Usage example of `idForwarding` feature

Hello,

Is there an example on how to use idForwarding feature when working with app plugins? Is it possible to use this signed JWT token to make API requests to Grafana from app plugin? If so, an example snippet would be highly appreciated.

I know that we can use the externalServiceAccount feature to make API requests to Grafana. But we are obliged to set wider scopes when creating such a token, which can lead users to access resources that they are not authorised to via the plugin. Before, the app plugin was forwarding user cookies to make API requests to Grafana, but this commit stopped forwarding cookies to app plugins and so we lost that functionality.

Any help would be appreciated.

Cheers!!
Mahendra

Alright, I figured out how we can use this token to make requests after reading a bit of the Grafana sources. So, we need to enable the JWT auth module on the Grafana server to be able to use this token. The signing key should be obtained from the Grafana API signing-keys endpoint. So, the JWT auth config should be as follows:

[auth.jwt]
enabled = true
# Grafana adds JWT token value to this header before forwarding the request to plugin
header_name = X-Grafana-Id
# Assuming Grafana server is running on localhost:3000
jwk_set_url = http://localhost:3000/api/signing-keys/keys
username_claim = preferred_username
email_claim = email

Is it a correct way to handle the token or am I doing something strange?

Cheers!
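As an added example (not code from the thread or from Grafana), this is how a Go backend plugin could pass the forwarded token on with the config above: it copies the `X-Grafana-Id` header Grafana sets on the incoming plugin request onto the outgoing Grafana API request, refuses to proceed when the header is absent, and decodes the claims only for logging. The header name, the `localhost:3000` URL and the constructed token are assumptions, and the JWT payload decoding deliberately performs no signature check; Grafana does that against the signing keys.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// Header Grafana adds to requests it forwards to the plugin when idForwarding is
// enabled; it must match header_name in the [auth.jwt] config above (assumption).
const idHeader = "X-Grafana-Id"

// ForwardedRequest builds a Grafana API request on behalf of the user who made
// the incoming plugin request, by copying the forwarded ID token into the header
// Grafana's JWT auth reads. A missing token is an error rather than a silent
// fallback, so the plugin never accidentally calls Grafana anonymously or with
// a broader service-account identity.
func ForwardedRequest(in *http.Request, grafanaURL, apiPath string) (*http.Request, error) {
	tok := in.Header.Get(idHeader)
	if tok == "" {
		return nil, errors.New("missing " + idHeader + ": idForwarding is off or the request has no user context")
	}
	out, err := http.NewRequest(http.MethodGet, strings.TrimRight(grafanaURL, "/")+apiPath, nil)
	if err != nil {
		return nil, err
	}
	out.Header.Set(idHeader, tok)
	return out, nil
}

// UnverifiedClaims decodes the JWT payload WITHOUT checking the signature. Use it
// only for logging which user a request belongs to; authorization must rely on
// Grafana verifying the token against /api/signing-keys/keys, never on this.
func UnverifiedClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	claims := map[string]any{}
	return claims, json.Unmarshal(raw, &claims)
}
```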

Hi @mahendrapaipuri we don’t officially support forwarding the JWT tokens out of the box as easily as we do it with data sources. If this way is working for you it should be all right, but it also means your app plugin requires a custom configuration to work in any other Grafana instance.

1 Like

Hello @academo Thanks a lot for the response.

In fact our need was to check for permissions on the Grafana resources for a given user inside the plugin’s handler. Later, I found out there was this very nice rbac app example in the plugin examples which demonstrates how to achieve that.

This simplifies a lot as we can check for permissions on resources using EnforcementClient and then, if the check passes, use the service account token to make requests to Grafana. This way there won't be any privilege escalation risk for the plugin.

Hopefully this can help future readers!!

Cheers

1 Like