I’m trying to get Forward OAuth identity to work in order to authenticate people against data sources, using Azure AD as an identity provider. As a part of this I would like to use groups from Azure AD to restrict access to data sources that may contain sensitive information.
Enabling the option works well enough: each request to the data source contains an `Authorization: Bearer eyJ...` header, which is expected, I suppose. However, this token has the content `"aud": "00000003-0000-0000-c000-000000000000"`, which apparently is a common “UUID” for Microsoft Graph, and importantly does not contain the groups claim.
There is also another header, `X-Id-Token`, that’s being sent to the backend. This has the `aud` key set to the Client-ID of Grafana, as well as a `groups` key with all the user’s groups included.
My thinking is that I should be able to configure the backend to accept JWT authentication, accepting JWTs that are issued to Grafana, are issued by the correct Azure AD issuer, and contain authorised group UUIDs. It seems that the `X-Id-Token` would be perfect for this, but I can’t see any way to get this sent as the `Authorization: Bearer ...` header.
The Azure AD integration is set up as per: Configure Azure AD OAuth2 authentication | Grafana documentation
The configuration for authentication looks like this in Grafana:

```ini
[auth.azuread]
enabled = true
allow_sign_up = true
allowed_domains = example.com
client_id = <client-id>
name = Azure AD
scopes = openid email profile offline_access
auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
```
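The claim checks the post describes for the `X-Id-Token` (issued by the tenant, issued to Grafana's client id, not expired, carrying an authorised group), as an added example that is not part of the original post or of Grafana; the client id, tenant id and group id are constructed placeholders, and signature verification against the tenant's JWKS is assumed to happen before these checks, since this snippet only parses the payload.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed placeholder values; substitute the real Grafana client id,
# tenant id and group object ids from your own Azure AD configuration.
GRAFANA_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
AUTHORISED_GROUPS = {"99999999-8888-7777-6666-555555555555"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Extract the payload of a compact JWT. The signature is not checked here;
    verify it against the tenant's JWKS before acting on the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))


def authorise(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept only tokens issued by our tenant, to Grafana, still valid,
    and carrying at least one authorised group object id."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if GRAFANA_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued to Grafana"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if not set(claims.get("groups", [])) & AUTHORISED_GROUPS:
        return False, "no authorised group"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned (alg=none) token purely so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."
```

The Graph-audience bearer token from the post would be rejected at the audience check, which is exactly why only the `X-Id-Token` is usable for this purpose.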