Allow oauth email attribute name to be configurable (#13006)

* Allow oauth email attribute name to be configurable

Signed-off-by: Bob Shannon <bshannon@palantir.com>

* Document e-mail determination steps for generic oauth

* Add reference to email_attribute_name

* Re-add e-mail determination docs to new generic-oauth page

* Inherit default e-mail attribute from defaults.ini
Bob Shannon
2018-09-10 03:45:07 -04:00
committed by Torkel Ödegaard
parent 7c78b64a36
commit f257ff0216
5 changed files with 31 additions and 18 deletions

@@ -32,7 +32,14 @@ allowed_domains = mycompany.com mycompany.org
allow_sign_up = true
```
Set api_url to the resource that returns [OpenID UserInfo](https://connect2id.com/products/server/docs/api/userinfo) compatible information.
Set `api_url` to the resource that returns [OpenID UserInfo](https://connect2id.com/products/server/docs/api/userinfo) compatible information.
Grafana will attempt to determine the user's e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:
1. Check for the presence of an e-mail address via the `email` field encoded in the OAuth `id_token` parameter.
2. Check for the presence of an e-mail address in the `attributes` map encoded in the OAuth `id_token` parameter. By default Grafana will perform a lookup into the attributes map using the `email:primary` key, however, this is configurable and can be adjusted by using the `email_attribute_name` configuration option.
3. Query the `/emails` endpoint of the OAuth provider's API (configured with `api_url`) and check for the presence of an e-mail address marked as a primary address.
4. If no e-mail address is found in steps (1-3), then the e-mail address of the user is set to the empty string.
## Set up OAuth2 with Okta
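Review bot: step 2 introduces the `email_attribute_name` option, but the sample config block that ends just above this hunk (`allowed_domains = ...`, `allow_sign_up = true`) never shows it, so a reader has to guess where the key goes and what the default is; since the commit message says the default is inherited from defaults.ini, consider adding a line such as `email_attribute_name = email:primary` to that example so the default appears alongside the other keys. Two smaller points in the same hunk: "as described below in the following order until an e-mail address is found" can be shortened to "in the following order until an e-mail address is found", and step 4 would be more useful if it said what an empty e-mail address means for the login (for example whether the user is still created when `allow_sign_up = true`), since that is the case an operator troubleshooting a missing e-mail will hit.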