authn: grpcutils: Mark ID Tokens optional in cloud mode in gRPC Authenticator (#96824)

This patch marks ID tokens as not required when initalising a gRPC
Authenticator to be used in `cloud` mode. ID Tokens are still enabled in
`cloud` mode, but the `Required` option is set to `false`.

This is needed for MT services like Cloud API Server to authenticate
against gRPC services like Resource Store with only an Access Token.

Signed-off-by: Prem Kumar <prem.saraswat@grafana.com>

pkg/services/authn/grpcutils/grpc_authenticator.go

@@ -49,14 +49,20 @@ func NewGrpcAuthenticator(cfg *setting.Cfg, tracer tracing.Tracer) (*authnlib.Gr
 	keyRetriever := authnlib.NewKeyRetriever(grpcAuthCfg.KeyRetrieverConfig, authnlib.WithHTTPClientKeyRetrieverOpt(client))
 
 	grpcOpts := []authnlib.GrpcAuthenticatorOption{
-		authnlib.WithIDTokenAuthOption(true),
 		authnlib.WithKeyRetrieverOption(keyRetriever),
 		authnlib.WithTracerAuthOption(tracer),
 	}
-	if authCfg.Mode == ModeOnPrem {
+	switch authCfg.Mode {
+	case ModeOnPrem:
 		grpcOpts = append(grpcOpts,
 			// Access token are not yet available on-prem
 			authnlib.WithDisableAccessTokenAuthOption(),
+			authnlib.WithIDTokenAuthOption(true),
+		)
+	case ModeCloud:
+		grpcOpts = append(grpcOpts,
+			// ID tokens are enabled but not required in cloud
+			authnlib.WithIDTokenAuthOption(false),
 		)
 	}