192,6 +192,7 @@ func ProvideService(cfg *setting.Cfg,
 				SocialBase:      newSocialBase(name, &config, info, cfg.AutoAssignOrgRole, cfg.OAuthSkipOrgRoleUpdateSync, *features),
 				hostedDomain:    info.HostedDomain,
 				apiUrl:          info.ApiUrl,
+				skipOrgRoleSync: cfg.GoogleSkipOrgRoleSync,
 			}
 		}

--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -1482,7 +1482,9 @@ func readAuthGithubSettings(cfg *Cfg) {
 func readAuthGoogleSettings(cfg *Cfg) {
 	sec := cfg.SectionWithEnvOverrides("auth.google")
 	cfg.GoogleAuthEnabled = sec.Key("enabled").MustBool(false)
-	cfg.GoogleSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
+	// FIXME: for now we skip org role sync for google auth
+	// as we do not sync organization roles from Google
+	cfg.GoogleSkipOrgRoleSync = true
 }

 func readAuthGitlabSettings(cfg *Cfg) {