Merge pull request #686 from percona-platform/pmm-2.39.0

[v9.2.x] Add and document option for enabling email lookup (grafana#918) (#677)
percona · Sep 6, 2023 · af0add9 · af0add9
2 parents 493e60d + 509b8ff
commit af0add9
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/conf/defaults.ini b/conf/defaults.ini
@@ -455,6 +455,9 @@ sigv4_verbose_logging = false
 # Set to true to enable Azure authentication option for HTTP-based datasources
 azure_auth_enabled = false
 
+# Use email lookup in addition to the unique ID provided by the IdP
+oauth_allow_insecure_email_lookup = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access

diff --git a/conf/sample.ini b/conf/sample.ini
@@ -225,7 +225,7 @@
 ;google_analytics_ua_id =
 
 # Google Analytics 4 tracking code, only enabled if you specify an id here
-;google_analytics_4_id = 
+;google_analytics_4_id =
 
 # Google Tag Manager ID, only enabled if you specify an id here
 ;google_tag_manager_id =
@@ -455,6 +455,9 @@
 # Set to true to enable Azure authentication option for HTTP-based datasources.
 ;azure_auth_enabled = false
 
+# Use email lookup in addition to the unique ID provided by the IdP
+;oauth_allow_insecure_email_lookup = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access

diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md
@@ -72,6 +72,9 @@ token_rotation_interval_minutes = 10
 
 # The maximum lifetime (seconds) an API key can be used. If it is set all the API keys should have limited lifetime that is lower than this value.
 api_key_max_seconds_to_live = -1
+
+# Enforce user lookup based on email instead of the unique ID provided by the IdP.
+oauth_allow_insecure_email_lookup = false
 ```
 
 ### Anonymous authentication
@@ -114,6 +117,20 @@ You can hide the Grafana login form using the below configuration settings.
 disable_login_form = true
 ```
 
+### Enable email lookup
+
+Enable user lookup based on email in addition to using unique ID provided by IdPs.
+
+By default, Grafana relies on the user unique ID provided by the identity provider.
+Looking up users by email can be safe for some identity providers (for example, when they are single tenants and unique non-editable, validated emails are provided), as well as in some infrastructures.
+
+We strongly recommend against enabling email lookups, however it is possible to do with the following configuration.
+
+```bash
+[auth]
+oauth_allow_insecure_email_lookup = true
+```
+
 ### Automatic OAuth login
 
 Set to true to attempt login with OAuth automatically, skipping the login screen.