Does Grafana support custom scopes with Okta integration?

SSO with Okta works smoothly with the standard scopes: openid, email, profile.

I would like to add a custom scope in Okta. The new scope item generates the error below.
The first request looks like this:

https://asdf.oktapreview.com/oauth2/v1/authorize?access_type=online&client_id=Oxxxxxxxxxxx0h7&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogin%2Fokta&response_type=code&scope=openid+profile+email+myscope&state=3ngdafgdfgH_1UCk99uJWRYr%3D

http://grafana.staged-by-discourse.com/login/okta?state=3ngdafgdfgH_1UCk99uJWRYr20%3D&error=invalid_scope&error_description=Custom+scopes+are+not+allowed+for+this+request.

Any pointers or documentation on this aspect please?

Regards,
AC

Would this be a valid Okta configuration? I couldn't find any good example for this.

name = Okta
enabled = true
allow_sign_up = true
client_id = {myoktaclientid}
client_secret = {myoktaclientsecret}
scopes = openid profile email myscope
auth_url = https://{mydomain}.oktapreview.com/oauth2/v1/authorize
token_url = https://{mydomain}.oktapreview.com/oauth2/v1/token
#api_url = https://{mydomain}.oktapreview.com/oauth2/v1/userinfo
api_url = https://{mydomain}.oktapreview.com/oauth2/{authserverid}/.well-known/oauth-authorization-server?client_id={myoktaclientid}

Grafana doesn't seem to work with custom scopes. I tried this with Okta and it doesn't work. I seem to get the token back from Okta, but the JMESPath expressions run into problems, resulting in:

Invalid type for: , expected: []jmespath.jpType{"array", "string"}
t=2021-05-13T17:10:29+0000 lvl=dbug msg="OAuthLogin got user info" logger=oauth userInfo="&{Id:00ujq59ewmc5rCao40h7 Name:Alpha Charlie Email:alpha.charlie@gmail.com Login:alpha.charlie@gmail.com Company: Role: Groups:[]}"
t=2021-05-13T17:10:29+0000 lvl=dbug msg=“Building external user info from OAuth user info” logger=oauth
t=2021-05-13T17:10:29+0000 lvl=dbug msg=“Syncing Grafana user with corresponding OAuth profile” logger=oauth

Hi @ac21, is there any update on this? Did you manage to add any custom scopes to Grafana from Okta? We are having the same issue...

Doc:

Does the config option scopes solve the problem?

We got an error when adding custom scopes to the scopes variable in the config.

What kind of error? Be specific: WHAT and HOW did you configure it. WHAT is the error, WHERE do you see it, ... Provide a reproducible example, not just "I got an error".

Apologies... we have fixed the issue. We were previously making requests to our Org Authorization Server, which doesn't support custom claims. By instead making our requests to a custom Okta authorization server (by changing the endpoints to /oauth2/${authServerName}/v1/...), we were able to get any custom scope we needed.
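To make the fix above concrete, here is an added example (my own helper, not code from this thread, from Grafana or from Okta) that derives the three endpoint URLs Grafana needs for either the org authorization server (/oauth2/v1/...) or a custom one (/oauth2/{id}/v1/...), checks a requested scope list against the server's advertised scopes_supported, decodes the error redirect Okta sends back to /login/okta, and renders a matching [auth.okta] fragment. The metadata documents are constructed samples shaped like the /.well-known/oauth-authorization-server response; the domain, auth server id and client values are placeholders. Note that api_url should point at the same server's /v1/userinfo endpoint, which is what Grafana calls after the token exchange, not at the metadata document.

```python
"""Hypothetical pre-flight checks for wiring an Okta authorization server
into Grafana's [auth.okta] section.  Added example, not Grafana/Okta code."""
import json
from urllib.parse import parse_qs, urlparse

ORG_SERVER = "org"  # sentinel: use the org authorization server


def okta_endpoints(domain, auth_server_id=ORG_SERVER):
    """Return auth_url/token_url/api_url for an Okta domain.

    Org server:    https://{domain}/oauth2/v1/...
    Custom server: https://{domain}/oauth2/{auth_server_id}/v1/...
    api_url is the userinfo endpoint, which Grafana calls after the token exchange.
    """
    base = f"https://{domain}/oauth2"
    if auth_server_id != ORG_SERVER:
        base = f"{base}/{auth_server_id}"
    return {
        "auth_url": f"{base}/v1/authorize",
        "token_url": f"{base}/v1/token",
        "api_url": f"{base}/v1/userinfo",
    }


def metadata_url(domain, auth_server_id):
    """Metadata document of a custom authorization server (path as used in the thread)."""
    return f"https://{domain}/oauth2/{auth_server_id}/.well-known/oauth-authorization-server"


def unsupported_scopes(metadata_json, requested):
    """Requested scopes the server does not advertise in scopes_supported.

    A non-empty result for a custom scope means the request will be rejected
    with invalid_scope before Grafana ever sees a token.
    """
    supported = set(json.loads(metadata_json).get("scopes_supported", []))
    return [s for s in requested if s not in supported]


def parse_callback_error(callback_url):
    """Extract error/error_description from the redirect back to /login/okta, or None."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" not in qs:
        return None
    return {
        "error": qs["error"][0],
        "error_description": qs.get("error_description", [""])[0],
    }


def render_grafana_okta_section(domain, auth_server_id, client_id, client_secret, scopes):
    """Render a [auth.okta] fragment whose three URLs all point at the same server."""
    ep = okta_endpoints(domain, auth_server_id)
    lines = [
        "[auth.okta]",
        "name = Okta",
        "enabled = true",
        "allow_sign_up = true",
        f"client_id = {client_id}",
        f"client_secret = {client_secret}",
        f"scopes = {' '.join(scopes)}",
        f"auth_url = {ep['auth_url']}",
        f"token_url = {ep['token_url']}",
        f"api_url = {ep['api_url']}",
    ]
    return "\n".join(lines)


# Constructed sample metadata (invented values): the org server only lists the
# standard OIDC scopes, the custom server also lists the custom scope "myscope".
ORG_METADATA = json.dumps({
    "issuer": "https://example.oktapreview.com",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})
CUSTOM_METADATA = json.dumps({
    "issuer": "https://example.oktapreview.com/oauth2/ausEXAMPLE",
    "scopes_supported": ["openid", "profile", "email", "offline_access", "myscope"],
})

if __name__ == "__main__":
    wanted = ["openid", "profile", "email", "myscope"]
    print("org server missing:", unsupported_scopes(ORG_METADATA, wanted))
    print("custom server missing:", unsupported_scopes(CUSTOM_METADATA, wanted))
    print(render_grafana_okta_section("example.oktapreview.com", "ausEXAMPLE",
                                      "{myoktaclientid}", "{myoktaclientsecret}", wanted))
```

In practice you fetch the metadata document from metadata_url() with curl and feed it to unsupported_scopes(); if the custom scope is missing there, fix the authorization server's scope definitions (or the application's access policy) rather than Grafana's config.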

I'm still having issues with custom scopes/claims. I used the right auth server, but it looks like only the claim groups can be used. If I use a custom claim it shows "Login failed, user not a member of one of the required groups". There is not much in the logs:

logger=authn.service t=2025-01-22T20:29:30.11456266Z level=info msg="Failed to authenticate request" client=auth.client.okta error="[auth.oauth.userinfo.failed] user not a member of one of the required groups"