Forward OAuth identity: The JWT scoped to Grafana is not sent to application


I’m trying to get Forward OAuth identity to work in order to authenticate people against data sources, using Azure AD as an identity provider. As a part of this I would like to use groups from Azure AD to restrict access to data sources that may contain sensitive information.

Enabling the option works well enough, each request to the data source contains an Authorization: Bearer eyJ... header, which is expected, I suppose. However, this token has the content "aud": "00000003-0000-0000-c000-000000000000" which apparently is a common “UUID” for Microsoft Graph, and importantly does not contain the groups claim.

There is also another header X-Id-Token that’s being sent to the backend. This has the aud key set to Client-ID of Grafana, as well as a groups key with all the users groups included.

My thinking is that I should be able to configure the backend to accept JWT authentication, accepting JWTs that are issued to Grafana, are issued by the correct Azure AD issuer, and contains Authorised group UUIDs. It seems that the X-Id-Token would be perfect for this, but I can’t see any way to get this sent as the Authorization: Bearer ... header.

The Azure AD integration is setup as per: Configure Azure AD OAuth2 authentication | Grafana documentation

The configuration for authentication looks like this in Grafana.

    enabled = true
    allow_sign_up = true
    allowed_domains =
    client_id = <client-id>
    name = Azure AD
    scopes = openid email profile offline_access
    auth_url =<tenant-id>/oauth2/v2.0/authorize
    token_url =<tenant-id>/oauth2/v2.0/token