Auth: Add tls_client_cert to OAuth section in defaults.ini. #64746 (#68228)

* Auth: Add tls_client_cert to defaults.ini #64746

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

* Auth: Add tls_client_cert to docs #64746

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

* Auth: Add more `tls_client_cert` for docs

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

* Update docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Revert "Update docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md"

This reverts commit f4f1fda7526bf4af05507bc0dc26e808687514eb.

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>

---------

Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
This commit is contained in:
arukiidou 2023-05-26 21:15:19 +09:00 committed by GitHub
parent 283c1c7dbe
commit d208bf3345
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 0 deletions

View File

@ -590,6 +590,9 @@ role_attribute_path =
role_attribute_strict = false
allow_assign_grafana_admin = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
#################################### GitLab Auth #########################
[auth.gitlab]
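Review bot: The three keys added after `tls_skip_verify_insecure = false` carry empty defaults and no comment saying what they expect. A one-line comment above them stating that each value is a file path, and that `tls_client_cert` is of no use without its matching `tls_client_key`, would let readers configure them without leaving this file. The same applies to the identical additions in the other provider sections below.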
@ -611,6 +614,9 @@ role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
#################################### Google Auth #########################
@ -630,6 +636,9 @@ allowed_domains =
hosted_domain =
skip_org_role_sync = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
#################################### Grafana.com Auth ####################
@ -672,6 +681,9 @@ role_attribute_strict = false
allow_assign_grafana_admin = false
force_use_graph_api = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
#################################### Okta OAuth #######################
@ -694,6 +706,9 @@ role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
#################################### Generic OAuth #######################

View File

@ -599,6 +599,9 @@
;allow_assign_grafana_admin = false
;skip_org_role_sync = false
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
;use_pkce = true
#################################### Google Auth ##########################
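Review bot: This is the only section of the commented-out file that gains `;tls_client_cert`, `;tls_client_key` and `;tls_client_ca`, while the first file gains them in five provider sections. If the other OAuth sections of this file list `;tls_skip_verify_insecure` without the three keys, add them in the same commit so the two files stay in step.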

View File

@ -62,6 +62,9 @@ role_attribute_path =
role_attribute_strict = false
allow_assign_grafana_admin = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
```
You may have to set the `root_url` option of `[server]` for the callback URL to be
@ -82,6 +85,14 @@ to login on your Grafana instance.
You can limit access to only members of a given group or list of
groups by setting the `allowed_groups` option.
You can also specify the SSL/TLS configuration used by the client.
- Set `tls_client_cert` to the path of the certificate.
- Set `tls_client_key` to the path containing the key.
- Set `tls_client_ca` to the path containing a trusted certificate authority list.
`tls_skip_verify_insecure` controls whether a client verifies the server's certificate chain and host name. If it is true, then SSL/TLS accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
### Configure refresh token
> Available in Grafana v9.3 and later versions.
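Review bot: In the added bullets, "the path containing the key" and "the path containing a trusted certificate authority list" read as directories, while the first bullet says "the path of the certificate"; name a file path in all three. The list should also say what the certificate authority list is trusted for. The `tls_skip_verify_insecure` paragraph should add that, with the option set to true, a configured `tls_client_ca` does not protect the connection, since by the paragraph's own wording any server certificate is then accepted.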
@ -142,6 +153,9 @@ role_attribute_path = is_admin && 'Admin' || 'Viewer'
role_attribute_strict = true
allow_assign_grafana_admin = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
```
### Configure automatic login