Auth: Add skip_org_role_sync for Okta (#62106)

* WIP

* Update pkg/services/login/authinfo.go

* fix: merge

* change order to internal last

* adds: docs

* add: configuration for defaults and sample

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Jo <joao.guerreiro@grafana.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

---------

Co-authored-by: Jo <joao.guerreiro@grafana.com>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

conf/defaults.ini

@@ -621,6 +621,7 @@ allowed_groups =
 role_attribute_path =
 role_attribute_strict = false
 allow_assign_grafana_admin = false
+skip_org_role_sync = false
 
 #################################### Generic OAuth #######################
 [auth.generic_oauth]

conf/sample.ini

@@ -616,6 +616,7 @@
 ;role_attribute_path =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+;skip_org_role_sync = false
 
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]

docs/sources/setup-grafana/configure-grafana/_index.md

@@ -940,6 +940,21 @@ The following table shows the OAuth provider's setting with the default value an
 | GitLab | false | true | User organization roles are set with `defaultRole`, and the organization role can be changed for GitLab synced users. |
 | GitLab | true | true | User organization roles are set with `defaultRole` for GitLab. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
 
+### [auth.okta] skip_org_role_sync
+
+When a user logs in the first time, Grafana sets the organization role based on the value specified in `AutoAssignOrgRole`. If you want to manage organization roles through Grafana's UI, set the `skip_org_role_sync` option to `true`.
+This also impacts `allow_assign_grafana_admin` setting, by not syncing the grafana admin role from GitLab.
+
+> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
+
+The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
+| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
+| --- | --- | --- | --- |
+| Okta | false | false | User organization roles are set with `defaultRole` and cannot be changed. |
+| Github | true | false | User organization roles are set with `defaultRole` for Okta, and Grafana Admins are set. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
+| Okta | false | true | User organization roles are set with `defaultRole`, and the organization role can be changed for Okta synced users. |
+| Okta | true | true | User organization roles are set with `defaultRole` for Okta. For other providers, the synchronization is skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
+
 ### api_key_max_seconds_to_live
 
 Limit of API key seconds to live before expiration. Default is -1 (unlimited).

docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md

@@ -130,6 +130,17 @@ Example:
 role_attribute_path = contains(groups[*], 'admin') && 'GrafanaAdmin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'
 ```
 
+## Skip organization role sync
+
+To prevent the sync of org roles from Okta, set `skip_org_role_sync` to `true`. This is useful if you want to manage the organization roles for your users from within Grafana.
+
+```ini
+[auth.okta]
+# ..
+# prevents the sync of org roles from Okta
+skip_org_role_sync = true
+```
+
 ### Team Sync (Enterprise only)
 
 Map your Okta groups to teams in Grafana so that your users will automatically be added to

packages/grafana-data/src/types/config.ts

@@ -232,6 +232,7 @@ export interface AuthSettings {
   GrafanaComSkipOrgRoleSync?: boolean;
   GithubSkipOrgRoleSync?: boolean;
   GitLabSkipOrgRoleSync?: boolean;
+  OktaSkipOrgRoleSync?: boolean;
   AzureADSkipOrgRoleSync?: boolean;
   GoogleSkipOrgRoleSync?: boolean;
   DisableSyncLock?: boolean;

pkg/api/frontendsettings.go

@@ -155,6 +155,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *contextmodel.ReqContext) (map[st
 			"GrafanaComSkipOrgRoleSync":  hs.Cfg.GrafanaComSkipOrgRoleSync,
 			"GitLabSkipOrgRoleSync":      hs.Cfg.GitLabSkipOrgRoleSync,
 			"AzureADSkipOrgRoleSync":     hs.Cfg.AzureADSkipOrgRoleSync,
+			"OktaSkipOrgRoleSync":        hs.Cfg.OktaSkipOrgRoleSync,
 			"DisableSyncLock":            hs.Cfg.DisableSyncLock,
 		},
 		"buildInfo": map[string]interface{}{

pkg/login/social/okta_oauth.go

@@ -8,12 +8,15 @@ import (
 
 	"golang.org/x/oauth2"
 	"gopkg.in/square/go-jose.v2/jwt"
+
+	"github.com/grafana/grafana/pkg/models/roletype"
 )
 
 type SocialOkta struct {
 	*SocialBase
-	apiUrl        string
-	allowedGroups []string
+	apiUrl          string
+	allowedGroups   []string
+	skipOrgRoleSync bool
 }
 
 type OktaUserInfoJson struct {
@@ -75,14 +78,20 @@ func (s *SocialOkta) UserInfo(client *http.Client, token *oauth2.Token) (*BasicU
 		return nil, errMissingGroupMembership
 	}
 
-	role, grafanaAdmin := s.extractRoleAndAdmin(data.rawJSON, groups, true)
-	if s.roleAttributeStrict && !role.IsValid() {
-		return nil, &InvalidBasicRoleError{idP: "Okta", assignedRole: string(role)}
+	var role roletype.RoleType
+	var isGrafanaAdmin *bool
+	if !s.skipOrgRoleSync {
+		var grafanaAdmin bool
+		role, grafanaAdmin = s.extractRoleAndAdmin(data.rawJSON, groups, true)
+		if s.roleAttributeStrict && !role.IsValid() {
+			return nil, &InvalidBasicRoleError{idP: "Okta", assignedRole: string(role)}
+		}
+		if s.allowAssignGrafanaAdmin {
+			isGrafanaAdmin = &grafanaAdmin
+		}
 	}
-
-	var isGrafanaAdmin *bool = nil
-	if s.allowAssignGrafanaAdmin {
-		isGrafanaAdmin = &grafanaAdmin
+	if s.allowAssignGrafanaAdmin && s.skipOrgRoleSync {
+		s.log.Debug("allowAssignGrafanaAdmin and skipOrgRoleSync are both set, Grafana Admin role will not be synced, consider setting one or the other")
 	}
 
 	return &BasicUserInfo{

pkg/login/social/social.go

@@ -183,9 +183,10 @@ func ProvideService(cfg *setting.Cfg,
 		// Okta
 		if name == "okta" {
 			ss.socialMap["okta"] = &SocialOkta{
-				SocialBase:    newSocialBase(name, &config, info, cfg.AutoAssignOrgRole, cfg.OAuthSkipOrgRoleUpdateSync, *features),
-				apiUrl:        info.ApiUrl,
-				allowedGroups: util.SplitString(sec.Key("allowed_groups").String()),
+				SocialBase:      newSocialBase(name, &config, info, cfg.AutoAssignOrgRole, cfg.OAuthSkipOrgRoleUpdateSync, *features),
+				apiUrl:          info.ApiUrl,
+				allowedGroups:   util.SplitString(sec.Key("allowed_groups").String()),
+				skipOrgRoleSync: cfg.OktaSkipOrgRoleSync,
 			}
 		}
 

pkg/services/login/authinfo.go

@@ -34,6 +34,8 @@ func GetAuthProviderLabel(authModule string) string {
 		return "AzureAD"
 	case "oauth_gitlab":
 		return "GitLab"
+	case "oauth_okta":
+		return "Okta"
 	case "oauth_grafana_com", "oauth_grafananet":
 		return "grafana.com"
 	case SAMLAuthModule:

pkg/setting/setting.go

@@ -500,6 +500,9 @@ type Cfg struct {
 
 	SecureSocksDSProxy SecureSocksDSProxySettings
 
+	// Okta OAuth
+	OktaSkipOrgRoleSync bool
+
 	// Access Control
 	RBACEnabled         bool
 	RBACPermissionCache bool
@@ -1394,6 +1397,11 @@ func readAuthGitlabSettings(iniFile *ini.File, cfg *Cfg) {
 	cfg.GitLabSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
 }
 
+func readAuthOktaSettings(iniFile *ini.File, cfg *Cfg) {
+	sec := iniFile.Section("auth.okta")
+	cfg.OktaSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
+}
+
 func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	auth := iniFile.Section("auth")
 
@@ -1454,6 +1462,9 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	// GitLab Auth
 	readAuthGitlabSettings(iniFile, cfg)
 
+	// Okta Auth
+	readAuthOktaSettings(iniFile, cfg)
+
 	// anonymous access
 	AnonymousEnabled = iniFile.Section("auth.anonymous").Key("enabled").MustBool(false)
 	cfg.AnonymousEnabled = AnonymousEnabled

public/app/features/admin/UserAdminPage.tsx

@@ -117,6 +117,7 @@ export class UserAdminPage extends PureComponent<Props> {
     const isGitLabUser = user?.isExternal && user?.authLabels?.includes('GitLab');
     const isAuthProxyUser = user?.isExternal && user?.authLabels?.includes('Auth Proxy');
     const isAzureADUser = user?.isExternal && user?.authLabels?.includes('AzureAD');
+    const isOktaUser = user?.isExternal && user?.authLabels?.includes('Okta');
     const isGrafanaComUser = user?.isExternal && user?.authLabels?.includes('grafana.com');
     const isUserSynced =
       !config.auth.DisableSyncLock &&
@@ -127,6 +128,7 @@ export class UserAdminPage extends PureComponent<Props> {
           isGitLabUser ||
           isOAuthUserWithSkippableSync ||
           isSAMLUser ||
+          isOktaUser ||
           isLDAPUser ||
           isGithubUser ||
           isAzureADUser ||
@@ -139,6 +141,7 @@ export class UserAdminPage extends PureComponent<Props> {
         (!config.auth.JWTAuthSkipOrgRoleSync && isJWTUser) ||
         // both OAuthSkipOrgRoleUpdateSync and specific provider settings needs to be false for a user to be synced
         (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GrafanaComSkipOrgRoleSync && isGrafanaComUser) ||
+        (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.OktaSkipOrgRoleSync && isOktaUser) ||
         (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GithubSkipOrgRoleSync && isGithubUser) ||
         (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.AzureADSkipOrgRoleSync && isAzureADUser) ||
         (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GitLabSkipOrgRoleSync && isGitLabUser) ||