From f79654feb33ebc752dc59137aee90ebb18132bac Mon Sep 17 00:00:00 2001
From: arukiidou
Date: Fri, 12 May 2023 16:37:29 +0900
Subject: [PATCH] Auth: Use PKCE by default (If OAuth provider supports PKCE) (#68095)

OAuth: change use_pkce = true to defaults.ini/sample.ini #68073

Signed-off-by: junya koyama
---
 conf/defaults.ini | 10 +++++++---
 conf/sample.ini | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/conf/defaults.ini b/conf/defaults.ini
index 30bd9c64886..261d7e45148 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -162,7 +162,7 @@ query_retries = 0
 # For "sqlite" only. How many times to retry transaction in case of database is locked failures. Default is 5.
 transaction_retries = 5
 
-# Set to true to add metrics and tracing for database queries. 
+# Set to true to add metrics and tracing for database queries.
 instrument_queries = false
 
 #################################### Cache server #############################
@@ -611,6 +611,7 @@ role_attribute_strict = false
 allow_assign_grafana_admin = false
 skip_org_role_sync = false
 tls_skip_verify_insecure = false
+use_pkce = true
 
 #################################### Google Auth #########################
 [auth.google]
@@ -629,6 +630,7 @@ allowed_domains =
 hosted_domain =
 skip_org_role_sync = false
 tls_skip_verify_insecure = false
+use_pkce = true
 
 #################################### Grafana.com Auth ####################
 # legacy key names (so they work in env variables)
@@ -670,6 +672,7 @@ role_attribute_strict = false
 allow_assign_grafana_admin = false
 force_use_graph_api = false
 tls_skip_verify_insecure = false
+use_pkce = true
 
 #################################### Okta OAuth #######################
 [auth.okta]
@@ -691,6 +694,7 @@ role_attribute_strict = false
 allow_assign_grafana_admin = false
 skip_org_role_sync = false
 tls_skip_verify_insecure = false
+use_pkce = true
 
 #################################### Generic OAuth #######################
 [auth.generic_oauth]
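Review bot: The four new `use_pkce = true` lines in conf/defaults.ini (this hunk at @@ -611 and the ones at @@ -629, @@ -670 and @@ -691) are added without any comment, and nothing in the file records that [auth.generic_oauth], which immediately follows the last of them, is deliberately left without the key. The commit title gives the reason (the default is only turned on where the provider is known to support PKCE), but an operator reading defaults.ini alone cannot tell whether the missing line in the generic section is an oversight. A full-line comment above each new key, `# PKCE is on by default; set to false only if the provider does not support it.`, would carry that intent into the file and discourage switching off a protection that binds the code exchange to the client that started the flow. The sections these keys belong to open before each hunk, so their headers are only visible where they appear as trailing context of the preceding hunk.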
@@ -1013,8 +1017,8 @@ ha_peers = ""
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ha_peer_timeout = 15s
 
-# The label is an optional string to include on each packet and stream. 
-# It uniquely identifies the cluster and prevents cross-communication 
+# The label is an optional string to include on each packet and stream.
+# It uniquely identifies the cluster and prevents cross-communication
 # issues when sending gossip messages in an enviromenet with multiple clusters.
 ha_label =
 
diff --git a/conf/sample.ini b/conf/sample.ini
index edef7dc3872..26eb48cf244 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -164,7 +164,7 @@
 # For "sqlite" only. How many times to retry transaction in case of database is locked failures. Default is 5.
 ;transaction_retries = 5
 
-# Set to true to add metrics and tracing for database queries. 
+# Set to true to add metrics and tracing for database queries.
 ;instrument_queries = false
 
 ################################### Data sources #########################
@@ -599,6 +599,7 @@
 ;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
 ;tls_skip_verify_insecure = false
+;use_pkce = true
 
 #################################### Google Auth ##########################
 [auth.google]
@@ -616,6 +617,7 @@
 ;allowed_domains =
 ;hosted_domain =
 ;skip_org_role_sync = false
+;use_pkce = true
 
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
@@ -646,6 +648,7 @@
 ;allowed_groups =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+;use_pkce = true
 
 # prevent synchronizing users organization roles
 ;skip_org_role_sync = false
@@ -667,6 +670,7 @@
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
+;use_pkce = true
 
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
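Review bot: In conf/sample.ini the hunk at @@ -646 inserts `;use_pkce = true` above the `# prevent synchronizing users organization roles` comment and its `;skip_org_role_sync` key, while the hunks at @@ -599, @@ -616 and @@ -667 append it after `;skip_org_role_sync`, and conf/defaults.ini places it after `tls_skip_verify_insecure`; the key now sits at a different position in each copy, which makes the two files harder to compare. Moving the line in the @@ -646 hunk below `;skip_org_role_sync = false` would restore the order used by the other three hunks. Since sample.ini is the annotated template operators copy from, each `;use_pkce = true` also deserves a full-line comment in the style of the neighbouring `# prevent synchronizing users organization roles`, for example `# use PKCE for the authorization code flow (default true); set to false only if the provider does not support it`. The section headers for these hunks begin before each hunk and are not visible here.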
@@ -983,8 +987,8 @@
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;ha_peer_timeout = "15s"
 
-# The label is an optional string to include on each packet and stream. 
-# It uniquely identifies the cluster and prevents cross-communication 
+# The label is an optional string to include on each packet and stream.
+# It uniquely identifies the cluster and prevents cross-communication
 # issues when sending gossip messages in an enviromenet with multiple clusters.
 ;ha_label =