ablecloud-team · jschoiRR · Jan 12, 2026 · Jan 12, 2026
diff --git a/pkg/api/admin_users.go b/pkg/api/admin_users.go
diff --git a/pkg/api/api.go b/pkg/api/api.go
@@ -588,9 +588,6 @@ func (hs *HTTPServer) registerRoutes() {
 		adminUserRoute.Post("/:id/logout", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersLogout, userIDScope)), routing.Wrap(hs.AdminLogoutUser))
 		adminUserRoute.Get("/:id/auth-tokens", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersAuthTokenList, userIDScope)), routing.Wrap(hs.AdminGetUserAuthTokens))
 		adminUserRoute.Post("/:id/revoke-auth-token", authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersAuthTokenUpdate, userIDScope)), routing.Wrap(hs.AdminRevokeUserAuthToken))
-
-		adminUserRoute.Post("/:id/oauth", reqGrafanaAdmin, authorizeInOrg(ac.UseGlobalOrg, ac.EvalPermission(ac.ActionUsersPermissionsUpdate, userIDScope)), routing.Wrap(hs.AdminAddUserOAuth))
-
 	}, reqSignedIn)
 
 	// rendering

diff --git a/pkg/api/dtos/user.go b/pkg/api/dtos/user.go
@@ -46,9 +46,3 @@ type UserLookupDTO struct {
 	Login     string `json:"login"`
 	AvatarURL string `json:"avatarUrl"`
 }
-
-type AdminAddUserOAuthForm struct {
-	UserID     int64  `json:"user_id"`
-	AuthModule string `json:"auth_module"`
-	AuthID     string `json:"auth_id"`
-}
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
@@ -1,8 +1,7 @@
 package api
 
 import (
-	// "github.com/grafana/grafana/pkg/apimachinery/errutil"
-
+	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	"github.com/grafana/grafana/pkg/infra/metrics"
 	"github.com/grafana/grafana/pkg/middleware/cookies"
 	"github.com/grafana/grafana/pkg/services/authn"
@@ -22,9 +21,7 @@ func (hs *HTTPServer) OAuthLogin(reqCtx *contextmodel.ReqContext) {
 	if errorParam := reqCtx.Query("error"); errorParam != "" {
 		errorDesc := reqCtx.Query("error_description")
 		hs.log.Error("failed to login ", "error", errorParam, "errorDesc", errorDesc)
-		// hs.redirectWithError(reqCtx, errutil.Unauthorized("oauth.login", errutil.WithPublicMessage(hs.Cfg.OAuthLoginErrorMessage)).Errorf("Login provider denied login request"))
-
-		reqCtx.Redirect("/login?disableAutoLogin=true")
+		hs.redirectWithError(reqCtx, errutil.Unauthorized("oauth.login", errutil.WithPublicMessage(hs.Cfg.OAuthLoginErrorMessage)).Errorf("Login provider denied login request"))
 		return
 	}
 
@@ -48,14 +45,6 @@ func (hs *HTTPServer) OAuthLogin(reqCtx *contextmodel.ReqContext) {
 			cookies.WriteCookie(reqCtx.Resp, OauthPKCECookieName, pkce, hs.Cfg.OAuthCookieMaxAge, hs.CookieOptionsFromCfg)
 		}
 
-		// autoLogin := reqCtx.Query("autologin")
-		// if autoLogin == "true" {
-		// 	if strings.Contains(redirect.URL, "?") {
-		// 		redirect.URL += "&prompt=none"
-		// 	} else {
-		// 		redirect.URL += "?prompt=none"
-		// 	}
-		// }
 		reqCtx.Redirect(redirect.URL)
 		return
 	}

diff --git a/pkg/events/events.go b/pkg/events/events.go
@@ -47,13 +47,6 @@ type UserUpdated struct {
 	Email     string    `json:"email"`
 }
 
-type UserAuthUpdated struct {
-	Timestamp  time.Time `json:"timestamp"`
-	UserID     int64     `json:"user_id"`
-	AuthModule string    `json:"auth_module"`
-	AuthID     string    `json:"auth_id"`
-}
-
 type DataSourceDeleted struct {
 	Timestamp time.Time `json:"timestamp"`
 	Name      string    `json:"name"`

diff --git a/pkg/login/social/social.go b/pkg/login/social/social.go
@@ -77,7 +77,6 @@ type OAuthInfo struct {
 	OrgMapping              []string          `mapstructure:"org_mapping"`
 	Scopes                  []string          `mapstructure:"scopes" toml:"scopes"`
 	SignoutRedirectUrl      string            `mapstructure:"signout_redirect_url" toml:"signout_redirect_url"`
-	SignoutUrl              string            `mapstructure:"signout_url" toml:"signout_url"`
 	SkipOrgRoleSync         bool              `mapstructure:"skip_org_role_sync" toml:"skip_org_role_sync"`
 	TeamIdsAttributePath    string            `mapstructure:"team_ids_attribute_path" toml:"team_ids_attribute_path"`
 	TeamsUrl                string            `mapstructure:"teams_url" toml:"teams_url"`

diff --git a/pkg/models/usertoken/user_token.go b/pkg/models/usertoken/user_token.go
@@ -36,7 +36,6 @@ type UserToken struct {
 	UpdatedAt         int64
 	RevokedAt         int64
 	UnhashedToken     string
-	IdToken           string
 }
 
 const UrgentRotateTime = 1 * time.Minute

diff --git a/pkg/services/auth/auth.go b/pkg/services/auth/auth.go
@@ -71,7 +71,6 @@ type CreateTokenCommand struct {
 	ClientIP        net.IP
 	UserAgent       string
 	ExternalSession *ExternalSession
-	IdToken         string
 }
 
 // UserTokenService are used for generating and validating user tokens

diff --git a/pkg/services/auth/authimpl/auth_token.go b/pkg/services/auth/authimpl/auth_token.go
@@ -94,7 +94,6 @@ func (s *UserAuthTokenService) CreateToken(ctx context.Context, cmd *auth.Create
 		SeenAt:        0,
 		RevokedAt:     0,
 		AuthTokenSeen: false,
-		IdToken:       cmd.IdToken,
 	}
 
 	err = s.sqlStore.InTransaction(ctx, func(ctx context.Context) error {
@@ -124,11 +123,6 @@ func (s *UserAuthTokenService) CreateToken(ctx context.Context, cmd *auth.Create
 	var userToken auth.UserToken
 	err = userAuthToken.toUserToken(&userToken)
 
-	// 메모리저장 테스트
-	// if cmd.IdToken != "" {
-	// 	userToken.IdToken = cmd.IdToken
-	// }
-
 	return &userToken, err
 }
 

diff --git a/pkg/services/auth/authimpl/model.go b/pkg/services/auth/authimpl/model.go
@@ -21,7 +21,6 @@ type userAuthToken struct {
 	RevokedAt         int64
 	UnhashedToken     string `xorm:"-"`
 	ExternalSessionId int64
-	IdToken           string
 }
 
 func userAuthTokenFromUserToken(ut *auth.UserToken) (*userAuthToken, error) {
@@ -72,6 +71,5 @@ func (uat *userAuthToken) toUserToken(ut *auth.UserToken) error {
 	ut.RevokedAt = uat.RevokedAt
 	ut.UnhashedToken = uat.UnhashedToken
 	ut.ExternalSessionId = uat.ExternalSessionId
-	ut.IdToken = uat.IdToken
 	return nil
 }
diff --git a/pkg/services/authn/authnimpl/service.go b/pkg/services/authn/authnimpl/service.go
@@ -3,9 +3,7 @@ package authnimpl
 import (
 	"context"
 	"errors"
-	"fmt"
 	"net/http"
-	"net/url"
 	"strconv"
 	"strings"
 
@@ -243,19 +241,13 @@ func (s *Service) Login(ctx context.Context, client string, r *authn.Request) (i
 		s.log.FromContext(ctx).Debug("Failed to parse ip from address", "client", c.Name(), "id", id.ID, "addr", addr, "error", err)
 	}
 
-	var sessionToken *auth.UserToken
-	var sessionTokenErr error
 	externalSession := s.resolveExternalSessionFromIdentity(ctx, id, userID)
-	if externalSession != nil && externalSession.IDToken != "" {
-		sessionToken, sessionTokenErr = s.sessionService.CreateToken(ctx, &auth.CreateTokenCommand{User: &user.User{ID: userID}, ClientIP: ip, UserAgent: r.HTTPRequest.UserAgent(), ExternalSession: externalSession, IdToken: externalSession.IDToken})
-	} else {
-		sessionToken, sessionTokenErr = s.sessionService.CreateToken(ctx, &auth.CreateTokenCommand{User: &user.User{ID: userID}, ClientIP: ip, UserAgent: r.HTTPRequest.UserAgent(), ExternalSession: externalSession})
-	}
 
-	if sessionTokenErr != nil {
+	sessionToken, err := s.sessionService.CreateToken(ctx, &auth.CreateTokenCommand{User: &user.User{ID: userID}, ClientIP: ip, UserAgent: r.HTTPRequest.UserAgent(), ExternalSession: externalSession})
+	if err != nil {
 		s.metrics.failedLogin.WithLabelValues(client).Inc()
-		s.log.FromContext(ctx).Error("Failed to create session", "client", client, "id", id.ID, "err", sessionTokenErr)
-		return nil, sessionTokenErr
+		s.log.FromContext(ctx).Error("Failed to create session", "client", client, "id", id.ID, "err", err)
+		return nil, err
 	}
 
 	s.metrics.successfulLogin.WithLabelValues(client).Inc()
@@ -335,19 +327,6 @@ func (s *Service) Logout(ctx context.Context, user identity.Requester, sessionTo
 			goto Default
 		}
 
-		if s.cfg.SignoutRedirectUrl != "" {
-			rawRedirect := s.cfg.AppURL + "login?disableAutoLogin=true"
-			idToken := sessionToken.IdToken
-
-			logoutURL := fmt.Sprintf(
-				"%s?post_logout_redirect_uri=%s&id_token_hint=%s",
-				s.cfg.SignoutUrl,
-				url.QueryEscape(rawRedirect),
-				idToken,
-			)
-			clientRedirect.URL = logoutURL
-		}
-
 		redirect = clientRedirect
 	}
 

diff --git a/pkg/services/ssosettings/strategies/oauth_strategy.go b/pkg/services/ssosettings/strategies/oauth_strategy.go
@@ -102,7 +102,6 @@ func (s *OAuthStrategy) loadSettingsForProvider(provider string) map[string]any
 		"auto_login":                 section.Key("auto_login").MustBool(false),
 		"allowed_groups":             section.Key("allowed_groups").Value(),
 		"signout_redirect_url":       section.Key("signout_redirect_url").Value(),
-		"signout_url":                section.Key("signout_url").Value(),
 		"org_mapping":                section.Key("org_mapping").Value(),
 		"org_attribute_path":         section.Key("org_attribute_path").Value(),
 	}

diff --git a/pkg/services/user/model.go b/pkg/services/user/model.go
@@ -49,14 +49,6 @@ type User struct {
 	LastSeenAt time.Time
 }
 
-type UserAuth struct {
-	ID         int64     `xorm:"pk autoincr 'id'" json:"id"`
-	UserID     int64     `xorm:"user_id" json:"user_id"`
-	AuthModule string    `xorm:"auth_module" json:"auth_module"`
-	AuthID     string    `xorm:"auth_id" json:"auth_id"`
-	Created    time.Time `xorm:"created" json:"created"`
-}
-
 type CreateUserCommand struct {
 	UID              string
 	Email            string
@@ -101,13 +93,6 @@ type UpdateUserCommand struct {
 	HelpFlags1 *HelpFlags1 `json:"-"`
 }
 
-type UpdateAuthModuleCommand struct {
-	UserID     int64     `json:"user_id"`
-	AuthModule string    `json:"auth_module"`
-	AuthID     string    `json:"auth_id"`
-	Created    time.Time `xorm:"created" json:"created"`
-}
-
 type UpdateUserLastSeenAtCommand struct {
 	UserID int64
 	OrgID  int64

diff --git a/pkg/services/user/userimpl/store.go b/pkg/services/user/userimpl/store.go
@@ -26,7 +26,6 @@ type store interface {
 	Delete(context.Context, int64) error
 	LoginConflict(ctx context.Context, login, email string) error
 	Update(context.Context, *user.UpdateUserCommand) error
-	UpdateAuthModule(context.Context, *user.UpdateAuthModuleCommand) error
 	UpdateLastSeenAt(context.Context, *user.UpdateUserLastSeenAtCommand) error
 	GetSignedInUser(context.Context, *user.GetSignedInUserQuery) (*user.SignedInUser, error)
 	GetProfile(context.Context, *user.GetUserProfileQuery) (*user.UserProfileDTO, error)
@@ -282,43 +281,6 @@ func (ss *sqlStore) Update(ctx context.Context, cmd *user.UpdateUserCommand) err
 	})
 }
 
-func (ss *sqlStore) UpdateAuthModule(ctx context.Context, cmd *user.UpdateAuthModuleCommand) error {
-	// enforcement of lowercase due to forcement of caseinsensitive login
-	return ss.db.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
-		usr := user.UserAuth{
-			UserID:     cmd.UserID,
-			AuthModule: cmd.AuthModule,
-			AuthID:     cmd.AuthID,
-			Created:    time.Now(),
-		}
-
-		// 기존 레코드 조회 (서비스 계정 필터 제거)
-		q := sess.ID(cmd.UserID)
-
-		rows, err := q.Update(&usr)
-		if err != nil {
-			return err
-		}
-
-		// 존재하지 않으면 Insert
-		if rows == 0 {
-			if _, err := sess.Insert(&usr); err != nil {
-				return err
-			}
-		}
-
-		// 이벤트 publish
-		sess.PublishAfterCommit(&events.UserAuthUpdated{
-			Timestamp:  usr.Created,
-			UserID:     usr.UserID,
-			AuthModule: usr.AuthModule,
-			AuthID:     usr.AuthID,
-		})
-
-		return nil
-	})
-}
-
 func (ss *sqlStore) UpdateLastSeenAt(ctx context.Context, cmd *user.UpdateUserLastSeenAtCommand) error {
 	if cmd.UserID <= 0 {
 		return user.ErrUpdateInvalidID

diff --git a/pkg/services/user/userimpl/user.go b/pkg/services/user/userimpl/user.go
@@ -291,22 +291,6 @@ func (s *Service) Update(ctx context.Context, cmd *user.UpdateUserCommand) error
 	return s.store.Update(ctx, cmd)
 }
 
-func (s *Service) UpdateAuthModule(ctx context.Context, cmd *user.UpdateAuthModuleCommand) error {
-	ctx, span := s.tracer.Start(ctx, "user.UpdateAuthModule", trace.WithAttributes(
-		attribute.Int64("userID", cmd.UserID),
-	))
-	defer span.End()
-
-	_, err := s.store.GetByID(ctx, cmd.UserID)
-	if err != nil {
-		return err
-	}
-
-	cmd.Created = time.Now().UTC()
-
-	return s.store.UpdateAuthModule(ctx, cmd)
-}
-
 func (s *Service) UpdateLastSeenAt(ctx context.Context, cmd *user.UpdateUserLastSeenAtCommand) error {
 	ctx, span := s.tracer.Start(ctx, "user.UpdateLastSeen", trace.WithAttributes(
 		attribute.Int64("userID", cmd.UserID),

diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
@@ -175,12 +175,12 @@ type Cfg struct {
 	// CSPReportEnabled toggles Content Security Policy Report Only support.
 	CSPReportOnlyEnabled bool
 	// CSPReportOnlyTemplate contains the Content Security Policy Report Only template.
-	CSPReportOnlyTemplate           string
-	AngularSupportEnabled           bool
-	EnableFrontendSandboxForPlugins []string
-	DisableGravatar                 bool
-	DataProxyWhiteList              map[string]bool
-	ActionsAllowPostURL             string
+	CSPReportOnlyTemplate            string
+	AngularSupportEnabled            bool
+	DisableFrontendSandboxForPlugins []string
+	DisableGravatar                  bool
+	DataProxyWhiteList               map[string]bool
+	ActionsAllowPostURL              string
 
 	TempDataLifetime time.Duration
 
@@ -242,7 +242,6 @@ type Cfg struct {
 	AdminEmail                    string
 	DisableLoginForm              bool
 	SignoutRedirectUrl            string
-	SignoutUrl                    string
 	IDResponseHeaderEnabled       bool
 	IDResponseHeaderPrefix        string
 	IDResponseHeaderNamespaces    map[string]struct{}
@@ -533,7 +532,6 @@ type Cfg struct {
 
 	// Unified Storage
 	UnifiedStorage map[string]UnifiedStorageConfig
-	IndexPath      string
 }
 
 type UnifiedStorageConfig struct {
@@ -1340,9 +1338,8 @@ func (cfg *Cfg) parseINIFile(iniFile *ini.File) error {
 	cfg.ScopesListScopesURL = scopesSection.Key("list_scopes_endpoint").MustString("")
 	cfg.ScopesListDashboardsURL = scopesSection.Key("list_dashboards_endpoint").MustString("")
 
-	// unified storage config
+	// read unifed storage config
 	cfg.setUnifiedStorageConfig()
-	cfg.setIndexPath()
 
 	return nil
 }
@@ -1558,10 +1555,10 @@ func readSecuritySettings(iniFile *ini.File, cfg *Cfg) error {
 	cfg.CSPReportOnlyEnabled = security.Key("content_security_policy_report_only").MustBool(false)
 	cfg.CSPReportOnlyTemplate = security.Key("content_security_policy_report_only_template").MustString("")
 
-	enableFrontendSandboxForPlugins := security.Key("enable_frontend_sandbox_for_plugins").MustString("")
-	for _, plug := range strings.Split(enableFrontendSandboxForPlugins, ",") {
+	disableFrontendSandboxForPlugins := security.Key("disable_frontend_sandbox_for_plugins").MustString("")
+	for _, plug := range strings.Split(disableFrontendSandboxForPlugins, ",") {
 		plug = strings.TrimSpace(plug)
-		cfg.EnableFrontendSandboxForPlugins = append(cfg.EnableFrontendSandboxForPlugins, plug)
+		cfg.DisableFrontendSandboxForPlugins = append(cfg.DisableFrontendSandboxForPlugins, plug)
 	}
 
 	if cfg.CSPEnabled && cfg.CSPTemplate == "" {
@@ -1630,7 +1627,6 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(600)
 	cfg.OAuthRefreshTokenServerLockMinWaitMs = auth.Key("oauth_refresh_token_server_lock_min_wait_ms").MustInt64(1000)
 	cfg.SignoutRedirectUrl = valueAsString(auth, "signout_redirect_url", "")
-	cfg.SignoutUrl = valueAsString(auth, "signout_url", "")
 
 	// Deprecated
 	cfg.OAuthSkipOrgRoleUpdateSync = false