Authn: allow ResolveIdentity to authenticate in "global" scope (#85835)

* Authn: allow ResolveIdentity to authenticate in "global" scope

* Use constant

pkg/services/authn/authn.go

@@ -59,6 +59,8 @@ type ClientParams struct {
 	SyncPermissions bool
 	// FetchPermissionsParams are the arguments used to fetch permissions from the DB
 	FetchPermissionsParams FetchPermissionsParams
+	// AllowGlobalOrg would allow a client to authenticate in global scope AKA org 0
+	AllowGlobalOrg bool
 }
 
 type FetchPermissionsParams struct {

pkg/services/authn/authnimpl/sync/user_sync.go

@@ -132,6 +132,13 @@ func (s *UserSync) FetchSyncedUserHook(ctx context.Context, identity *authn.Iden
 		return errFetchingSignedInUser.Errorf("failed to resolve user: %w", err)
 	}
 
+	if identity.ClientParams.AllowGlobalOrg && identity.OrgID == authn.GlobalOrgID {
+		usr.Teams = nil
+		usr.OrgName = ""
+		usr.OrgRole = org.RoleNone
+		usr.OrgID = authn.GlobalOrgID
+	}
+
 	syncSignedInUserToIdentity(usr, identity)
 	return nil
 }

pkg/services/authn/clients/identity.go

@@ -26,6 +26,7 @@ func (i *IdentityClient) Authenticate(ctx context.Context, r *authn.Request) (*a
 		OrgID: r.OrgID,
 		ID:    i.namespaceID,
 		ClientParams: authn.ClientParams{
+			AllowGlobalOrg:  true,
 			FetchSyncedUser: true,
 			SyncPermissions: true,
 		},