authn: grpcutils: Mark ID Tokens optional in cloud mode in gRPC Authenticator (#96824)

This patch marks ID tokens as not required when initalising a gRPC Authenticator to be used in `cloud` mode. ID Tokens are still enabled in `cloud` mode, but the `Required` option is set to `false`. This is needed for MT services like Cloud API Server to authenticate against gRPC services like Resource Store with only an Access Token. Signed-off-by: Prem Kumar <prem.saraswat@grafana.com>
2025-02-25 18:55:37 -06:00 · 2024-11-21 18:41:49 +05:30 · 2024-11-21 18:41:49 +05:30 · ca2c874161
commit ca2c874161
parent c2e1a405b9
1 changed files with 8 additions and 2 deletions
--- a/pkg/services/authn/grpcutils/grpc_authenticator.go
+++ b/pkg/services/authn/grpcutils/grpc_authenticator.go
@ -49,14 +49,20 @@ func NewGrpcAuthenticator(cfg *setting.Cfg, tracer tracing.Tracer) (*authnlib.Gr
 	keyRetriever := authnlib.NewKeyRetriever(grpcAuthCfg.KeyRetrieverConfig, authnlib.WithHTTPClientKeyRetrieverOpt(client))

 	grpcOpts := []authnlib.GrpcAuthenticatorOption{
-		authnlib.WithIDTokenAuthOption(true),
 		authnlib.WithKeyRetrieverOption(keyRetriever),
 		authnlib.WithTracerAuthOption(tracer),
 	}
-	if authCfg.Mode == ModeOnPrem {
+	switch authCfg.Mode {
+	case ModeOnPrem:
 		grpcOpts = append(grpcOpts,
 			// Access token are not yet available on-prem
 			authnlib.WithDisableAccessTokenAuthOption(),
+			authnlib.WithIDTokenAuthOption(true),
+		)
+	case ModeCloud:
+		grpcOpts = append(grpcOpts,
+			// ID tokens are enabled but not required in cloud
+			authnlib.WithIDTokenAuthOption(false),
 		)
 	}