Merge branch 'master' into flip-table-graph-feature-flag

2018-03-28 17:45:48 -07:00 · 2018-03-28 17:45:48 -07:00 · 5a66eccd47
parent bde397be68 b85a0263b7
commit 5a66eccd47
18 changed files with 455 additions and 72 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,11 @@
 ## v1.5.0.0 [unreleased]
 ### Features
 1.  [#2526](https://github.com/influxdata/chronograf/pull/2526): Add support for RS256/JWKS verification, support for id_token parsing (as in ADFS)
 ### UI Improvements
 ### Bug Fixes
 ## v1.4.3.0 [unreleased]
 ### Features
@ -19,7 +27,10 @@
 1.  [#2970](https://github.com/influxdata/chronograf/pull/2970): Fix hanging browser on docker host dashboard
 1.  [#3006](https://github.com/influxdata/chronograf/pull/3006): Fix Kapacitor Rules task enabled checkboxes to only toggle exactly as clicked
 1.  [#3048](https://github.com/influxdata/chronograf/pull/3048): Prevent Multi-Select Dropdown in InfluxDB Admin Users and Roles tabs from losing selection state
 1.  [#3073](https://github.com/influxdata/chronograf/pull/3073): Fix Delete button in All Users admin page
 1.  [#3068](https://github.com/influxdata/chronograf/pull/3068): Fix intermittent missing fill from graphs
 1.  [#3087](https://github.com/influxdata/chronograf/pull/3087): Exit annotation edit mode when user navigates away from dashboard
 1.  [#3079](https://github.com/influxdata/chronograf/pull/3082): Support custom time range in annotations api wrapper
 ## v1.4.2.3 [2018-03-08]
@ -35,7 +46,6 @@
 ## v1.4.2.1 [2018-02-28]
 ### Features
 1.  [#2837](https://github.com/influxdata/chronograf/pull/2837): Prevent execution of queries in cells that are not in view on the dashboard page
 1.  [#2829](https://github.com/influxdata/chronograf/pull/2829): Add an optional persistent legend which can toggle series visibility to dashboard cells
 1.  [#2846](https://github.com/influxdata/chronograf/pull/2846): Allow user to annotate graphs via UI or API
--- a/integrations/server_test.go
+++ b/integrations/server_test.go
@ -2821,6 +2821,9 @@ func TestServer(t *testing.T) {
 			// This is so that we can use staticly generate jwts
 			tt.args.server.TokenSecret = "secret"
 			// Endpoint for validating RSA256 signatures when using id_token parsing for ADFS
 			tt.args.server.JwksURL = ""
 			boltFile := newBoltFile()
 			tt.args.server.BoltPath = boltFile
@ -2938,7 +2941,7 @@ func TestServer(t *testing.T) {
 			buf, _ := json.Marshal(tt.args.payload)
 			reqBody := ioutil.NopCloser(bytes.NewReader(buf))
 			req, _ := http.NewRequest(tt.args.method, serverURL, reqBody)
-			token, _ := oauth2.NewJWT(tt.args.server.TokenSecret).Create(ctx, tt.args.principal)
+			token, _ := oauth2.NewJWT(tt.args.server.TokenSecret, tt.args.server.JwksURL).Create(ctx, tt.args.principal)
 			req.AddCookie(&http.Cookie{
 				Name:     "session",
 				Value:    string(token),
--- a/oauth2/cookies_test.go
+++ b/oauth2/cookies_test.go
@ -3,6 +3,7 @@ package oauth2
 import (
 	"context"
 	"fmt"
 	gojwt "github.com/dgrijalva/jwt-go"
 	"log"
 	"net/http"
 	"net/http/httptest"
@ -32,6 +33,10 @@ func (m *MockTokenizer) ExtendedPrincipal(ctx context.Context, principal Princip
 	return principal, m.ExtendErr
 }
 func (m *MockTokenizer) GetClaims(tokenString string) (gojwt.MapClaims, error) {
 	return gojwt.MapClaims{}, nil
 }
 func TestCookieAuthorize(t *testing.T) {
 	var test = []struct {
 		Desc      string
--- a/oauth2/generic.go
+++ b/oauth2/generic.go
@ -7,11 +7,20 @@ import (
 	"net/http"
 	"strings"
 	gojwt "github.com/dgrijalva/jwt-go"
 	"github.com/influxdata/chronograf"
 	"golang.org/x/oauth2"
 )
-var _ Provider = &Generic{}
+// ExtendedProvider extendts the base Provider interface with optional methods
 type ExtendedProvider interface {
 	Provider
 	// get PrincipalID from id_token
 	PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error)
 	GroupFromClaims(claims gojwt.MapClaims) (string, error)
 }
 var _ ExtendedProvider = &Generic{}
 // Generic provides OAuth Login and Callback server and is modeled
 // after the Github OAuth2 provider. Callback will set an authentication
@ -197,3 +206,26 @@ func ofDomain(requiredDomains []string, email string) bool {
 	}
 	return false
 }
 // PrincipalIDFromClaims verifies an optional id_token and extracts email address of the user
 func (g *Generic) PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error) {
 	if id, ok := claims[g.APIKey].(string); ok {
 		return id, nil
 	}
 	return "", fmt.Errorf("no claim for %s", g.APIKey)
 }
 // GroupFromClaims verifies an optional id_token, extracts the email address of the user and splits off the domain part
 func (g *Generic) GroupFromClaims(claims gojwt.MapClaims) (string, error) {
 	if id, ok := claims[g.APIKey].(string); ok {
 		email := strings.Split(id, "@")
 		if len(email) != 2 {
 			g.Logger.Error("malformed email address, expected %q to contain @ symbol", id)
 			return "DEFAULT", nil
 		}
 		return email[1], nil
 	}
 	return "", fmt.Errorf("no claim for %s", g.APIKey)
 }
--- a/oauth2/jwt.go
+++ b/oauth2/jwt.go
@ -2,7 +2,12 @@ package oauth2
 import (
 	"context"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"time"
 	gojwt "github.com/dgrijalva/jwt-go"
@ -14,13 +19,17 @@ var _ Tokenizer = &JWT{}
 // JWT represents a javascript web token that can be validated or marshaled into string.
 type JWT struct {
 	Secret  string
 	Jwksurl string
 	Now     func() time.Time
 }
-// NewJWT creates a new JWT using time.Now; secret is used for signing and validating.
+// NewJWT creates a new JWT using time.Now
-func NewJWT(secret string) *JWT {
+// secret is used for signing and validating signatures (HS256/HMAC)
 // jwksurl is used for validating RS256 signatures.
 func NewJWT(secret string, jwksurl string) *JWT {
 	return &JWT{
 		Secret:  secret,
 		Jwksurl: jwksurl,
 		Now:     DefaultNowTime,
 	}
 }
@ -62,16 +71,98 @@ func (j *JWT) ValidPrincipal(ctx context.Context, jwtToken Token, lifespan time.
 	gojwt.TimeFunc = j.Now
 	// Check for expected signing method.
-	alg := func(token *gojwt.Token) (interface{}, error) {
+	alg := j.KeyFunc
 		if _, ok := token.Method.(*gojwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
 		return []byte(j.Secret), nil
 	}
 	return j.ValidClaims(jwtToken, lifespan, alg)
 }
 // KeyFunc verifies HMAC or RSA/RS256 signatures
 func (j *JWT) KeyFunc(token *gojwt.Token) (interface{}, error) {
 	if _, ok := token.Method.(*gojwt.SigningMethodHMAC); ok {
 		return []byte(j.Secret), nil
 	} else if _, ok := token.Method.(*gojwt.SigningMethodRSA); ok {
 		return j.KeyFuncRS256(token)
 	}
 	return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 }
 // For the id_token, the recommended signature algorithm is RS256, which
 // means we need to verify the token against a public key. This public key
 // is available from the key discovery service in JSON Web Key (JWK).
 // JWK is specified in RFC 7517.
 //
 // The location of the key discovery service (JWKSURL) is published in the
 // OpenID Provider Configuration Information at /.well-known/openid-configuration
 // implements rfc7517 section 4.7 "x5c" (X.509 Certificate Chain) Parameter
 // JWK defines a JSON Web KEy nested struct
 type JWK struct {
 	Kty string   `json:"kty"`
 	Use string   `json:"use"`
 	Alg string   `json:"alg"`
 	Kid string   `json:"kid"`
 	X5t string   `json:"x5t"`
 	N   string   `json:"n"`
 	E   string   `json:"e"`
 	X5c []string `json:"x5c"`
 }
 // JWKS defines a JKW[]
 type JWKS struct {
 	Keys []JWK `json:"keys"`
 }
 // KeyFuncRS256 verifies RS256 signed JWT tokens, it looks up the signing key in the key discovery service
 func (j *JWT) KeyFuncRS256(token *gojwt.Token) (interface{}, error) {
 	// Don't forget to validate the alg is what you expect:
 	if _, ok := token.Method.(*gojwt.SigningMethodRSA); !ok {
 		return nil, fmt.Errorf("Unsupported signing method: %v", token.Header["alg"])
 	}
 	// read JWKS document from key discovery service
 	if j.Jwksurl == "" {
 		return nil, fmt.Errorf("JWKSURL not specified, cannot validate RS256 signature")
 	}
 	rr, err := http.Get(j.Jwksurl)
 	if err != nil {
 		return nil, err
 	}
 	defer rr.Body.Close()
 	body, err := ioutil.ReadAll(rr.Body)
 	if err != nil {
 		return nil, err
 	}
 	// parse json to struct
 	var jwks JWKS
 	if err := json.Unmarshal([]byte(body), &jwks); err != nil {
 		return nil, err
 	}
 	// extract cert when kid and alg match
 	var certPkix []byte
 	for _, jwk := range jwks.Keys {
 		if token.Header["kid"] == jwk.Kid && token.Header["alg"] == jwk.Alg {
 			// FIXME: optionally walk the key chain, see rfc7517 section 4.7
 			certPkix, err = base64.StdEncoding.DecodeString(jwk.X5c[0])
 			if err != nil {
 				return nil, fmt.Errorf("base64 decode error for JWK kid %v", token.Header["kid"])
 			}
 		}
 	}
 	if certPkix == nil {
 		return nil, fmt.Errorf("no signing key found for kid %v", token.Header["kid"])
 	}
 	// parse certificate (from PKIX format) and return signing key
 	cert, err := x509.ParseCertificate(certPkix)
 	if err != nil {
 		return nil, err
 	}
 	return cert.PublicKey, nil
 }
 // ValidClaims validates a token with StandardClaims
 func (j *JWT) ValidClaims(jwtToken Token, lifespan time.Duration, alg gojwt.Keyfunc) (Principal, error) {
 	// 1. Checks for expired tokens
@ -114,6 +205,28 @@ func (j *JWT) ValidClaims(jwtToken Token, lifespan time.Duration, alg gojwt.Keyf
 	}, nil
 }
 // GetClaims extracts claims from id_token
 func (j *JWT) GetClaims(tokenString string) (gojwt.MapClaims, error) {
 	var claims gojwt.MapClaims
 	gojwt.TimeFunc = j.Now
 	token, err := gojwt.Parse(tokenString, j.KeyFunc)
 	if err != nil {
 		return nil, err
 	}
 	if !token.Valid {
 		return nil, fmt.Errorf("token is not valid")
 	}
 	claims, ok := token.Claims.(gojwt.MapClaims)
 	if !ok {
 		return nil, fmt.Errorf("token has no claims")
 	}
 	return claims, nil
 }
 // Create creates a signed JWT token from user that expires at Principal's ExpireAt time.
 func (j *JWT) Create(ctx context.Context, user Principal) (Token, error) {
 	// Create a new token object, specifying signing method and the claims
--- a/oauth2/jwt_test.go
+++ b/oauth2/jwt_test.go
@ -3,6 +3,9 @@ package oauth2_test
 import (
 	"context"
 	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"testing"
 	"time"
@ -152,8 +155,82 @@ func TestSigningMethod(t *testing.T) {
 	j := oauth2.JWT{}
 	if _, err := j.ValidPrincipal(context.Background(), token, 0); err == nil {
 		t.Error("Error was expected while validating incorrectly signed token")
-	} else if err.Error() != "unexpected signing method: RS256" {
+	} else if err.Error() != "JWKSURL not specified, cannot validate RS256 signature" {
-		t.Errorf("Error wanted 'unexpected signing method', got %s", err.Error())
+		t.Errorf("Error wanted 'JWKSURL not specified, cannot validate RS256 signature', got %s", err.Error())
 	}
 }
 func TestGetClaims(t *testing.T) {
 	var tests = []struct {
 		Name         string
 		TokenString  string
 		JwksDocument string
 		Iat          int64
 		Err          error
 	}{
 		{
 			Name:         "Valid Token with RS256 signature verified against correct JWKS document",
 			TokenString:  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSIsImtpZCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSJ9.eyJhdWQiOiJjaHJvbm9ncmFmIiwiaXNzIjoiaHR0cHM6Ly9kc3RjaW1hYWQxcC5kc3QtaXRzLmRlL2FkZnMiLCJpYXQiOjE1MTMxNjU4ODksImV4cCI6MTUxMzE2OTQ4OSwiYXV0aF90aW1lIjoxNTEzMTY1ODg4LCJzdWIiOiJlWVYzamRsZE55RlkxcUZGSDRvQWRCdkRGZmJWZm51RzI5SGlIa1N1andrPSIsInVwbiI6ImJzY0Bkc3QtaXRzLmRlIiwidW5pcXVlX25hbWUiOiJEU1RcXGJzYyIsInNpZCI6IlMtMS01LTIxLTI1MDUxNTEzOTgtMjY2MTAyODEwOS0zNzU0MjY1ODIwLTExMDQifQ.nK51Ui4XN45SVul9igNaKFQd-F63BNstBzW-T5LBVm_ANHCEHyP3_88C3ffkkQIi3PxYacRJGtfswP35ws7YJUcNp-GoGZARqz62NpMtbQyhos6mCaVXwPoxPbrZx4AkMQgxkZwJcOzceX7mpjcT3kCth30chN3lkhzSjGrXe4ZDOAV25liS-dsdBiqDiaTB91sS534GM76qJQxFUs51oSbYTRdCN1VJ0XopMcasfVDzFrtSbyvEIVXlpKK2HplnhheqF4QHrM_3cjV_NGRr3tYLe-AGTdDXKWlJD1GDz1ECXeMGQHPoz3U8cqNsFLYBstIlCgfnBWgWsPZSvJPJUg",
 			JwksDocument: `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"YDBUhqdWksKXdGuX0sytjaUuxhA","x5t":"YDBUhqdWksKXdGuX0sytjaUuxhA","n":"uwVVrs5OJRKeLUk0H5N_b4Jbvff3rxlg3WIeOO-zSSPTC5oFOc5_te0rLgVoNJJB4rNM4A7BEXI885xLrjfL3l3LHqaJetvR0tdLAnkvbUKUiGxnuGnmOsgh491P95pHPIAniy2p64FQoBbTJ0a6cF5LRuPPHKVXgjXjTydvmKrt_IVaWUDgICRsw5Bbv290SahmxcdO3akSgfsZtRkR8SmaMzAPYINi2_8P2evaKAnMQLTgUVkctaEamO_6HJ5f5sWheV7trLekU35xPVkPwShDelefnhyJcO5yICXqXzuewBEni9LrxAEJYN2rYfiFQWJy-pDe5DPUBs-IFTpctQ","e":"AQAB","x5c":["MIIC6DCCAdCgAwIBAgIQPszqLhbrpZlE+jEJTyJg7jANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBkc3RjaW1hYWQxcC5kc3QtaXRzLmRlMB4XDTE3MTIwNDE0MDEwOFoXDTE4MTIwNDE0MDEwOFowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gZHN0Y2ltYWFkMXAuZHN0LWl0cy5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsFVa7OTiUSni1JNB+Tf2+CW733968ZYN1iHjjvs0kj0wuaBTnOf7XtKy4FaDSSQeKzTOAOwRFyPPOcS643y95dyx6miXrb0dLXSwJ5L21ClIhsZ7hp5jrIIePdT\/eaRzyAJ4stqeuBUKAW0ydGunBeS0bjzxylV4I1408nb5iq7fyFWllA4CAkbMOQW79vdEmoZsXHTt2pEoH7GbUZEfEpmjMwD2CDYtv\/D9nr2igJzEC04FFZHLWhGpjv+hyeX+bFoXle7ay3pFN+cT1ZD8EoQ3pXn54ciXDuciAl6l87nsARJ4vS68QBCWDdq2H4hUFicvqQ3uQz1AbPiBU6XLUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPHCisZyPf\/fuuQEW5LyzZSYMwBRYVR6kk\/M2ZNx6TrUEwmOb10RQ3G97bLAshN44g5lWdPYz4EOt6d2o71etIjf79f+IR0MAjEgBB2HThaHcMU9KG229Ftcauie9XeurngMawTRu60YqH7+go8EMf6a1Kdnx37DMy\/1LRlsYJVfEoOCab3GgcIdXrRSYWqsY4SVJZiTPYdqz9vmNPSXXiDSOTl6qXHV\/f53WTS2V5aIQbuJJziXlceusuVNny0o5h+j6ovZ1HhEGAu3lpD+8kY8KUqA4kXMH3VNZqzHBYazJx\/QBB3bG45cZSOvV3gUOnGBgiv9NBWjhvmY0fC3J6Q=="]}]}`,
 			Iat:          int64(1513165889),
 		},
 		{
 			Name:         "Valid Token with RS256 signature verified against correct JWKS document but predated",
 			TokenString:  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSIsImtpZCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSJ9.eyJhdWQiOiJjaHJvbm9ncmFmIiwiaXNzIjoiaHR0cHM6Ly9kc3RjaW1hYWQxcC5kc3QtaXRzLmRlL2FkZnMiLCJpYXQiOjE1MTMxNjU4ODksImV4cCI6MTUxMzE2OTQ4OSwiYXV0aF90aW1lIjoxNTEzMTY1ODg4LCJzdWIiOiJlWVYzamRsZE55RlkxcUZGSDRvQWRCdkRGZmJWZm51RzI5SGlIa1N1andrPSIsInVwbiI6ImJzY0Bkc3QtaXRzLmRlIiwidW5pcXVlX25hbWUiOiJEU1RcXGJzYyIsInNpZCI6IlMtMS01LTIxLTI1MDUxNTEzOTgtMjY2MTAyODEwOS0zNzU0MjY1ODIwLTExMDQifQ.nK51Ui4XN45SVul9igNaKFQd-F63BNstBzW-T5LBVm_ANHCEHyP3_88C3ffkkQIi3PxYacRJGtfswP35ws7YJUcNp-GoGZARqz62NpMtbQyhos6mCaVXwPoxPbrZx4AkMQgxkZwJcOzceX7mpjcT3kCth30chN3lkhzSjGrXe4ZDOAV25liS-dsdBiqDiaTB91sS534GM76qJQxFUs51oSbYTRdCN1VJ0XopMcasfVDzFrtSbyvEIVXlpKK2HplnhheqF4QHrM_3cjV_NGRr3tYLe-AGTdDXKWlJD1GDz1ECXeMGQHPoz3U8cqNsFLYBstIlCgfnBWgWsPZSvJPJUg",
 			JwksDocument: `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"YDBUhqdWksKXdGuX0sytjaUuxhA","x5t":"YDBUhqdWksKXdGuX0sytjaUuxhA","n":"uwVVrs5OJRKeLUk0H5N_b4Jbvff3rxlg3WIeOO-zSSPTC5oFOc5_te0rLgVoNJJB4rNM4A7BEXI885xLrjfL3l3LHqaJetvR0tdLAnkvbUKUiGxnuGnmOsgh491P95pHPIAniy2p64FQoBbTJ0a6cF5LRuPPHKVXgjXjTydvmKrt_IVaWUDgICRsw5Bbv290SahmxcdO3akSgfsZtRkR8SmaMzAPYINi2_8P2evaKAnMQLTgUVkctaEamO_6HJ5f5sWheV7trLekU35xPVkPwShDelefnhyJcO5yICXqXzuewBEni9LrxAEJYN2rYfiFQWJy-pDe5DPUBs-IFTpctQ","e":"AQAB","x5c":["MIIC6DCCAdCgAwIBAgIQPszqLhbrpZlE+jEJTyJg7jANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBkc3RjaW1hYWQxcC5kc3QtaXRzLmRlMB4XDTE3MTIwNDE0MDEwOFoXDTE4MTIwNDE0MDEwOFowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gZHN0Y2ltYWFkMXAuZHN0LWl0cy5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsFVa7OTiUSni1JNB+Tf2+CW733968ZYN1iHjjvs0kj0wuaBTnOf7XtKy4FaDSSQeKzTOAOwRFyPPOcS643y95dyx6miXrb0dLXSwJ5L21ClIhsZ7hp5jrIIePdT\/eaRzyAJ4stqeuBUKAW0ydGunBeS0bjzxylV4I1408nb5iq7fyFWllA4CAkbMOQW79vdEmoZsXHTt2pEoH7GbUZEfEpmjMwD2CDYtv\/D9nr2igJzEC04FFZHLWhGpjv+hyeX+bFoXle7ay3pFN+cT1ZD8EoQ3pXn54ciXDuciAl6l87nsARJ4vS68QBCWDdq2H4hUFicvqQ3uQz1AbPiBU6XLUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPHCisZyPf\/fuuQEW5LyzZSYMwBRYVR6kk\/M2ZNx6TrUEwmOb10RQ3G97bLAshN44g5lWdPYz4EOt6d2o71etIjf79f+IR0MAjEgBB2HThaHcMU9KG229Ftcauie9XeurngMawTRu60YqH7+go8EMf6a1Kdnx37DMy\/1LRlsYJVfEoOCab3GgcIdXrRSYWqsY4SVJZiTPYdqz9vmNPSXXiDSOTl6qXHV\/f53WTS2V5aIQbuJJziXlceusuVNny0o5h+j6ovZ1HhEGAu3lpD+8kY8KUqA4kXMH3VNZqzHBYazJx\/QBB3bG45cZSOvV3gUOnGBgiv9NBWjhvmY0fC3J6Q=="]}]}`,
 			Iat:          int64(1513165889) - 1,
 			Err:          errors.New("Token used before issued"),
 		},
 		{
 			Name:         "Valid Token with RS256 signature verified against correct JWKS document but outdated",
 			TokenString:  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSIsImtpZCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSJ9.eyJhdWQiOiJjaHJvbm9ncmFmIiwiaXNzIjoiaHR0cHM6Ly9kc3RjaW1hYWQxcC5kc3QtaXRzLmRlL2FkZnMiLCJpYXQiOjE1MTMxNjU4ODksImV4cCI6MTUxMzE2OTQ4OSwiYXV0aF90aW1lIjoxNTEzMTY1ODg4LCJzdWIiOiJlWVYzamRsZE55RlkxcUZGSDRvQWRCdkRGZmJWZm51RzI5SGlIa1N1andrPSIsInVwbiI6ImJzY0Bkc3QtaXRzLmRlIiwidW5pcXVlX25hbWUiOiJEU1RcXGJzYyIsInNpZCI6IlMtMS01LTIxLTI1MDUxNTEzOTgtMjY2MTAyODEwOS0zNzU0MjY1ODIwLTExMDQifQ.nK51Ui4XN45SVul9igNaKFQd-F63BNstBzW-T5LBVm_ANHCEHyP3_88C3ffkkQIi3PxYacRJGtfswP35ws7YJUcNp-GoGZARqz62NpMtbQyhos6mCaVXwPoxPbrZx4AkMQgxkZwJcOzceX7mpjcT3kCth30chN3lkhzSjGrXe4ZDOAV25liS-dsdBiqDiaTB91sS534GM76qJQxFUs51oSbYTRdCN1VJ0XopMcasfVDzFrtSbyvEIVXlpKK2HplnhheqF4QHrM_3cjV_NGRr3tYLe-AGTdDXKWlJD1GDz1ECXeMGQHPoz3U8cqNsFLYBstIlCgfnBWgWsPZSvJPJUg",
 			JwksDocument: `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"YDBUhqdWksKXdGuX0sytjaUuxhA","x5t":"YDBUhqdWksKXdGuX0sytjaUuxhA","n":"uwVVrs5OJRKeLUk0H5N_b4Jbvff3rxlg3WIeOO-zSSPTC5oFOc5_te0rLgVoNJJB4rNM4A7BEXI885xLrjfL3l3LHqaJetvR0tdLAnkvbUKUiGxnuGnmOsgh491P95pHPIAniy2p64FQoBbTJ0a6cF5LRuPPHKVXgjXjTydvmKrt_IVaWUDgICRsw5Bbv290SahmxcdO3akSgfsZtRkR8SmaMzAPYINi2_8P2evaKAnMQLTgUVkctaEamO_6HJ5f5sWheV7trLekU35xPVkPwShDelefnhyJcO5yICXqXzuewBEni9LrxAEJYN2rYfiFQWJy-pDe5DPUBs-IFTpctQ","e":"AQAB","x5c":["MIIC6DCCAdCgAwIBAgIQPszqLhbrpZlE+jEJTyJg7jANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBkc3RjaW1hYWQxcC5kc3QtaXRzLmRlMB4XDTE3MTIwNDE0MDEwOFoXDTE4MTIwNDE0MDEwOFowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gZHN0Y2ltYWFkMXAuZHN0LWl0cy5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsFVa7OTiUSni1JNB+Tf2+CW733968ZYN1iHjjvs0kj0wuaBTnOf7XtKy4FaDSSQeKzTOAOwRFyPPOcS643y95dyx6miXrb0dLXSwJ5L21ClIhsZ7hp5jrIIePdT\/eaRzyAJ4stqeuBUKAW0ydGunBeS0bjzxylV4I1408nb5iq7fyFWllA4CAkbMOQW79vdEmoZsXHTt2pEoH7GbUZEfEpmjMwD2CDYtv\/D9nr2igJzEC04FFZHLWhGpjv+hyeX+bFoXle7ay3pFN+cT1ZD8EoQ3pXn54ciXDuciAl6l87nsARJ4vS68QBCWDdq2H4hUFicvqQ3uQz1AbPiBU6XLUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPHCisZyPf\/fuuQEW5LyzZSYMwBRYVR6kk\/M2ZNx6TrUEwmOb10RQ3G97bLAshN44g5lWdPYz4EOt6d2o71etIjf79f+IR0MAjEgBB2HThaHcMU9KG229Ftcauie9XeurngMawTRu60YqH7+go8EMf6a1Kdnx37DMy\/1LRlsYJVfEoOCab3GgcIdXrRSYWqsY4SVJZiTPYdqz9vmNPSXXiDSOTl6qXHV\/f53WTS2V5aIQbuJJziXlceusuVNny0o5h+j6ovZ1HhEGAu3lpD+8kY8KUqA4kXMH3VNZqzHBYazJx\/QBB3bG45cZSOvV3gUOnGBgiv9NBWjhvmY0fC3J6Q=="]}]}`,
 			Iat:          int64(1513165889) + 3601,
 			Err:          errors.New("Token is expired"),
 		},
 		{
 			Name:         "Valid Token with RS256 signature verified against empty JWKS document",
 			TokenString:  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSIsImtpZCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSJ9.eyJhdWQiOiJjaHJvbm9ncmFmIiwiaXNzIjoiaHR0cHM6Ly9kc3RjaW1hYWQxcC5kc3QtaXRzLmRlL2FkZnMiLCJpYXQiOjE1MTMxNjU4ODksImV4cCI6MTUxMzE2OTQ4OSwiYXV0aF90aW1lIjoxNTEzMTY1ODg4LCJzdWIiOiJlWVYzamRsZE55RlkxcUZGSDRvQWRCdkRGZmJWZm51RzI5SGlIa1N1andrPSIsInVwbiI6ImJzY0Bkc3QtaXRzLmRlIiwidW5pcXVlX25hbWUiOiJEU1RcXGJzYyIsInNpZCI6IlMtMS01LTIxLTI1MDUxNTEzOTgtMjY2MTAyODEwOS0zNzU0MjY1ODIwLTExMDQifQ.nK51Ui4XN45SVul9igNaKFQd-F63BNstBzW-T5LBVm_ANHCEHyP3_88C3ffkkQIi3PxYacRJGtfswP35ws7YJUcNp-GoGZARqz62NpMtbQyhos6mCaVXwPoxPbrZx4AkMQgxkZwJcOzceX7mpjcT3kCth30chN3lkhzSjGrXe4ZDOAV25liS-dsdBiqDiaTB91sS534GM76qJQxFUs51oSbYTRdCN1VJ0XopMcasfVDzFrtSbyvEIVXlpKK2HplnhheqF4QHrM_3cjV_NGRr3tYLe-AGTdDXKWlJD1GDz1ECXeMGQHPoz3U8cqNsFLYBstIlCgfnBWgWsPZSvJPJUg",
 			JwksDocument: "",
 			Iat:          int64(1513165889),
 			Err:          errors.New("unexpected end of JSON input"),
 		},
 		{
 			Name: "Invalid Token",
 			Err:  errors.New("token contains an invalid number of segments"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.Name, func(t *testing.T) {
 			// mock JWKS server
 			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				w.WriteHeader(http.StatusOK)
 				io.WriteString(w, tt.JwksDocument)
 			}))
 			defer ts.Close()
 			j := oauth2.JWT{
 				Jwksurl: ts.URL,
 				Now: func() time.Time {
 					return time.Unix(tt.Iat, 0)
 				},
 			}
 			_, err := j.GetClaims(tt.TokenString)
 			if tt.Err != nil {
 				if err != nil {
 					if tt.Err.Error() != err.Error() {
 						t.Errorf("Error in test %s expected error: %v actual: %v", tt.Name, tt.Err, err)
 					} // else: that's what we expect
 				} else {
 					t.Errorf("Error in test %s expected error: %v actual: none", tt.Name, tt.Err)
 				}
 			} else {
 				if err != nil {
 					t.Errorf("Error in tt %s: %v", tt.Name, err)
 				} // else: that's what we expect
 			}
 		})
 	}
 }
--- a/oauth2/mux.go
+++ b/oauth2/mux.go
@ -16,7 +16,7 @@ var _ Mux = &AuthMux{}
 const TenMinutes = 10 * time.Minute
 // NewAuthMux constructs a Mux handler that checks a cookie against the authenticator
-func NewAuthMux(p Provider, a Authenticator, t Tokenizer, basepath string, l chronograf.Logger) *AuthMux {
+func NewAuthMux(p Provider, a Authenticator, t Tokenizer, basepath string, l chronograf.Logger, UseIDToken bool) *AuthMux {
 	return &AuthMux{
 		Provider:   p,
 		Auth:       a,
@ -25,6 +25,7 @@ func NewAuthMux(p Provider, a Authenticator, t Tokenizer, basepath string, l chr
 		FailureURL: path.Join(basepath, "/login"),
 		Now:        DefaultNowTime,
 		Logger:     l,
 		UseIDToken: UseIDToken,
 	}
 }
@ -41,6 +42,7 @@ type AuthMux struct {
 	SuccessURL string            // SuccessURL is redirect location after successful authorization
 	FailureURL string            // FailureURL is redirect location after authorization failure
 	Now        func() time.Time  // Now returns the current time (for testing)
 	UseIDToken bool              // UseIDToken enables OpenID id_token support
 }
 // Login uses a Cookie with a random string as the state validation method.  JWTs are
@ -116,21 +118,62 @@ func (j *AuthMux) Callback() http.Handler {
 			return
 		}
-		// Using the token get the principal identifier from the provider
+		if token.Extra("id_token") != nil && !j.UseIDToken {
 			log.Info("found an extra id_token, but option --useidtoken is not set")
 		}
 		// if we received an extra id_token, inspect it
 		var id string
 		var group string
 		if j.UseIDToken && token.Extra("id_token") != nil && token.Extra("id_token") != "" {
 			log.Debug("found an extra id_token")
 			if provider, ok := j.Provider.(ExtendedProvider); ok {
 				log.Debug("provider implements PrincipalIDFromClaims()")
 				tokenString, ok := token.Extra("id_token").(string)
 				if !ok {
 					log.Error("cannot cast id_token as string")
 					http.Redirect(w, r, j.FailureURL, http.StatusTemporaryRedirect)
 					return
 				}
 				claims, err := j.Tokens.GetClaims(tokenString)
 				if err != nil {
 					log.Error("parsing extra id_token failed:", err)
 					http.Redirect(w, r, j.FailureURL, http.StatusTemporaryRedirect)
 					return
 				}
 				log.Debug("found claims: ", claims)
 				id, err = provider.PrincipalIDFromClaims(claims)
 				if err != nil {
 					log.Error("requested claim not found in id_token:", err)
 					http.Redirect(w, r, j.FailureURL, http.StatusTemporaryRedirect)
 					return
 				}
 				group, err = provider.GroupFromClaims(claims)
 				if err != nil {
 					log.Error("requested claim not found in id_token:", err)
 					http.Redirect(w, r, j.FailureURL, http.StatusTemporaryRedirect)
 					return
 				}
 			} else {
 				log.Debug("provider does not implement PrincipalIDFromClaims()")
 			}
 		} else {
 			// otherwise perform an additional lookup
 			oauthClient := conf.Client(r.Context(), token)
-		id, err := j.Provider.PrincipalID(oauthClient)
+			// Using the token get the principal identifier from the provider
 			id, err = j.Provider.PrincipalID(oauthClient)
 			if err != nil {
 				log.Error("Unable to get principal identifier ", err.Error())
 				http.Redirect(w, r, j.FailureURL, http.StatusTemporaryRedirect)
 				return
 			}
-
+			group, err = j.Provider.Group(oauthClient)
 		group, err := j.Provider.Group(oauthClient)
 			if err != nil {
 				log.Error("Unable to get OAuth Group", err.Error())
 				http.Redirect(w, r, j.FailureURL, http.StatusTemporaryRedirect)
 				return
 			}
 		}
 		p := Principal{
 			Subject: id,
--- a/oauth2/mux_test.go
+++ b/oauth2/mux_test.go
@ -51,7 +51,9 @@ func setupMuxTest(response interface{}, selector func(*AuthMux) http.Handler) (*
 		Tokens:     mt,
 	}
-	jm := NewAuthMux(mp, auth, mt, "", clog.New(clog.ParseLevel("debug")))
+	useidtoken := false
 	jm := NewAuthMux(mp, auth, mt, "", clog.New(clog.ParseLevel("debug")), useidtoken)
 	ts := httptest.NewServer(selector(jm))
 	jar, _ := cookiejar.New(nil)
 	hc := http.Client{
@ -177,3 +179,43 @@ func Test_AuthMux_Callback_SetsCookie(t *testing.T) {
 		t.Fatal("Expected cookie to be named", DefaultCookieName, "but was", c.Name)
 	}
 }
 func Test_AuthMux_Callback_HandlesIdToken(t *testing.T) {
 	// body taken from ADFS4
 	response := mockCallbackResponse{AccessToken: `eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSJ9.eyJhdWQiOiJ1cm46bWljcm9zb2Z0OnVzZXJpbmZvIiwiaXNzIjoiaHR0cDovL2RzdGNpbWFhZDFwLmRzdC1pdHMuZGUvYWRmcy9zZXJ2aWNlcy90cnVzdCIsImlhdCI6MTUxNTcwMDU2NSwiZXhwIjoxNTE1NzA0MTY1LCJhcHB0eXBlIjoiQ29uZmlkZW50aWFsIiwiYXBwaWQiOiJjaHJvbm9ncmFmIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwiYXV0aF90aW1lIjoiMjAxOC0wMS0xMVQxOTo1MToyNS44MDZaIiwidmVyIjoiMS4wIiwic2NwIjoib3BlbmlkIiwic3ViIjoiZVlWM2pkbGROeUZZMXFGRkg0b0FkQnZERmZiVmZudUcyOUhpSGtTdWp3az0ifQ.sf1qJys9LMUp2S232IRK2aTXiPCE93O-cUdYQQz7kg2woyD46KLwwKIYJVqMaqLspTn3OmaIhKtgx5ZXyAEtihODB1GOBK7DBNRBYCS1iqY_v2-Qwjf7hgaNaCqBjs0DZJspfp5G9MTykvD1FOtQNjPOcBW-i2bblG9L9jlmMbOZ3F7wrZMrroTSkiSn_gRiw2SnN8K7w8WrMEXNK2_jg9ZJ7aSHeUSBwkRNFRds2QNho3HWHg-zcsZFdZ4UGSt-6Az_0LY3yENMLj5us5Rl6Qzk_Re2dhFrlnlXlY1v1DEp3icCvvjkv6AeZWjTfW4qETZaCXUKtSyZ7d5_V1CRDQ", "token_type": "bearer", "expires_in": 3600, "resource": "urn:microsoft:userinfo", "refresh_token": "X9ZGO4H1bMk2bFeOfpv18BzAuFBzUPKQNfOEfdp60FkAAQAALPEBfj23FPEzajle-hm4DrDXp8-Kj53OqoVGalyZeuR-lfJzxpQXQhRAXZOUTuuQ8AQycByh9AylQYDA0jdMFW4FL4WL_6JhNh2JrtXCv2HQ9ozbUq9F7u_O0cY7u0P2pfNujQfk3ckYn-CMVjXbuwJTve6bXUR0JDp5c195bAVA5eFWyI-2uh432t7viyaIjAVbWxQF4fvimcpF1Et9cGodZHVsrZzGxKRnzwjYkWHsqm9go4KOeSKN6MlcWbjvS1UdMjQXSvoqSI00JnSMC3hxJZFn5JcmAPB1AMnJf4VvXZ5b-aOnwdX09YT8KayWkWekAsuZqTAsFwhZPVCRGWAFAADy0e2fTe6l-U6Cj_2bWsq6Snm1QEpWHXuwOJKWZJH-9yQn8KK3KzRowSzRuACzEIpZS5skrqXs_-2aOaZibNpjCEVyw8fF8GTw3VRLufsSrMQ5pD0KL7TppTGFpaqgwIH1yq6T8aRY4DeyoJkNpnO9cw1wuqnY7oGF-J25sfZ4XNWhk6o5e9A45PXhTilClyDKDLqTfdoIsG1Koc2ywqTIb-XI_EbWR3e4ijy8Kmlehw1kU9_xAG0MmmD2HTyGHZCBRgrskYCcHd-UNgCMrNAb5dZQ8NwpKtEL46qIq4R0lheTRRK8sOWzzuJXmvDEoJiIxqSR3Ma4MOISi-vsIsAuiEL9G1aMOkDRj-kDVmqrdKRAwYnN78AWY5EFfkQJyVBbiG882wBh9S0q3HUUCxzFerOvl4eDlVn6m18rRMz7CVZYBBltGtHRhEOQ4gumICR5JRrXAC50aBmUlhDiiMdbEIwJrvWrkhKE0oAJznqC7gleP0E4EOEh9r6CEGZ7Oj8X9Cdzjbuq2G1JGBm_yUvkhAcV61DjOiIQl35BpOfshveNZf_caUtNMa2i07BBmezve17-2kWGzRunr1BD1vMTz41z-H62fy4McR47WJjdDJnuy4DH5AZYQ6ooVxWCtEqeqRPYpzO0XdOdJGXFqXs9JzDKVXTgnHU443hZBC5H-BJkZDuuJ_ZWNKXf03JhouWkxXcdaMbuaQYOZJsUySVyJ5X4usrBFjW4udZAzy7mua-nJncbvcwoyVXiFlRfZiySXolQ9865N7XUnEk_2PijMLoVDATDbA09XuRySvngNsdsQ27p21dPxChXdtpD5ofNqKJ2FBzFKmxCkuX7L01N1nDpWQTuxhHF0JfxSKG5m3jcTx8Bd7Un94mTuAB7RuglDqkdQB9o4X9NHNGSdqGQaK-xeKoNCFWevk3VZoDoY9w2NqSNV2VIuqhy7SxtDSMjZKC5kiQi5EfGeTYZAvTwMYwaXb7K4WWtscy_ZE15EOCVeYi0hM1Ma8iFFTANkSRyX83Ju4SRphxRKnpKcJ2pPYH784I5HOm5sclhUL3aLeAA161QgxRBSa9YVIZfyXHyWQTcbNucNdhmdUZnKfRv1xtXcS9VAx2yAkoKFehZivEINX0Y500-WZ1eT_RXp0BfCKmJQ8Fu50oTaI-c5h2Q3Gp_LTSODNnMrjJiJxCLD_LD1fd1e8jTYDV3NroGlpWTuTdjMUm-Z1SMXaaJzQGEnNT6F8b6un9228L6YrDC_3MJ5J80VAHL5EO1GesdEWblugCL7AQDtFjNXq0lK8Aoo8X9_hlvDwgfdR16l8QALPT1HJVzlHPG8G3dRe50TKZnl3obU0WXN1KYG1EC4Qa3LyaVCIuGJYOeFqjMINrf7PoM368nS9yhrY08nnoHZbQ7IeA1KsNq2kANeH1doCNfWrXDwn8KxjYxZPEnzvlQ5M1RIzArOqzWL8NbftW1q2yCZZ4RVg0vOTVXsqWFnQIvWK-mkELa7bvByFzbtVHOJpc_2EKBKBNv6IYUENRCu2TOf6w7u42yvng7ccoXRTiUFUlKgVmswf9FzISxFd-YKgrzp3bMhC3gReGqcJuqEwnXPvOAY_BAkVMSd_ZaCFuyclRjFvUxrAg1T_cqOvRIlJ2Qq7z4u7W3BAo9BtFdj8QNLKJXtvvzXTprglRPDNP_QEPAkwZ_Uxa13vdYFcG18WCx4GbWQXchl5B7DnISobcdCH34M-I0xDZN98VWQVmLAfPniDUD30C8pfiYF7tW_EVy958Eg_JWVy0SstYEhV-y-adrJ1Oimjv0ptsWv-yErKBUD14aex9A_QqdnTXZUg.tqMb72eWAkAIvInuLp57NDyGxfYvms3NnhN-mllkYb7Xpd8gVbQFc2mYdzOOhtnfGuakyXYF4rZdJonQwzBO6C9KYuARciUU1Ms4bWPC-aeNO5t-aO_bDZbwC9qMPmq5ZuxG633BARGaw26fr0Z7qhcJMiou_EuaIehYTKkPB-mxtRAhxxyX91qqe0-PJnCHWoxizC4hDCUwp9Jb54tNf34BG3vtkXFX-kUARNfGucgKUkh6RYkhWiMBsMVoyWmkFXB5fYxmCAH5c5wDW6srKdyIDEWZInliuKbYR0p66vg1FfoSi4bBfrsm5NtCtLKG9V6Q0FEIA6tRRgHmKUGpkw", "refresh_token_expires_in": 28519, "scope": "openid", "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSIsImtpZCI6IllEQlVocWRXa3NLWGRHdVgwc3l0amFVdXhoQSJ9.eyJhdWQiOiJjaHJvbm9ncmFmIiwiaXNzIjoiaHR0cHM6Ly9kc3RjaW1hYWQxcC5kc3QtaXRzLmRlL2FkZnMiLCJpYXQiOjE1MTU3MDA1NjUsImV4cCI6MTUxNTcwNDE2NSwiYXV0aF90aW1lIjoxNTE1NzAwMjg1LCJzdWIiOiJlWVYzamRsZE55RlkxcUZGSDRvQWRCdkRGZmJWZm51RzI5SGlIa1N1andrPSIsInVwbiI6ImJzY0Bkc3QtaXRzLmRlIiwidW5pcXVlX25hbWUiOiJEU1RcXGJzYyIsInNpZCI6IlMtMS01LTIxLTI1MDUxNTEzOTgtMjY2MTAyODEwOS0zNzU0MjY1ODIwLTExMDQifQ.XD873K6NVRTJY1700NsflLJGZKFHJfNBjB81SlADVdAHbhnq7wkAZbGEEm8wFqvTKKysUl9EALzmDa2tR9nzohVvmHftIYBO0E-wPBzdzWWX0coEgpVAc-SysP-eIQWLsj8EaodaMkCgKO0FbTWOf4GaGIBZGklrr9EEk8VRSdbXbm6Sv9WVphezEzxq6JJBRBlCVibCnZjR5OYh1Vw_7E7P38ESPbpLY3hYYl2hz4y6dQJqCwGr7YP8KrDlYtbosZYgT7ayxokEJI1udEbX5PbAq5G6mj5rLfSOl85rMg-psZiivoM8dn9lEl2P7oT8rAvMWvQp-FIRQQHwqf9cxw`}
 	hc, ts, prov := setupMuxTest(response, func(j *AuthMux) http.Handler {
 		return j.Callback()
 	})
 	defer teardownMuxTest(hc, ts, prov)
 	tsURL, _ := url.Parse(ts.URL)
 	v := url.Values{
 		"code":  {"4815162342"},
 		"state": {"foobar"},
 	}
 	tsURL.RawQuery = v.Encode()
 	resp, err := hc.Get(tsURL.String())
 	if err != nil {
 		t.Fatal("Error communicating with Callback() handler: err", err)
 	}
 	// Ensure we were redirected
 	if resp.StatusCode < 300 || resp.StatusCode >= 400 {
 		t.Fatal("Expected to be redirected, but received status code", resp.StatusCode)
 	}
 	// Check that cookie was set
 	cookies := resp.Cookies()
 	if count := len(cookies); count != 1 {
 		t.Fatal("Expected exactly one cookie to be set but found", count)
 	}
 	c := cookies[0]
 	if c.Name != DefaultCookieName {
 		t.Fatal("Expected cookie to be named", DefaultCookieName, "but was", c.Name)
 	}
 }
--- a/oauth2/oauth2.go
+++ b/oauth2/oauth2.go
@ -6,6 +6,7 @@ import (
 	"net/http"
 	"time"
 	gojwt "github.com/dgrijalva/jwt-go"
 	"golang.org/x/oauth2"
 )
@ -95,4 +96,6 @@ type Tokenizer interface {
 	ValidPrincipal(ctx context.Context, token Token, lifespan time.Duration) (Principal, error)
 	// ExtendedPrincipal adds the extention to the principal's lifespan.
 	ExtendedPrincipal(ctx context.Context, principal Principal, extension time.Duration) (Principal, error)
 	// GetClaims returns a map with verified claims
 	GetClaims(tokenString string) (gojwt.MapClaims, error)
 }
--- a/oauth2/oauth2_test.go
+++ b/oauth2/oauth2_test.go
@ -5,10 +5,12 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"time"
 	goauth "golang.org/x/oauth2"
 	gojwt "github.com/dgrijalva/jwt-go"
 	"github.com/influxdata/chronograf"
 )
@ -45,6 +47,20 @@ func (mp *MockProvider) PrincipalID(provider *http.Client) (string, error) {
 	return mp.Email, nil
 }
 func (mp *MockProvider) PrincipalIDFromClaims(claims gojwt.MapClaims) (string, error) {
 	return mp.Email, nil
 }
 func (mp *MockProvider) GroupFromClaims(claims gojwt.MapClaims) (string, error) {
 	email := strings.Split(mp.Email, "@")
 	if len(email) != 2 {
 		//g.Logger.Error("malformed email address, expected %q to contain @ symbol", id)
 		return "DEFAULT", nil
 	}
 	return email[1], nil
 }
 func (mp *MockProvider) Group(provider *http.Client) (string, error) {
 	return mp.Orgs, nil
 }
@ -76,6 +92,10 @@ func (y *YesManTokenizer) ExtendedPrincipal(ctx context.Context, p Principal, ex
 	return p, nil
 }
 func (y *YesManTokenizer) GetClaims(tokenString string) (gojwt.MapClaims, error) {
 	return gojwt.MapClaims{}, nil
 }
 func NewTestTripper(log chronograf.Logger, ts *httptest.Server, rt http.RoundTripper) (*TestTripper, error) {
 	url, err := url.Parse(ts.URL)
 	if err != nil {
--- a/server/server.go
+++ b/server/server.go
@ -57,6 +57,8 @@ type Server struct {
 	CannedPath    string        `short:"c" long:"canned-path" description:"Path to directory of pre-canned application layouts (/usr/share/chronograf/canned)" env:"CANNED_PATH" default:"canned"`
 	ResourcesPath string        `long:"resources-path" description:"Path to directory of pre-canned dashboards, sources, kapacitors, and organizations (/usr/share/chronograf/resources)" env:"RESOURCES_PATH" default:"canned"`
 	TokenSecret   string        `short:"t" long:"token-secret" description:"Secret to sign tokens" env:"TOKEN_SECRET"`
 	JwksURL       string        `long:"jwks-url" description:"URL that returns OpenID Key Discovery JWKS document." env:"JWKS_URL"`
 	UseIDToken    bool          `long:"use-id-token" description:"Enable id_token processing." env:"USE_ID_TOKEN"`
 	AuthDuration  time.Duration `long:"auth-duration" default:"720h" description:"Total duration of cookie life for authentication (in hours). 0 means authentication expires on browser close." env:"AUTH_DURATION"`
 	GithubClientID     string   `short:"i" long:"github-client-id" description:"Github Client ID for OAuth 2 support" env:"GH_CLIENT_ID"`
@ -144,8 +146,8 @@ func (s *Server) githubOAuth(logger chronograf.Logger, auth oauth2.Authenticator
 		Orgs:         s.GithubOrgs,
 		Logger:       logger,
 	}
-	jwt := oauth2.NewJWT(s.TokenSecret)
+	jwt := oauth2.NewJWT(s.TokenSecret, s.JwksURL)
-	ghMux := oauth2.NewAuthMux(&gh, auth, jwt, s.Basepath, logger)
+	ghMux := oauth2.NewAuthMux(&gh, auth, jwt, s.Basepath, logger, s.UseIDToken)
 	return &gh, ghMux, s.UseGithub
 }
@ -158,8 +160,8 @@ func (s *Server) googleOAuth(logger chronograf.Logger, auth oauth2.Authenticator
 		RedirectURL:  redirectURL,
 		Logger:       logger,
 	}
-	jwt := oauth2.NewJWT(s.TokenSecret)
+	jwt := oauth2.NewJWT(s.TokenSecret, s.JwksURL)
-	goMux := oauth2.NewAuthMux(&google, auth, jwt, s.Basepath, logger)
+	goMux := oauth2.NewAuthMux(&google, auth, jwt, s.Basepath, logger, s.UseIDToken)
 	return &google, goMux, s.UseGoogle
 }
@ -170,8 +172,8 @@ func (s *Server) herokuOAuth(logger chronograf.Logger, auth oauth2.Authenticator
 		Organizations: s.HerokuOrganizations,
 		Logger:        logger,
 	}
-	jwt := oauth2.NewJWT(s.TokenSecret)
+	jwt := oauth2.NewJWT(s.TokenSecret, s.JwksURL)
-	hMux := oauth2.NewAuthMux(&heroku, auth, jwt, s.Basepath, logger)
+	hMux := oauth2.NewAuthMux(&heroku, auth, jwt, s.Basepath, logger, s.UseIDToken)
 	return &heroku, hMux, s.UseHeroku
 }
@ -189,8 +191,8 @@ func (s *Server) genericOAuth(logger chronograf.Logger, auth oauth2.Authenticato
 		APIKey:         s.GenericAPIKey,
 		Logger:         logger,
 	}
-	jwt := oauth2.NewJWT(s.TokenSecret)
+	jwt := oauth2.NewJWT(s.TokenSecret, s.JwksURL)
-	genMux := oauth2.NewAuthMux(&gen, auth, jwt, s.Basepath, logger)
+	genMux := oauth2.NewAuthMux(&gen, auth, jwt, s.Basepath, logger, s.UseIDToken)
 	return &gen, genMux, s.UseGenericOAuth2
 }
@ -205,8 +207,8 @@ func (s *Server) auth0OAuth(logger chronograf.Logger, auth oauth2.Authenticator)
 	auth0, err := oauth2.NewAuth0(s.Auth0Domain, s.Auth0ClientID, s.Auth0ClientSecret, redirectURL.String(), s.Auth0Organizations, logger)
-	jwt := oauth2.NewJWT(s.TokenSecret)
+	jwt := oauth2.NewJWT(s.TokenSecret, s.JwksURL)
-	genMux := oauth2.NewAuthMux(&auth0, auth, jwt, s.Basepath, logger)
+	genMux := oauth2.NewAuthMux(&auth0, auth, jwt, s.Basepath, logger, s.UseIDToken)
 	if err != nil {
 		logger.Error("Error parsing Auth0 domain: err:", err)
--- a/ui/src/admin/components/chronograf/AllUsersTableRow.js
+++ b/ui/src/admin/components/chronograf/AllUsersTableRow.js
@ -1,6 +1,5 @@
 import React from 'react'
 import PropTypes from 'prop-types'
 import _ from 'lodash'
 import Tags from 'shared/components/Tags'
 import SlideToggle from 'shared/components/SlideToggle'
@ -38,7 +37,9 @@ const AllUsersTableRow = ({
    name: organizations.find(o => r.organization === o.id).name,
  }))
-  const wrappedDelete = _.curry(onDelete, user)
+  const wrappedDelete = () => {
    onDelete(user)
  }
  const removeWarning = userIsMe
    ? 'Delete your user record\nand log yourself out?'
--- a/ui/src/admin/components/chronograf/UsersTableRow.js
+++ b/ui/src/admin/components/chronograf/UsersTableRow.js
@ -2,7 +2,7 @@ import React from 'react'
 import PropTypes from 'prop-types'
 import Dropdown from 'shared/components/Dropdown'
-import DeleteConfirmTableCell from 'shared/components/DeleteConfirmTableCell'
+import ConfirmButton from 'shared/components/ConfirmButton'
 import {USER_ROLES} from 'src/admin/constants/chronografAdmin'
 import {USERS_TABLE} from 'src/admin/constants/chronografTableSizing'
@ -26,6 +26,12 @@ const UsersTableRow = ({
  const userIsMe = user.id === meID
  const wrappedDelete = () => {
    onDelete(user)
  }
  const removeWarning = 'Remove this user\nfrom Current Org?'
  return (
    <tr className={'chronograf-admin-table--user'}>
      <td>
@ -52,12 +58,13 @@ const UsersTableRow = ({
      </td>
      <td style={{width: colProvider}}>{user.provider}</td>
      <td style={{width: colScheme}}>{user.scheme}</td>
-      <DeleteConfirmTableCell
+      <ConfirmButton
        confirmText={removeWarning}
        confirmAction={wrappedDelete}
        size="btn-xs"
        type="btn-danger"
        text="Remove"
-        onDelete={onDelete}
+        customClass="table--show-on-row-hover"
        item={user}
        buttonSize="btn-xs"
        disabled={userIsMe}
      />
    </tr>
  )
--- a/ui/src/dashboards/containers/DashboardPage.js
+++ b/ui/src/dashboards/containers/DashboardPage.js
@ -28,6 +28,8 @@ import {
  hideCellEditorOverlay,
 } from 'src/dashboards/actions/cellEditorOverlay'
 import {dismissEditingAnnotation} from 'src/shared/actions/annotations'
 import {
  setAutoRefresh,
  templateControlBarVisibilityToggled as templateControlBarVisibilityToggledAction,
@ -78,10 +80,8 @@ class DashboardPage extends Component {
      timeRange,
    } = this.props
-    getAnnotationsAsync(
+    const annotationRange = this.millisecondTimeRange(timeRange)
-      source.links.annotations,
+    getAnnotationsAsync(source.links.annotations, annotationRange)
      Date.now() - timeRange.seconds * 1000
    )
    window.addEventListener('resize', this.handleWindowResize, true)
    const dashboards = await getDashboardsAsync()
@ -107,8 +107,9 @@ class DashboardPage extends Component {
    this.setState({windowHeight: window.innerHeight})
  }
-  componentWillUnMount() {
+  componentWillUnmount() {
    window.removeEventListener('resize', this.handleWindowResize, true)
    this.props.handleDismissEditingAnnotation()
  }
  inView = cell => {
@ -159,10 +160,25 @@ class DashboardPage extends Component {
      ...timeRange,
      format: FORMAT_INFLUXQL,
    })
-    getAnnotationsAsync(
+
-      source.links.annotations,
+    const annotationRange = this.millisecondTimeRange(timeRange)
-      Date.now() - timeRange.seconds * 1000
+    getAnnotationsAsync(source.links.annotations, annotationRange)
-    )
+  }
  millisecondTimeRange({seconds, lower, upper}) {
    // Is this a relative time range?
    if (seconds) {
      return {
        since: Date.now() - seconds * 1000,
        until: null,
      }
    }
    // No, this is an absolute (custom) time range
    return {
      since: Date.parse(lower),
      until: Date.parse(upper),
    }
  }
  handleUpdatePosition = cells => {
@ -511,6 +527,7 @@ DashboardPage.propTypes = {
  getAnnotationsAsync: func.isRequired,
  handleShowCellEditorOverlay: func.isRequired,
  handleHideCellEditorOverlay: func.isRequired,
  handleDismissEditingAnnotation: func.isRequired,
  selectedCell: shape({}),
  thresholdsListType: string.isRequired,
  thresholdsListColors: arrayOf(shape({}).isRequired).isRequired,
@ -587,6 +604,10 @@ const mapDispatchToProps = dispatch => ({
    hideCellEditorOverlay,
    dispatch
  ),
  handleDismissEditingAnnotation: bindActionCreators(
    dismissEditingAnnotation,
    dispatch
  ),
 })
 export default connect(mapStateToProps, mapDispatchToProps)(
--- a/ui/src/shared/actions/annotations.js
+++ b/ui/src/shared/actions/annotations.js
@ -63,8 +63,11 @@ export const addAnnotationAsync = (createUrl, annotation) => async dispatch => {
  dispatch(deleteAnnotation(annotation))
 }
-export const getAnnotationsAsync = (indexUrl, since) => async dispatch => {
+export const getAnnotationsAsync = (
-  const annotations = await api.getAnnotations(indexUrl, since)
+  indexUrl,
  {since, until}
 ) => async dispatch => {
  const annotations = await api.getAnnotations(indexUrl, since, until)
  dispatch(loadAnnotations(annotations))
 }
--- a/ui/src/shared/apis/annotation.js
+++ b/ui/src/shared/apis/annotation.js
@ -19,11 +19,11 @@ export const createAnnotation = async (url, annotation) => {
  return annoToMillisecond(response.data)
 }
-export const getAnnotations = async (url, since) => {
+export const getAnnotations = async (url, since, until) => {
  const {data} = await AJAX({
    method: 'GET',
    url,
-    params: {since: msToRFC(since)},
+    params: {since: msToRFC(since), until: msToRFC(until)},
  })
  return data.annotations.map(annoToMillisecond)
 }
--- a/ui/src/shared/components/AnnotationTooltip.js
+++ b/ui/src/shared/components/AnnotationTooltip.js
@ -10,7 +10,7 @@ import * as actions from 'shared/actions/annotations'
 const TimeStamp = ({time}) => (
  <div className="annotation-tooltip--timestamp">
-    {`${moment(+time).format('YYYY/DD/MM HH:mm:ss.SS')}`}
+    {`${moment(+time).format('YYYY/MM/DD HH:mm:ss.SS')}`}
  </div>
 )
--- a/ui/src/shared/components/LayoutCellMenu.js
+++ b/ui/src/shared/components/LayoutCellMenu.js
@ -96,7 +96,8 @@ class LayoutCellMenu extends Component {
              />
            </div>
          )}
-        {mode === 'editing' && (
+        {mode === 'editing' &&
          cellSupportsAnnotations(cell.type) && (
            <div className="dash-graph-context--buttons">
              <div
                className="btn btn-xs btn-success"