
Auth: support token introspection #87991

Open
wasim-nihal opened this issue May 16, 2024 · 4 comments

Comments

@wasim-nihal
Contributor

wasim-nihal commented May 16, 2024

Why is this needed:

Currently, if the user logs in using one of the OAuth providers and sometime later the session is logged out from the authorization server, the user will still be able to perform tasks on Grafana. In our organization we have a requirement that users should not have permission once their session is closed/signed out from the authorization server.

What would you like to be added:

Token introspection needs to be added in Grafana to validate the access token from the authorization server. If the session is signed out, the access token will be invalid. From Grafana's point of view, if the status of the token is not "active", then such operations should fail and the user should be logged out.

Who is this feature for?

All users using OAuth with Grafana

I am currently working on this enhancement (Generic OAuth for now) and if the community believes that this is a useful addition, I would be happy to raise a PR for the same.
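What the proposed per-request check looks like, as an added example that is not Grafana's code or the issue author's: an RFC 7662 introspection call that treats anything other than a 200 reply with `"active": true` as "not active", so a session signed out at the authorization server is rejected on the next request. The client id, secret, token strings and the stand-in authorization server are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenActive asks the introspection endpoint (RFC 7662 section 2.1) whether an access token is
// still active, authenticating as the OAuth client via HTTP Basic. It fails closed: a transport
// error, a non-200 status or an unparseable body is returned as an error, never as "active".
func TokenActive(c *http.Client, endpoint, clientID, clientSecret, token string) (bool, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var reply struct{ Active bool `json:"active"` }
	if err := json.NewDecoder(resp.Body).Decode(&reply); err != nil {
		return false, err
	}
	return reply.Active, nil
}

func main() {
	// Constructed stand-in for the authorization server: only "tok-live" is still signed in there.
	// A real server also authenticates the client (the Basic credentials) before answering.
	live := map[string]bool{"tok-live": true}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RFC 7662 section 2.2: unknown or revoked tokens get active=false with HTTP 200.
		json.NewEncoder(w).Encode(map[string]bool{"active": live[r.FormValue("token")]})
	}))
	defer srv.Close()
	fmt.Println(TokenActive(srv.Client(), srv.URL, "grafana", "s3cret", "tok-live"))    // true <nil>
	fmt.Println(TokenActive(srv.Client(), srv.URL, "grafana", "s3cret", "tok-revoked")) // false <nil>
}
```

Calling this on every request is the overhead concern raised below; a short-lived cache of the answer per token bounds the extra round trips while keeping the revocation delay small.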

@wasim-nihal
Contributor Author

@mgyongyosi, can you please share your thoughts on this and let me know if it's okay to open a PR for the same?

@kalleep
Contributor

kalleep commented Jun 5, 2024

Hey, so the idea would be to call token introspect endpoint for every request to make sure that the access token is still valid when a user has authenticated through oauth and if this is enabled?

If this is the case, I am a bit concerned about the overhead this would add, and we already have a way to facilitate the desired behavior using refresh tokens. Instead of calling token introspection for access tokens, we will try to refresh access tokens once they have expired. If the refresh fails due to e.g. revocation, the user will be signed out. For generic oauth you can read more here: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-a-refresh-token

Btw, ignore the note that says this requires a feature toggle. This is no longer true and I have made a PR to fix that part.

@wasim-nihal
Contributor Author

Hi @kalleep, thanks for the suggestion! I did try out the above method using refresh tokens. But one limitation I see with this is that when the token expiry duration is somewhat longer, then the user will still have access to perform operations in Grafana (even though the session is closed from the auth server).

@kalleep
Contributor

kalleep commented Jun 7, 2024

Yes, that is the point of JWT: to be able to authenticate without the need to reach out to the service that created the token, and with that there are some downsides, i.e. not being able to immediately revoke tokens when a session gets closed.

You could always tweak the expiration for your access tokens to an acceptable level.
