Auth: Remove oauth skip org role sync (#84972)

* remove oauth wide skip org role sync * we are warning from config * set it to false * removed from config ini files and updated docs
2025-02-25 18:55:37 -06:00 · 2024-03-22 15:34:05 +01:00
parent f2c7023fe6
commit bb792ff540
11 changed files with 8 additions and 40 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -561,10 +561,6 @@ oauth_auto_login = false
 # OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
 oauth_state_cookie_max_age = 600
 # Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
 # Deprecated, use skip_org_role_sync option for specific provider instead.
 oauth_skip_org_role_update_sync = false
 # limit of api_key seconds to live before expiration
 api_key_max_seconds_to_live = -1
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -538,10 +538,6 @@
 # OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
 ;oauth_state_cookie_max_age = 600
 # Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
 # Deprecated, use skip_org_role_sync option for specific provider instead.
 ;oauth_skip_org_role_update_sync = false
 # limit of api_key seconds to live before expiration
 ;api_key_max_seconds_to_live = -1
--- a/docs/sources/setup-grafana/configure-grafana/_index.md
+++ b/docs/sources/setup-grafana/configure-grafana/_index.md
@@ -938,10 +938,10 @@ Administrators can increase this if they experience OAuth login state mismatch e
 ### oauth_skip_org_role_update_sync
 {{% admonition type="note" %}}
-This option is deprecated in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider.
+This option is removed from G11 in favor of OAuth provider specific `skip_org_role_sync` settings. The following sections explain settings for each provider.
 {{% /admonition %}}
-If you want to change the `oauth_skip_org_role_update_sync` setting to `false`, then for each provider you have set up, use the `skip_org_role_sync` setting to specify whether you want to skip the synchronization.
+If you want to change the `oauth_skip_org_role_update_sync` setting from `true` to `false`, then each provider you have set up, use the `skip_org_role_sync` setting to specify whether you want to skip the synchronization.
 {{% admonition type="warning" %}}
 Currently if no organization role mapping is found for a user, Grafana doesn't update the user's organization role.
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -327,7 +327,6 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro
 	oauthProviders := hs.SocialService.GetOAuthInfoProviders()
 	frontendSettings.Auth = dtos.FrontendSettingsAuthDTO{
 		AuthProxyEnableLoginToken:     hs.Cfg.AuthProxy.EnableLoginToken,
 		OAuthSkipOrgRoleUpdateSync:    hs.Cfg.OAuthSkipOrgRoleUpdateSync,
 		SAMLSkipOrgRoleSync:           hs.Cfg.SAMLSkipOrgRoleSync,
 		LDAPSkipOrgRoleSync:           hs.Cfg.LDAPSkipOrgRoleSync,
 		JWTAuthSkipOrgRoleSync:        hs.Cfg.JWTAuth.SkipOrgRoleSync,
--- a/pkg/login/social/connectors/azuread_oauth_test.go
+++ b/pkg/login/social/connectors/azuread_oauth_test.go
@@ -801,7 +801,6 @@ func TestSocialAzureAD_SkipOrgRole(t *testing.T) {
 				},
 				cfg: &setting.Cfg{
 					AutoAssignOrgRole: "",
 					OAuthSkipOrgRoleUpdateSync: false,
 				},
 			},
 			claims: &azureClaims{
@@ -832,7 +831,6 @@ func TestSocialAzureAD_SkipOrgRole(t *testing.T) {
 				},
 				cfg: &setting.Cfg{
 					AutoAssignOrgRole: "",
 					OAuthSkipOrgRoleUpdateSync: false,
 				},
 			},
 			claims: &azureClaims{
--- a/pkg/login/social/connectors/gitlab_oauth_test.go
+++ b/pkg/login/social/connectors/gitlab_oauth_test.go
@@ -363,7 +363,6 @@ func TestSocialGitlab_extractFromToken(t *testing.T) {
 				},
 				&setting.Cfg{
 					AutoAssignOrgRole: "",
 					OAuthSkipOrgRoleUpdateSync: false,
 				}, &ssosettingstests.MockService{},
 				featuremgmt.WithFeatures())
--- a/pkg/login/social/connectors/okta_oauth_test.go
+++ b/pkg/login/social/connectors/okta_oauth_test.go
@@ -112,7 +112,6 @@ func TestSocialOkta_UserInfo(t *testing.T) {
 				},
 				&setting.Cfg{
 					AutoAssignOrgRole: tt.autoAssignOrgRole,
 					OAuthSkipOrgRoleUpdateSync: false,
 				},
 				&ssosettingstests.MockService{},
 				featuremgmt.WithFeatures())
--- a/pkg/services/authn/clients/oauth.go
+++ b/pkg/services/authn/clients/oauth.go
@@ -162,9 +162,6 @@ func (c *OAuth) Authenticate(ctx context.Context, r *authn.Request) (*authn.Iden
 	}
 	orgRoles, isGrafanaAdmin, _ := getRoles(c.cfg, func() (org.RoleType, *bool, error) {
 		if c.cfg.OAuthSkipOrgRoleUpdateSync {
 			return "", nil, nil
 		}
 		return userInfo.Role, userInfo.IsGrafanaAdmin, nil
 	})
--- a/pkg/services/login/authinfo.go
+++ b/pkg/services/login/authinfo.go
@@ -78,12 +78,6 @@ func IsExternallySynced(cfg *setting.Cfg, authModule string, oauthInfo *social.O
 	case JWTModule:
 		return !cfg.JWTAuth.SkipOrgRoleSync
 	}
 	// then check the rest of the oauth providers
 	// FIXME: remove this once we remove the setting
 	// is a deprecated setting that is used to skip org role sync for all external oauth providers
 	if cfg.OAuthSkipOrgRoleUpdateSync {
 		return false
 	}
 	switch authModule {
 	case GoogleAuthModule, OktaAuthModule, AzureADAuthModule, GitLabAuthModule, GithubAuthModule, GrafanaComAuthModule, GenericOAuthModule:
 		if oauthInfo == nil {
--- a/pkg/services/login/authinfo_test.go
+++ b/pkg/services/login/authinfo_test.go
@@ -32,14 +32,6 @@ func TestIsExternallySynced(t *testing.T) {
 			provider:  AzureADAuthModule,
 			expected:  false,
 		},
 		// FIXME: remove this test as soon as we remove the deprecated setting for skipping org role sync for all external oauth providers
 		{
 			name:      "AzureAD external user should return that it is not externally synced when oauth org role sync is set",
 			cfg:       &setting.Cfg{OAuthSkipOrgRoleUpdateSync: true},
 			oauthInfo: &social.OAuthInfo{Enabled: true, SkipOrgRoleSync: false},
 			provider:  AzureADAuthModule,
 			expected:  false,
 		},
 		{
 			name:      "AzureAD external user should return that it is not externally synced when the provider is not enabled",
 			cfg:       &setting.Cfg{},
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -1571,11 +1571,9 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(600)
 	cfg.SignoutRedirectUrl = valueAsString(auth, "signout_redirect_url", "")
 	// Deprecated
-	cfg.OAuthSkipOrgRoleUpdateSync = auth.Key("oauth_skip_org_role_update_sync").MustBool(false)
+	cfg.OAuthSkipOrgRoleUpdateSync = false
 	if cfg.OAuthSkipOrgRoleUpdateSync {
 		cfg.Logger.Warn("[Deprecated] The oauth_skip_org_role_update_sync configuration setting is deprecated. Please use skip_org_role_sync inside the auth provider section instead.")
 	}
 	cfg.DisableLogin = auth.Key("disable_login").MustBool(false)