OAuth: Introduce user_refresh_token setting and make it default for the selected providers (#71533)

* First changes

* WIP docs

* Align current tests

* Add test for UseRefreshToken

* Update docs

* Fix

* Remove unnecessary AuthCodeURL from generic_oauth

* Change GitHub to disable use_refresh_token by default
Misi
2023-07-14 14:03:01 +02:00
committed by GitHub
parent 1f3aa099d5
commit dcf26564db
15 changed files with 333 additions and 96 deletions

@@ -21,6 +21,7 @@ The Azure AD authentication allows you to use an Azure Active Directory tenant a
- [Assign server administrator privileges](#assign-server-administrator-privileges)
- [Enable Azure AD OAuth in Grafana](#enable-azure-ad-oauth-in-grafana)
- [Configure refresh token](#configure-refresh-token)
- [Configure allowed tenants](#configure-allowed-tenants)
- [Configure allowed groups](#configure-allowed-groups)
- [Configure allowed domains](#configure-allowed-domains)
- [PKCE](#pkce)
@@ -176,7 +177,9 @@ When a user logs in using an OAuth provider, Grafana verifies that the access to
Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired.
To enable a refresh token for AzureAD, extend the `scopes` in `[auth.azuread]` with `offline_access`.
Refresh token fetching and access token expiration check is enabled by default for the AzureAD provider since Grafana v10.1.0 if the `accessTokenExpirationCheck` feature toggle is enabled. If you would like to disable access token expiration check then set the `use_refresh_token` configuration value to `false`.
> **Note:** The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.2.0 and the `use_refresh_token` configuration value will be used instead for configuring refresh token fetching and access token expiration check.
### Configure allowed tenants
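Review bot: the new "enabled by default for the AzureAD provider since Grafana v10.1.0" sentence sits directly under "To enable a refresh token for AzureAD, extend the `scopes` in `[auth.azuread]` with `offline_access`", and the two read as contradictory; make explicit that `use_refresh_token` only controls whether Grafana uses a refresh token and checks access token expiry, while the `offline_access` scope is still what makes Azure AD issue one, so the new default does nothing unless the scope is present. Also fix the agreement in "Refresh token fetching and access token expiration check is enabled" (two subjects, so "are enabled") and the clause "If you would like to disable access token expiration check then set" (add the article and a comma: "To disable the access token expiration check, set ..."); the same two sentences are copied into the GitLab and Google pages in this commit, so apply the fix there as well.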

@@ -65,7 +65,9 @@ To integrate your OAuth2 provider with Grafana using our generic OAuth2 authenti
b. Extend the `scopes` field of `[auth.generic_oauth]` section in Grafana configuration file with refresh token scope used by your OAuth2 provider.
c. Enable the refresh token on the provider if required.
c. Set `use_refresh_token` to `true` in `[auth.generic_oauth]` section in Grafana configuration file.
d. Enable the refresh token on the provider if required.
1. [Configure role mapping]({{< relref "#configure-role-mapping" >}}).
1. Optional: [Configure team synchronization]({{< relref "#configure-team-synchronization" >}}).
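Review bot: step c now tells the reader to set `use_refresh_token` to `true`, but the options table further down in this same file says the `accessTokenExpirationCheck` feature toggle must also be enabled for the setting to take effect; either add that requirement to the step or link to the "Configure refresh token" section, so a reader who follows only the numbered steps does not end up with an option that is not sufficient on its own. The sub-steps also run b, c, d under a single "1." item; check that the rendered numbering is what you intend.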
@@ -113,6 +115,7 @@ The following table outlines the various generic OAuth2 configuration options. Y
| `tls_client_key` | No | The path to the key. | |
| `tls_client_ca` | No | The path to the trusted certificate authority list. | |
| `use_pkce` | No | Set to `true` to use [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636). Grafana uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier. | `false` |
| `use_refresh_token` | No | Set to `true` to use refresh token and check access token expiration. The `accessTokenExpirationCheck` feature toggle should also be enabled to use refresh token. | `false` |
### Configure login
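Review bot: the `use_refresh_token` row reads "to use refresh token and check access token expiration" and "should also be enabled"; write "a refresh token" and "must", and since the other pages in this commit say the `accessTokenExpirationCheck` toggle is removed in v10.2.0, say so here too (for example "Requires the `accessTokenExpirationCheck` feature toggle until it is removed in v10.2.0") so the table does not go stale when the toggle disappears.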
@@ -169,11 +172,13 @@ When a user logs in using an OAuth2 provider, Grafana verifies that the access t
Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired.
To configure generic OAuth2 to use a refresh token, perform one or both of the following steps, if required:
To configure generic OAuth2 to use a refresh token, set `use_refresh_token` configuration option to `true` and perform one or both of the following steps, if required:
1. Extend the `scopes` field of `[auth.generic_oauth]` section in Grafana configuration file with additional scopes.
1. Enable the refresh token on the provider.
> **Note:** The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.2.0 and the `use_refresh_token` configuration value will be used instead for configuring refresh token fetching and access token expiration check.
## Configure role mapping
Unless `skip_org_role_sync` option is enabled, the user's role will be set to the role retrieved from the auth provider upon user login.
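Review bot: the unchanged sentence "If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired" is now misleading for generic OAuth, where the options table gives `use_refresh_token` a default of `false` and the expiration check is therefore off; qualify it with "when `use_refresh_token` is enabled", otherwise readers will expect a logout on expiry that the default configuration does not perform. Also add "the" before "`use_refresh_token` configuration option" in the rewritten sentence.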
@@ -336,6 +341,7 @@ To set up generic OAuth2 authentication with Auth0, follow these steps:
token_url = https://<domain>/oauth/token
api_url = https://<domain>/userinfo
use_pkce = true
use_refresh_token = true
```
### Set up OAuth2 with Bitbucket
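Review bot: `use_refresh_token = true` is added to the Auth0 example, but the hunk does not show the `scopes` line that step b above says must carry the provider's refresh-token scope; confirm that the snippet's `scopes` value (outside this hunk) includes it, or add a comment beside the new option, so the example is not copied without the scope that actually produces the refresh token.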
@@ -368,6 +374,7 @@ To set up generic OAuth2 authentication with Bitbucket, follow these steps:
team_ids_attribute_path = values[*].workspace.slug
team_ids =
allowed_organizations =
use_refresh_token = true
```
By default, a refresh token is included in the response for the **Authorization Code Grant**.

@@ -104,6 +104,10 @@ Grafana uses a refresh token to obtain a new access token without requiring the
By default, GitLab provides a refresh token.
Refresh token fetching and access token expiration check is enabled by default for the GitLab provider since Grafana v10.1.0 if the `accessTokenExpirationCheck` feature toggle is enabled. If you would like to disable access token expiration check then set the `use_refresh_token` configuration value to `false`.
> **Note:** The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.2.0 and the `use_refresh_token` configuration value will be used instead for configuring refresh token fetching and access token expiration check.
### allowed_groups
To limit access to authenticated users that are members of one or more [GitLab

@@ -82,6 +82,10 @@ Grafana uses a refresh token to obtain a new access token without requiring the
By default, Grafana includes the `access_type=offline` parameter in the authorization request to request a refresh token.
Refresh token fetching and access token expiration check is enabled by default for the Google provider since Grafana v10.1.0 if the `accessTokenExpirationCheck` feature toggle is enabled. If you would like to disable access token expiration check then set the `use_refresh_token` configuration value to `false`.
> **Note:** The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.2.0 and the `use_refresh_token` configuration value will be used instead for configuring refresh token fetching and access token expiration check.
### Configure automatic login
Set `auto_login` option to true to attempt login automatically, skipping the login screen.

@@ -75,7 +75,10 @@ When a user logs in using an OAuth provider, Grafana verifies that the access to
Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired.
1. To enable the `Refresh Token`, grant type in the `General Settings` section.
1. Extend the `scopes` in `[auth.okta]` with `offline_access`.
1. Extend the `scopes` in `[auth.okta]` with `offline_access` for Grafana versions between v9.3 and v10.0.x.
1. Set `use_refresh_token` in `[auth.okta]` to `true` for Grafana versions v10.1.0 and later.
> **Note:** The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.2.0 and the `use_refresh_token` configuration value will be used instead for configuring refresh token fetching and access token expiration check.
### Configure allowed groups and domains
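Review bot: the new steps split the `offline_access` scope ("between v9.3 and v10.0.x") from `use_refresh_token` ("v10.1.0 and later"), which reads as if the scope is no longer needed on v10.1.0+; state explicitly whether Grafana now requests `offline_access` itself or whether both the scope and the option are required, because `use_refresh_token` only governs Grafana's own behaviour and cannot make Okta return a refresh token. Step 1, an unchanged context line, reads "To enable the `Refresh Token`, grant type in the `General Settings` section" and is missing its verb; worth fixing while this list is being edited.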