feat: Generic Oauth: support for team_ids, team_ids_attribute_path, teams_url #770
Description
The Generic OAuth section of the Grafana configuration helps impose additional restrictions on who is allowed to log in. One of those restrictions is the user's presence in a particular team id (which has nothing to do with teams in Grafana itself). From the docs:
Grafana will check for the presence of at least one of the teams specified via the team_ids configuration option using the JMESPath specified via the team_ids_attribute_path configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the Teams endpoint specified via the teams_url configuration option (using /teams as a fallback endpoint). The result should be a string array of Grafana Team IDs. Using this setting ensures that only certain teams are allowed to authenticate to Grafana using your OAuth provider.
Source: https://grafana.com/docs/grafana/latest/auth/generic-oauth/#groups--teams
So this PR brings support to the following parameters:
My actual use case is non-standard: in my tiny app, I'm trying to exploit this setting to get access to a user ID token (it gets sent to teams_url by Grafana), so I can then add the user to a team via the Grafana API based on the user's claims.
Type of change
Checklist
Verification steps
It'd be slightly difficult to do an e2e test, as part of the configuration has to be done on the IdP side (Keycloak in my case) and a web server that would return a JSON with team ids is needed. So, I'd say it's better to just check the presence of the 3 newly added fields (teams_url, team_ids_attribute_path, team_ids) in the grafana ConfigMap.
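Added example, not part of this PR or of Grafana's own code: a Python sketch of the check the quoted docs describe, reading the three keys from a constructed grafana.ini fragment and evaluating a minimal JMESPath-like projection (a stand-in for the real JMESPath evaluator, only dotted keys and `[*]`) against a constructed teams_url response. All values, the host name and the response shape are made up for illustration.

```python
import configparser
import json

# Constructed grafana.ini fragment using the three keys this PR exposes (values are made up).
GRAFANA_INI = """
[auth.generic_oauth]
team_ids = 150, 240
team_ids_attribute_path = teams[*].id
teams_url = https://idp.example.invalid/teams
"""

# Constructed example of what a teams_url endpoint might return for the logged-in user.
TEAMS_RESPONSE = '{"user": "alice", "teams": [{"id": 240, "name": "sre"}, {"id": 999, "name": "dev"}]}'


def load_team_settings(ini_text):
    """Read the three team-related keys from the [auth.generic_oauth] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    sec = cfg["auth.generic_oauth"]
    team_ids = [t.strip() for t in sec.get("team_ids", "").split(",") if t.strip()]
    return team_ids, sec.get("team_ids_attribute_path", ""), sec.get("teams_url", "/teams")


def evaluate_path(path, doc):
    """Tiny JMESPath-like subset (dotted keys and `[*]` projections), enough for teams[*].id.
    Stand-in for the real evaluator; returns the list of matched leaf values."""
    current = [doc]
    for segment in path.split("."):
        key, projected = (segment[:-3], True) if segment.endswith("[*]") else (segment, False)
        nxt = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue
            value = node[key]
            if projected:
                if isinstance(value, list):
                    nxt.extend(value)
            else:
                nxt.append(value)
        current = nxt
    return current


def is_team_member(ini_text, teams_json):
    """Allow login only if the user belongs to at least one configured team id.
    A malformed response or a non-scalar path result counts as 'not a member' (fail closed)."""
    team_ids, path, _teams_url = load_team_settings(ini_text)
    if not team_ids:  # no team restriction configured
        return True
    try:
        result = evaluate_path(path, json.loads(teams_json))
    except (ValueError, TypeError):
        return False
    memberships = {str(v) for v in result if isinstance(v, (str, int))}
    return bool(memberships & set(team_ids))
```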