Grafana SSO broken
In the release candidate of 2.11, SSO does not work in Grafana: when clicking "Sign in with Stackspin" you get the error "user sync failed". The Grafana logs say:
logger=user.sync t=... level=error msg="Failed to create user" error="user already exists" auth_module=oauth_generic_oauth auth_id=...
logger=authn.service t=... level=warn msg="Failed to run post auth hook" client=auth.client.generic_oauth id= error="[user.sync.internal] unable to create user"
This seems to be a known issue due to Grafana being stricter about which fields it uses as ID in the case of external authentication providers.
Actually this is just wrong configuration on our part, because we tell Grafana to use the preferred_username from OIDC as login ID, which is a plainly bad choice. It should be easy enough to change it to use the kratos ID instead. That does mean that Grafana will create new internal accounts for all users. I think that's okay, but in theory there could be accounts with personal settings or dashboards, so we'd have to at least mark this in the release notes. I don't think this warrants writing a migration script like we did for HedgeDoc, where we had exactly the same problem, but there the user-specific data is essential.
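The failure and the proposed fix described above, as an added example that is not part of the original issue and is not Grafana's code: a simplified model of a user sync that reproduces the "user already exists" error when the login is taken from preferred_username, and the new account that results when it is taken from a stable ID. The `UserStore` and `sync` names, the `strict` flag and the assumption that the `sub` claim carries the kratos ID are all hypothetical.

```python
"""Simplified model of an OAuth user sync (constructed; not Grafana's code)."""
from dataclasses import dataclass, field


class UserAlreadyExists(Exception):
    pass


@dataclass
class UserStore:
    by_login: dict = field(default_factory=dict)    # login -> internal user id
    by_auth_id: dict = field(default_factory=dict)  # external subject -> internal user id
    next_id: int = 1

    def create(self, login, auth_id=None):
        if login in self.by_login:
            raise UserAlreadyExists(login)
        uid, self.next_id = self.next_id, self.next_id + 1
        self.by_login[login] = uid
        if auth_id is not None:
            self.by_auth_id[auth_id] = uid
        return uid


def sync(store, claims, login_claim, strict):
    """Return the internal user id for an OIDC login, creating one if needed."""
    # Assumption: "sub" is the stable external ID (here standing in for the kratos ID).
    auth_id, login = claims["sub"], claims[login_claim]
    if auth_id in store.by_auth_id:          # stable external ID already linked
        return store.by_auth_id[auth_id]
    if not strict and login in store.by_login:
        # Lenient fallback: whoever presents this login is bound to the account.
        store.by_auth_id[auth_id] = store.by_login[login]
        return store.by_login[login]
    return store.create(login, auth_id)      # strict: never adopt an account by login


def demo():
    # Constructed data: an account created before the upgrade, keyed by username only.
    store = UserStore()
    old = store.create("alice")
    claims = {"sub": "kratos-id-0001", "preferred_username": "alice"}
    try:
        sync(store, claims, "preferred_username", strict=True)
        outcome = "ok"
    except UserAlreadyExists:
        outcome = "user already exists"
    fresh = sync(store, claims, "sub", strict=True)  # login taken from the stable ID
    return old, outcome, fresh
```

With `strict=False` the same model binds any subject that presents a matching username to the existing account, which is why a mutable, reassignable claim is a poor account key.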