Grafana® OAuth configuration and security considerations
Grafana® version 9.5.5 introduced significant changes to the OAuth email
lookup behavior to enhance security. However, some users may need to
revert to the previous behavior as seen in Grafana 9.5.3. This section
provides information on how to revert to the 9.5.3 behavior using the
oauth_allow_insecure_email_lookup configuration option, its
implications, and the associated security threats.
Security considerations
Before reverting to the previous behavior of Grafana version 9.5.3, it is important to consider the security risks involved.
Authentication bypass vulnerability
By enabling the oauth_allow_insecure_email_lookup configuration
option, the system becomes susceptible to a critical authentication
bypass vulnerability using Azure AD OAuth. This vulnerability is
officially identified as CVE-2023-3128 and could potentially grant
attackers access to sensitive information or unauthorized actions. For
more information, refer to the following links:
Configuring OAuth email lookup
To revert to the OAuth email lookup behavior of Grafana version 9.5.3,
you can use the oauth_allow_insecure_email_lookup configuration
option.
Enable configuration
To enable this configuration, include the following line in your Grafana configuration file:
[auth]
oauth_allow_insecure_email_lookup = true
This will restore the behavior to that of Grafana version 9.5.3. However, please be aware of the potential security risks if you choose to do so.
Upgrade to Grafana 9.5.5
In Grafana 9.5.5, the insecure email lookup behavior has been removed to mitigate the security threat. We recommend upgrading to this version to ensure the security of your system.
Additional resources
For more information on configuring authentication in Grafana, refer to the official Grafana documentation.