Implement authentication as GitHub App

Open cliffchapmanrbx opened this issue 5 years ago • 11 comments

Hi all,

Related to #75, we'd very much appreciate it if this plugin implemented GitHub App style authentication rather than using a PAT associated with an existing account.

Enterprise accounts are billed on a per-user basis, and 'machine users' count towards this accounting. This is exacerbated by the need to have separate accounts for separate teams' private repositories that can't have shared accounts in them for security compliance. This can make integration cost-prohibitive.

The primary effort here is to set up the handshake to generate an installation PAT, at which point it acts like a user PAT save that it only lasts for an hour. We've had success converting several of our internal apps to use the App communication.

cliffchapmanrbx, Oct 13 '20 22:10

I agree.

To do this properly I'm waiting on this Grafana PR to be merged: https://github.com/grafana/grafana/pull/27055.

I tried to allow this plugin to be an OAuth2 client, and while it's possible, I didn't want to have a significant setup burden for installing this plugin. You would have to create a new GitHub app or a new OAuth 2.0 app for the plugin, and link directly to the callback URL in the plugin.

Here's what an example callback URL would look like: http://localhost:3000/api/datasources/2638/resources/oauth/auth. The problem that I encountered was that the public URL of the Grafana instance was not exposed to the datasource, nor was the datasource ID needed for the URL (2638 in the above example), so I couldn't easily generate a callback URL that users could paste into the setup page for an OAuth / GitHub app.

Once I got to that point, I found the above PR and I decided it wasn't worth it. If there's demand for it though, I could go back and re-implement this, and allow users to type in their Grafana public URL and datasource ID into the settings to generate a callback URL. I just felt like this was too cumbersome and would create a lot of support requests / confusion.

kminehart, Oct 14 '20 15:10

OAuth2 may satisfy our needs allowing individuals to configure the application themselves. The advantage of a full GitHub App is that we can grant that application different permissions than the individual users of the Grafana server, for instance, installing the GitHub App into repos they may not have access to otherwise. We've used this for some specific build scenarios using the Jenkins GitHub App to great effect.

Additionally, a GitHub App has the advantage of enabling PAT-based API access as well as OAuth2-based API access; a GitHub App is a mashup of both an OAuth 2 app and a 'machine user'. Just with a more complicated authentication handshake 😊

Based on how we've set up other GitHub Apps, I'd fully expect just a guide on how to manually set up an app, the scopes required, and dropping the generated private key into my Grafana configuration, likely as a config file entry so we can populate it automatically via Vault with our setup.

cliffchapmanrbx, Oct 14 '20 19:10

GitHub App Authentication does not use standard/generic JWT payloads (for example expires_in vs. expires_at, etc.). That's why I created https://github.com/beatlabs/github-auth. The above package returns an authenticated HTTP Client which gets refreshed tokens automatically.

The plugin will have 3 new settings:

  • AppID
  • InstallationID
  • PrivateKey file

The user will configure the above manually through the UI or with datasource provisioning.

This way the plugin will handle the authentication internally and will not depend on Grafana to do the authentication during request proxy, etc., and the Grafana codebase will not include an exception for handling GitHub OAuth2. I'll open a PR to add the app auth support as described above (we have users in the company asking for this datasource and the authentication is a blocker for us). Let me know if you have any suggestions or comments; it's really appreciated.

siavashs, Feb 28 '22 17:02
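
The handshake discussed in this thread, as an added Go example (not code from the plugin, from beatlabs/github-auth, or from any commenter): it signs the App JWT from an AppID and private key, names the endpoint that exchanges it for a token scoped to one InstallationID, and decides when to refresh from the response's `expires_at`. The throwaway key, the IDs 12345 and 67890, and all function and type names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key; a real app loads its PEM file

// AppJWT signs the short-lived RS256 JWT with which a GitHub App identifies itself.
func AppJWT(appID int64, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	claims, _ := json.Marshal(map[string]int64{ // a map of integers always marshals
		"iss": appID,
		"iat": now.Add(-time.Minute).Unix(),    // backdated to absorb clock drift
		"exp": now.Add(9 * time.Minute).Unix(), // GitHub caps the lifetime at 10 minutes
	})
	input := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(claims)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// TokenURL is where the JWT is POSTed (as a Bearer token) to obtain an installation token.
func TokenURL(installationID int64) string {
	return fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID)
}

type InstallationToken struct {
	Token     string    `json:"token"`
	ExpiresAt time.Time `json:"expires_at"` // absolute expiry, not a relative expires_in
}

// NeedsRefresh reports whether the token is within skew of expiring.
func (t InstallationToken) NeedsRefresh(now time.Time, skew time.Duration) bool {
	return !now.Before(t.ExpiresAt.Add(-skew))
}

func main() {
	jwt, err := AppJWT(12345, demoKey, time.Now()) // 12345 and 67890 are constructed IDs
	fmt.Println("POST", TokenURL(67890), "jwt bytes:", len(jwt), err)
}
```

Because the installation token expires after about an hour, a client re-signs a fresh JWT and repeats the exchange whenever `NeedsRefresh` returns true, so the private key is the only long-lived secret to protect.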

Any progress on this? The PAT method is a bit of a show stopper as it gives access to all organisations of that user.

NickLarsenNZ, Apr 22 '22 12:04

> To do this properly I'm waiting on this Grafana PR to be merged: https://github.com/grafana/grafana/pull/27055.

@kminehart, https://github.com/grafana/grafana/pull/27055 is merged and https://github.com/grafana/grafana/issues/26023 is closed, so it should be possible, right?

NickLarsenNZ, Aug 31 '22 22:08

My team will also appreciate this.

hemi-reslife, Nov 10 '22 01:11

Grafana 9.2 is out and I believe this is all supported now.

NickLarsenNZ, Nov 24 '22 12:11

I don't believe the Forward OAuth Identity feature is a solution to this. I think you can try but I doubt it will succeed, as it's been in Grafana since 7.2.

kminehart, Nov 24 '22 14:11

I'd also very much appreciate this. My use-case: I want to use a GitHub App that has read-only access to multiple orgs in Grafana.

galargh, Dec 12 '22 13:12

Hi team, any update on this issue?

yahel2410, Mar 07 '24 16:03

Hi @yahel2410, sorry this is not prioritized.

zoltanbedi, Mar 11 '24 14:03

GitHub App authentication has been implemented as part of the 1.9.0 release! You can check out the setup instructions and more details in the documentation here.

Thanks for your patience, and feel free to reach out if you have any questions!

itsgareth, Sep 28 '24 15:09