Cannot get OAuth role_attribute_path working with strict OIDC namespaces

Using Grafana 7.3.1 here

I use Auth0 as the OAuth supplier, which actually refuses to add claims to the /userinfo endpoint (and the id token) unless it’s prefixed with a URL-type (e.g., https://grafana.my-domain.com/) namespace scheme. So basically I’ve been forced to provide my role info as such:

{
...
"https://grafana.my-domain.com/role": "Editor"
...
}

However, I can’t for the life of me figure out how to get this parsed with the JMESPath spec used by role_attribute_path. I’ve tried role_attribute_path = "https://grafana.my-domain.com/role" which results in a “Failed to extract role” error complaining about the syntax of the expression. The only expression I’ve got accepted was role_attribute_path = "\"https://grafana.my-domain.com/role"\" which doesn’t complain about syntax, but unfortunately doesn’t seem to have found the field correctly either, as I’m still getting “Not syncing organization roles since external user doesn’t have any” despite seeing the claim in the API response from the debug log. I’m kind of running out of ideas here. Has anyone run into this kind of issue before?

Use https://jmespath.org/ as it is mentioned in the Grafana docs and test/develop JMESPath to fit your needs. E.g.:

contains(keys(@), 'https://grafana.my-domain.com/role') && 
contains(['Editor'], "https://grafana.my-domain.com/role") && 
'Editor' || 'Viewer'

I wouldn’t use the role key directly. In theory it can be missing and then it will fail, so test for key existence first and then compare it with the desired value.