AzureMiddleware and AzureTokenProvider are implemented in a way that tokens being kept in cache until their expiration time regardless whether the token is still accepted or not.

In cases when resource endpoint starts rejecting a token and returns 401, the middleware should invalidate the token and subsequent request should trigger token refresh.

Could be implemented here.

Currently we support only three known clouds: Public, China and US Gov.
To support custom cloud configurations (e.g. Azure Stack), we need a way to pass cloud metadata parse it into collection of available clouds.

az cloud list

Add metrics to measure performance for different authentication types (cache hits, token request times etc.).

Similar to how Managed Identity (MSI) authentication uses a token endpoint to request access tokens in the scope of the Grafana instance, a custom configurable token endpoint can be used to request access tokens in the scope of the currently signed in user.

This would allow user identity authentication scenarios where Grafana envrironment configured accordingly.

Add support for parametrization into the Azure authentication middleware to support custom token providers which are not directly implemented in the SDK.

For example, to avoid confusion with https://github.com/Azure/azure-sdk-for-go

Design discussion:

• grafana/grafana#61016

ADX currently implements this authentication method outside of the SDK (see here and here).

This feature has been experimental for some time but there's no reason for this anymore. Additionally, it may be the case that other data sources need to support it in the future so standardising the implementation would be useful.

azsettings.AzureSettings is a struct which keeps the Azure environment configuration.
Currently it's responsibility of a plugin to fill up and supply this struct.

We need to implement a shared reusable reader of azsettings.AzureSettings which could be used by all Azure plugins.

What happened:

At the moment, Grafana fully rely on Environment Variables or grafana.ini for Workload Identity.

What you expected to happen:

I would like to use the same Workload Identity source (token file) in multiple datasource against different Tenant ID. I have multiple Tenants which different Client that trust the OIDC issuer for my AKS cluster. But this requires different Client ID and Tenant ID per datasource settings.

Like the Client ID for Managed Identity, which is also configurable per datasource.

After changing the default database for an ADX data source, new panels still use the first default database.

Update the SDK to support a service principal credential when using user-authentication methods. This will allow us to support backend functionality via the service principal credentials which will always be present.

Design discussion:

• grafana/grafana#61016

Currently the ID token expiry isn't validated when using user-auth. This leads to unauthorised errors. The ID token expiry should be validated and refreshed if expired.

Allow the builder to appropriately build credentials for user-auth.

Design discussion:

• grafana/grafana#61016

Extend the Grafana Azure SDK to support Azure credentials with client certificates.

azsettings.AzureSettings already contain information about the current Azure cloud, adding Azure region would be also definitional for authorization and datasources.

Related:

• #24

Design discussion:

• grafana/grafana#61016