I understand that it’s currently not possible to set OrgId of new users based on OAuth attributes (SSO and how to set OrgID and Roles). I’m interested in having a go at implementing this functionality, as it’s important for us. I poked around the code a little bit and at first glance it doesn’t look too fiendish an undertaking (basically just making sure the right attribute is passed on to the user creation function?), but maybe there’s more to it that I’m missing.
Would anyone be able to give any pointers on this? Are there fundamental reasons why it would actually be difficult to do? Any gotchas I should be aware of before I dive in?
The main challenge here is how to make it generic:
1.) There is no option to configure a custom attribute (Grafana Org ID) in some identity providers (IdPs) - for example Google, GitHub, … You can do it if you have your own IdP (Keycloak, …).
2.) In theory, the Grafana Org ID attribute can also be an array/list. So which ID should be used in this case? What if there is more than one, or zero, valid Grafana org IDs?
IMHO the easiest hack will be implementing the Grafana Org ID from a header in the Grafana auth proxy. An auth proxy (for example keycloak/keycloak-gatekeeper) in front of Grafana will do the auth and provide the username/Grafana Org ID in headers to Grafana.
Just keep in mind that the group can be reconfigured in the IdP at any time, so this is not the best idea.
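An added example (not code from Grafana or from anyone in this thread) of how a resolver could handle the scalar-vs-list case raised in point 2, assuming the org claim has already been extracted from the IdP response and the set of valid Grafana org IDs is known to the caller:

```python
from typing import Iterable, List, Set, Union

# Constructed example: an OAuth/OIDC claim carrying the Grafana org
# assignment may arrive as a scalar or as a list (point 2 above).
Claim = Union[None, int, str, Iterable[Union[int, str]]]


class AmbiguousOrgError(ValueError):
    """Raised when the claim names more than one valid Grafana org."""


def resolve_org_id(claim: Claim, known_org_ids: Set[int], default_org_id: int = 1) -> int:
    """Pick the Grafana OrgId for a new user from an IdP attribute.

    - scalar or single-element list naming a known org -> that org
    - empty/missing claim, or only unknown org IDs      -> default_org_id
    - more than one known org ID                         -> AmbiguousOrgError
    Unknown IDs are dropped rather than trusted, because the attribute is
    controlled by whoever administers the IdP, not by Grafana.
    """
    if claim is None:
        return default_org_id
    if isinstance(claim, (int, str)):
        values = [claim]
    else:
        values = list(claim)

    valid: List[int] = []
    for v in values:
        try:
            org = int(str(v).strip())
        except ValueError:
            continue  # non-numeric entry (e.g. a group name); ignore it
        if org in known_org_ids and org not in valid:
            valid.append(org)

    if not valid:
        return default_org_id
    if len(valid) > 1:
        # Refuse to guess: silently picking one org would be a policy decision.
        raise AmbiguousOrgError(f"claim names several orgs: {valid}")
    return valid[0]
```

A caller that wants to fall back to the default org on ambiguity instead of failing login can catch `AmbiguousOrgError` and log the claim for review.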
Thanks for the input @jangaraj! What you’re saying about it being tricky to make it generic makes a lot of sense - and I can see why nothing to this effect has yet been implemented in the “stock” codebase.
In our case we do have a custom OAuth endpoint where we can tweak the attributes that are passed, and also we’ll only have a single org assignment passed by OAuth, so that should make things relatively controlled. But yes, it looks like it’ll end up being a bit of a local hack job rather than something that can actually be deployed more broadly.