IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14563 from tdabasinskas/broken_oauth_provider

Browse Source 
Support OAuth providers that are not RFC6749 compliant
This commit is contained in:
Carl Bergquist 2018-12-19 16:05:53 +01:00 committed by GitHub
commit c201fc170f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 54 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
conf/defaults.ini
View File

@ -335,6 +335,7 @@ tls_skip_verify_insecure = false
tls_client_cert = tls_client_cert =
tls_client_key = tls_client_key =
tls_client_ca = tls_client_ca =
send_client_credentials_via_post = false
#################################### Basic Auth ########################## #################################### Basic Auth ##########################
[auth.basic] [auth.basic]

4
conf/sample.ini
View File

@ -284,6 +284,10 @@ log_queries =
;tls_client_key = ;tls_client_key =
;tls_client_ca = ;tls_client_ca =
; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
;send_client_credentials_via_post = false
#################################### Grafana.com Auth #################### #################################### Grafana.com Auth ####################
[auth.grafana_com] [auth.grafana_com]
;enabled = false ;enabled = false

11
docs/sources/auth/generic-oauth.md
View File

@ -209,6 +209,17 @@ allowed_organizations =
token_url = https://<your domain>.my.centrify.com/OAuth2/Token/<Application ID> token_url = https://<your domain>.my.centrify.com/OAuth2/Token/<Application ID>
``` ```
## Set up OAuth2 with non-compliant providers
Some OAuth2 providers might not support `client_id` and `client_secret` passed via Basic Authentication HTTP header, which
results in `invalid_client` error. To allow Grafana to authenticate via these type of providers, the client identifiers must be
send via POST body, which can be enabled via the following settings:
```bash
[auth.generic_oauth]
send_client_credentials_via_post = true
```
<hr> <hr>

1
pkg/setting/setting_oauth.go
View File

@ -15,6 +15,7 @@ type OAuthInfo struct {
TlsClientKey string TlsClientKey string
TlsClientCa string TlsClientCa string
TlsSkipVerify bool TlsSkipVerify bool
SendClientCredentialsViaPost bool
} }
type OAuther struct { type OAuther struct {

6
pkg/social/social.go
View File

@ -79,12 +79,18 @@ func NewOAuthService() {
TlsClientKey: sec.Key("tls_client_key").String(), TlsClientKey: sec.Key("tls_client_key").String(),
TlsClientCa: sec.Key("tls_client_ca").String(), TlsClientCa: sec.Key("tls_client_ca").String(),
TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(), TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(),
SendClientCredentialsViaPost: sec.Key("send_client_credentials_via_post").MustBool(),
} }
if !info.Enabled { if !info.Enabled {
continue continue
} }
// handle the clients that do not properly support Basic auth headers and require passing client_id/client_secret via POST payload
if info.SendClientCredentialsViaPost {
oauth2.RegisterBrokenAuthHeaderProvider(info.TokenUrl)
}
if name == "grafananet" { if name == "grafananet" {
name = grafanaCom name = grafanaCom
} }