Commit

Merge pull request #686 from percona-platform/pmm-2.39.0
[v9.2.x] Add and document option for enabling email lookup (grafana#918) (#677)
BupycHuk authored Sep 6, 2023
2 parents 493e60d + 509b8ff commit af0add9
Showing 3 changed files with 24 additions and 1 deletion.
3 changes: 3 additions & 0 deletions conf/defaults.ini
Expand Up @@ -455,6 +455,9 @@ sigv4_verbose_logging = false
# Set to true to enable Azure authentication option for HTTP-based datasources
azure_auth_enabled = false

# Use email lookup in addition to the unique ID provided by the IdP
oauth_allow_insecure_email_lookup = false

#################################### Anonymous Auth ######################
[auth.anonymous]
# enable anonymous access
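
Review bot: The comment above `oauth_allow_insecure_email_lookup = false` says what the option does but not why its name calls it insecure, and defaults.ini is where many operators first meet a setting. Suggest a second comment line stating that enabling it is not recommended and pointing to the "Enable email lookup" section of the docs, which lists the conditions under which email lookup is acceptable.
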
5 changes: 4 additions & 1 deletion conf/sample.ini
Expand Up @@ -225,7 +225,7 @@
;google_analytics_ua_id =

# Google Analytics 4 tracking code, only enabled if you specify an id here
;google_analytics_4_id =
;google_analytics_4_id =

# Google Tag Manager ID, only enabled if you specify an id here
;google_tag_manager_id =
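
Review bot: The only change in this hunk is to `;google_analytics_4_id =`, where the removed and added lines read identically, so it looks like a whitespace-only edit unrelated to the email lookup option. Drop it from this commit or move it to a separate cleanup change so the diff to conf/sample.ini is limited to the new setting.
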
Expand Down Expand Up @@ -455,6 +455,9 @@
# Set to true to enable Azure authentication option for HTTP-based datasources.
;azure_auth_enabled = false

# Use email lookup in addition to the unique ID provided by the IdP
;oauth_allow_insecure_email_lookup = false

#################################### Anonymous Auth ######################
[auth.anonymous]
# enable anonymous access
Expand Up @@ -72,6 +72,9 @@ token_rotation_interval_minutes = 10

# The maximum lifetime (seconds) an API key can be used. If it is set all the API keys should have limited lifetime that is lower than this value.
api_key_max_seconds_to_live = -1

# Enforce user lookup based on email instead of the unique ID provided by the IdP.
oauth_allow_insecure_email_lookup = false
```

### Anonymous authentication
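
Review bot: The comment on `oauth_allow_insecure_email_lookup` in this configuration listing says user lookup is enforced by email "instead of" the unique ID, while the comments added to conf/defaults.ini and conf/sample.ini in this same commit say email lookup is used "in addition to" the unique ID. Those are different behaviours from a reader's point of view, and "enforce" suggests the ID is ignored. Use one wording in all three places, matching what the option actually does.
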
Expand Down Expand Up @@ -114,6 +117,20 @@ You can hide the Grafana login form using the below configuration settings.
disable_login_form = true
```

### Enable email lookup

Enable user lookup based on email in addition to using unique ID provided by IdPs.

By default, Grafana relies on the user unique ID provided by the identity provider.
Looking up users by email can be safe for some identity providers (for example, when they are single tenants and unique non-editable, validated emails are provided), as well as in some infrastructures.

We strongly recommend against enabling email lookups, however it is possible to do with the following configuration.

```bash
[auth]
oauth_allow_insecure_email_lookup = true
```

### Automatic OAuth login

Set to true to attempt login with OAuth automatically, skipping the login screen.
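
Review bot: The new "Enable email lookup" section says when email lookup can be safe and that it is strongly discouraged, but it never states what goes wrong otherwise, so a reader cannot judge whether their IdP qualifies. Suggest one sentence spelling out the consequence implied by the listed conditions: if the IdP lets a user set an email that is editable, not validated or not unique, a login can be matched to a different existing Grafana user with that email. Minor: the example block is fenced as `bash` although its content is INI (`[auth]` followed by `oauth_allow_insecure_email_lookup = true`); tag it accordingly unless the surrounding docs use `bash` for all configuration blocks.
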

0 comments on commit af0add9