OAuth: Forward id token to the data source (#42422)

* OAuth: Forward id token to the data source * Add tests * Forward id token in legacy API * Check if id_token is string or not
2025-01-02 12:17:01 -06:00 · 2021-11-29 17:40:05 +03:00 · 2021-11-29 17:40:05 +03:00 · becfd776c3
commit becfd776c3
parent 58978dcf96
3 changed files with 24 additions and 6 deletions
--- a/pkg/api/metrics.go
+++ b/pkg/api/metrics.go
@ -179,6 +179,11 @@ func (hs *HTTPServer) handleQueryData(ctx context.Context, user *models.SignedIn
 	if hs.OAuthTokenService.IsOAuthPassThruEnabled(ds) {
 		if token := hs.OAuthTokenService.GetCurrentOAuthToken(ctx, user); token != nil {
 			req.Headers["Authorization"] = fmt.Sprintf("%s %s", token.Type(), token.AccessToken)
+
+			idToken, ok := token.Extra("id_token").(string)
+			if ok && idToken != "" {
+				req.Headers["X-ID-Token"] = idToken
+			}
 		}
 	}

--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -269,6 +269,11 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 	if proxy.oAuthTokenService.IsOAuthPassThruEnabled(proxy.ds) {
 		if token := proxy.oAuthTokenService.GetCurrentOAuthToken(proxy.ctx.Req.Context(), proxy.ctx.SignedInUser); token != nil {
 			req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
+
+			idToken, ok := token.Extra("id_token").(string)
+			if ok && idToken != "" {
+				req.Header.Set("X-ID-Token", idToken)
+			}
 		}
 	}
 }
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@ -487,15 +487,22 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 			SignedInUser: &models.SignedInUser{UserId: 1},
 			Context:      &web.Context{Req: req},
 		}
+
+		token := &oauth2.Token{
+			AccessToken:  "testtoken",
+			RefreshToken: "testrefreshtoken",
+			TokenType:    "Bearer",
+			Expiry:       time.Now().AddDate(0, 0, 1),
+		}
+		extra := map[string]interface{}{
+			"id_token": "testidtoken",
+		}
+		token = token.WithExtra(extra)
 		mockAuthToken := mockOAuthTokenService{
-			token: &oauth2.Token{
-				AccessToken:  "testtoken",
-				RefreshToken: "testrefreshtoken",
-				TokenType:    "Bearer",
-				Expiry:       time.Now().AddDate(0, 0, 1),
-			},
+			token:        token,
 			oAuthEnabled: true,
 		}
+
 		var routes []*plugins.Route
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
 		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
@ -507,6 +514,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		proxy.director(req)

 		assert.Equal(t, "Bearer testtoken", req.Header.Get("Authorization"))
+		assert.Equal(t, "testidtoken", req.Header.Get("X-ID-Token"))
 	})

 	t.Run("When SendUserHeader config is enabled", func(t *testing.T) {