update docs

conf/defaults.ini

@@ -374,12 +374,11 @@ headers =
 [auth.jwt]
 # See documentation for more details: http://docs.grafana.org/auth/jwt/
 enabled = false
-header = 
-cookie = 
-signing_key = 
-audience = 
-issuer = 
-login_claim =  
+header =
+verification =
+verification_ttl =
+expect_claims =
+login_claim =
 email_claim = email
 auto_signup = true
 

docs/sources/auth/jwt.md

@@ -17,12 +17,13 @@ JSON Web Tokens are an open, industry standard RFC 7519 method for representing
 Grafana can use JWT tokens for authentication
 
 
+
 ```bash
 [auth.jwt]
 enabled = false
 header = X-Your-JWT-Header
 
-# Signing key locator.  This config value can be either:
+# Verification key locator.  This config value can be either:
 # 1. URL: ie https://www.gstatic.com/iap/verify/public_key-jwk
 # 2. File: ie /var/lib/grafana/yourkeyfile
 # 3. String: directly set the key
@@ -31,13 +32,14 @@ header = X-Your-JWT-Header
 # 2. RSA Public Key PEM
 # 3. Base64 encoded bytes
 # 4. raw key bytes
-signing_key = {url | path to file | string}
+verification = {url | path to file | string}
 
-# if set, verify a matching 'aud' claim
-audience =
+# Time before reloading the verification file.
+# https://golang.org/pkg/time/#ParseDuration
+verification_ttl = 6h
 
-# if set, verify a matching 'iss' claim
-issuer =
+# Claims that need to match the header.  JSON or key:value
+expect_claims =
 
 # Check for the login name at this claim
 login_claim =
@@ -53,13 +55,13 @@ auto_signup = true
 
 ### Firebase
 
-
 ```bash
 [auth.jwt]
 enabled = true
 header = X-Your-JWT-Header
-signing_key = https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
-issuer = https://securetoken.google.com/{your project}
+verification = https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
+verification_ttl = 6h
+expect_claims = iss:https://securetoken.google.com/{your_project}
 email_claim = email
 auto_signup = true
 ```
@@ -73,11 +75,12 @@ See https://cloud.google.com/iap/docs/signed-headers-howto for more details.
 [auth.jwt]
 enabled = true
 header = X-Goog-Authenticated-User-JWT
-signing_key = https://www.gstatic.com/iap/verify/public_key-jwk
-audience = /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID
-issuer = https://cloud.google.com/iap
+verification = https://www.gstatic.com/iap/verify/public_key-jwk
+verification_ttl = 6h
+expect_claims = {\
+  "aud": "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID", \
+  "iss": "https://cloud.google.com/iap" }
 email_claim = email
 auto_signup = true
 ```
 
-/!\ NOTE: The JWK key format is not yet supported

pkg/middleware/auth_jwt_test.go

@@ -114,16 +114,17 @@ func TestAuthJWT(t *testing.T) {
 
 		// Check Firebase Support
 		Convey("Should fail to parse invalid key sets", func() {
-			setting.AuthJwtSigningKey = "NOT A KEY"
+			setting.AuthJwtVerification = "NOT A KEY"
 			InitAuthJwtKey()
 			So(decoder.CheckReady(), ShouldBeFalse)
 		})
 
 		// Check Firebase Support
 		Convey("Should parse firebase tokens", func() {
 
-			setting.AuthJwtSigningKey = pwd + "/jwt_test_data.firebase.json" //https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
-			setting.AuthJwtIssuer = "https://securetoken.google.com/safetronx"
+			setting.AuthJwtVerification = pwd + "/jwt_test_data.firebase.json" //https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+			setting.AuthJwtExpectClaims = make(map[string]string)
+			setting.AuthJwtExpectClaims["iss"] = "https://securetoken.google.com/safetronx"
 			InitAuthJwtKey()
 			So(decoder.CheckReady(), ShouldBeTrue)
 
@@ -147,8 +148,8 @@ func TestAuthJWT(t *testing.T) {
 
 		// Check Google JWK/IAP Support
 		Convey("Should parse JWK tokens", func() {
-			setting.AuthJwtSigningKey = "https://www.gstatic.com/iap/verify/public_key-jwk"
-			setting.AuthJwtIssuer = ""
+			setting.AuthJwtVerification = "https://www.gstatic.com/iap/verify/public_key-jwk"
+			setting.AuthJwtExpectClaims = nil
 			InitAuthJwtKey()
 
 			fmt.Printf("AFTER %v\n", decoder)

pkg/setting/setting.go

@@ -5,6 +5,7 @@ package setting
 
 import (
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -514,9 +515,18 @@ func pathExists(path string) bool {
 	return false
 }
 
-// Converts a string like: "a:A b:B" > { a:A, b:B }
 func toMap(text string) map[string]string {
 	vals := make(map[string]string)
+
+	// Try parsing JSON
+	if strings.HasPrefix("{", text) {
+		err := json.Unmarshal([]byte(text), &vals)
+		if err != nil {
+			return vals
+		}
+	}
+
+	// Otherwise key:value key2:value2
 	for _, propertyAndHeader := range util.SplitString(text) {
 		split := strings.SplitN(propertyAndHeader, ":", 2)
 		if len(split) == 2 {