Configure refresh token handling separately for OAuth providers
With Grafana v9.3, we introduced a feature toggle called `accessTokenExpirationCheck`. It improves the security of Grafana by checking the expiration of the access token and automatically refreshing an expired access token when a user is logged in using one of the OAuth providers.
With the current release, we've introduced a new configuration option for each OAuth provider called `use_refresh_token`, which lets you configure whether that particular OAuth integration should use refresh tokens to automatically refresh access tokens when they expire. To further improve security and provide secure defaults, `use_refresh_token` is enabled by default for providers that support either automatic token refresh or client-controlled fetching of refresh tokens. It's enabled by default for the following OAuth providers: AzureAD, GitLab, Google.
For more information on how to set up refresh token handling, please refer to the documentation of the particular OAuth provider.
Note: The `use_refresh_token` configuration must be used in conjunction with the `accessTokenExpirationCheck` feature toggle. If you disable the `accessTokenExpirationCheck` feature toggle, Grafana won't check the expiration of the access token and won't automatically refresh the expired access token, even if `use_refresh_token` is set to `true`.
The `accessTokenExpirationCheck` feature toggle will be removed in Grafana v10.3.
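As an added example (not part of this release note or the Grafana documentation), the following `grafana.ini` fragment shows the two settings that have to be paired: the feature toggle in `[feature_toggles]` and the per-provider `use_refresh_token` option. The client ID, client secret and `allowed_domains` values are placeholders.

```ini
# Added example: pairing the feature toggle with the per-provider option.
# Client IDs, secrets and the domain below are placeholders.

[feature_toggles]
# Required for use_refresh_token to have any effect. Without it Grafana
# neither checks access-token expiry nor refreshes expired tokens.
enable = accessTokenExpirationCheck

[auth.google]
enabled = true
client_id = YOUR_GOOGLE_CLIENT_ID
client_secret = YOUR_GOOGLE_CLIENT_SECRET
allowed_domains = example.com
# Already the default for Google, GitLab and AzureAD; shown explicitly here.
use_refresh_token = true

[auth.gitlab]
enabled = true
client_id = YOUR_GITLAB_APPLICATION_ID
client_secret = YOUR_GITLAB_SECRET
# Opting out for a single provider: Grafana still checks expiry for GitLab
# sessions but will not use a refresh token to extend them.
use_refresh_token = false
```

Restart Grafana after changing either section. If you only set `use_refresh_token = true` and leave the feature toggle disabled, the option is silently inert, which is the misconfiguration the note above warns about.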