Chore: Adding "allowed_groups" Configuration Parameter to Generic OAuth Method (#69025)

* feat: add allowed_groups for Generic OAuth

* docs: add allowed_groups more docs for Generic OAuth

conf/defaults.ini

@@ -736,6 +736,7 @@ token_url =
 api_url =
 teams_url =
 allowed_domains =
+allowed_groups =
 team_ids =
 allowed_organizations =
 tls_skip_verify_insecure = false

docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md

@@ -45,6 +45,7 @@ auth_url =
 token_url =
 api_url =
 allowed_domains = mycompany.com mycompany.org
+allowed_groups = ["Admins", "Software Engineers"]
 tls_skip_verify_insecure = false
 tls_client_cert =
 tls_client_key =
@@ -85,6 +86,8 @@ Similarly, group mappings are made using [JMESPath](http://jmespath.org/examples
 
 Furthermore, Grafana will check for the presence of at least one of the teams specified via the `team_ids` configuration option using the [JMESPath](http://jmespath.org/examples.html) specified via the `team_ids_attribute_path` configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the Teams endpoint specified via the `teams_url` configuration option (using `/teams` as a fallback endpoint). The result should be a string array of Grafana Team IDs. Using this setting ensures that only certain teams is allowed to authenticate to Grafana using your OAuth provider.
 
+You can limit access to only members of a given group or list of groups by setting the `allowed_groups` option.
+
 ### Login
 
 Customize user login using `login_attribute_path` configuration option. Order of operations is as follows:

pkg/login/social/generic_oauth.go

@@ -31,6 +31,23 @@ type SocialGenericOAuth struct {
 	idTokenAttributeName string
 	teamIdsAttributePath string
 	teamIds              []string
+	allowedGroups        []string
+}
+
+func (s *SocialGenericOAuth) IsGroupMember(groups []string) bool {
+	if len(s.allowedGroups) == 0 {
+		return true
+	}
+
+	for _, allowedGroup := range s.allowedGroups {
+		for _, group := range groups {
+			if group == allowedGroup {
+				return true
+			}
+		}
+	}
+
+	return false
 }
 
 func (s *SocialGenericOAuth) IsTeamMember(client *http.Client) bool {
@@ -182,6 +199,10 @@ func (s *SocialGenericOAuth) UserInfo(client *http.Client, token *oauth2.Token)
 		return nil, errors.New("user not a member of one of the required organizations")
 	}
 
+	if !s.IsGroupMember(userInfo.Groups) {
+		return nil, errMissingGroupMembership
+	}
+
 	s.log.Debug("User info result", "result", userInfo)
 	return userInfo, nil
 }

pkg/login/social/social.go

@@ -214,6 +214,7 @@ func ProvideService(cfg *setting.Cfg,
 				teamIdsAttributePath: sec.Key("team_ids_attribute_path").String(),
 				teamIds:              sec.Key("team_ids").Strings(","),
 				allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),
+				allowedGroups:        util.SplitString(sec.Key("allowed_groups").String()),
 			}
 		}