Backend plugins that authenticate users to their data store need OAuth2 token propagated
billoley opened this issue · comments
What would you like to be added:
Request: If configured to do so, pass the oauth token to the backend datasource code.
Why is this needed:
Datasources that authenticate users to their data store need access to the identity of the Grafana user.
(Timely = https://github.com/NationalSecurityAgency/timely)
Currently, we are using a front-end app that authenticates the user and authenticates them to Grafana using AuthProxy. After that, the datasource requests come from the browser and use PKI client certificates to authenticate to the backend data store.
Now that we are implementing a backend datasource (to use the alerting feature), we are looking into using OAuth2 with a custom OAuth2 provider (i.e. generic for Grafana config purposes) for authenticating to Grafana and to Timely (the data store).
While backend-proxied datasources have the capability of forwarding the oauth token (oauthPassThru), this capability does not exist for backend datasource plugins. Currently only the context and request are passed across the RPC wire.