Configure refresh token handling separately for OAuth providers

With Grafana v9.3, we introduced a feature toggle called accessTokenExpirationCheck. It improves the security of Grafana by checking the expiration of the access token and automatically refreshing the expired access token when a user is logged in using one of the OAuth providers.

With the current release, we’ve introduced a new configuration option for each OAuth provider called use_refresh_token that allows you to configure whether the particular OAuth integration should use refresh tokens to automatically refresh access tokens when they expire. In addition, to further improve security and provide secure defaults, use_refresh_token is enabled by default for providers that support either refreshing tokens automatically or client-controlled fetching of refresh tokens. It’s enabled by default for the following OAuth providers: AzureAD, GitLab, Google.

For more information on how to set up refresh token handling, please refer to the documentation of the particular OAuth provider.

Note
The use_refresh_token configuration must be used in conjunction with the accessTokenExpirationCheck feature toggle. If you disable the accessTokenExpirationCheck feature toggle, Grafana won’t check the expiration of the access token and won’t automatically refresh the expired access token, even if the use_refresh_token configuration is set to true.

The accessTokenExpirationCheck feature toggle will be removed in Grafana v10.3.

Feedback

Relevant sources:

Feedback

Configure refresh token handling separately for OAuth providers

Was this page helpful?

Related documentation

Configure refresh token handling separately for OAuth providers

Was this page helpful?

Related documentation

Related resources from Grafana Labs