Cannot assign GrafanaAdmin role with the following settings:
allow_assign_grafana_admin = true
skip_org_role_sync = false
oauth_skip_org_role_update_sync = true
In detail:
I map user AD roles using generic_oauth.
Here are the settings:
[auth.generic_oauth]
enabled = true
name = Account
allow_sign_up = true
client_id = ************************
client_secret = **************************
scopes = openid email profile
auth_url = https://login.microsoftonline.com/*************************/oauth2/authorize
token_url = https://login.microsoftonline.com/****************************/oauth2/token
;api_url = https://foo.bar/user
;teams_url =
;allowed_domains =
;team_ids =
;allowed_organizations =
role_attribute_path = contains(roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(roles[*], 'Viewer') && 'Viewer'
role_attribute_strict = false
;groups_attribute_path =
;team_ids_attribute_path =
;use_pkce = false
;auth_style =
allow_assign_grafana_admin = true
skip_org_role_sync = false
oauth_skip_org_role_update_sync = true
When checking logs I see:
oauth.generic_oauth t=2023-12-13T10:55:07.103445987Z level=debug msg="Received id_token" raw_json="{..........................."roles":["GrafanaAdmin"],...........................................}" data="Name: Global_1 testuser, Displayname: , Login: , Username: , Email: global2@**, Upn: uit2363@**************8, Attributes: map[]"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103482915Z level=debug msg="Getting user info from API"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103646402Z level=debug msg="No api url configured"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103662072Z level=debug msg="Processing external user info" source=token data="Name: Global_1 testuser, Displayname: , Login: , Username: , Email: global2@** *, Upn: uit2363@* ***, Attributes: map[]"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103682298Z level=debug msg="Setting user info name from name field"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103697567Z level=debug msg="Set user info email from extracted email" email=global2@************
logger=oauth.generic_oauth t=2023-12-13T10:55:07.104141778Z level=debug msg="Defaulting to using email for user info login" email=global2@******************
logger=oauth.generic_oauth t=2023-12-13T10:55:07.104165379Z level=debug msg="User info result" result="Id: O3a_urUs7tiqu8NF6_fFQ7G8ngV51tenI3yf0u1wOsY, Name: sysex_Global_1 testuser, Email: global2@**, Login: global2@**, Role: Admin, Groups: []"
What did you expect to happen?
The user is supposed to have the GrafanaAdmin role, but when I access the UI I see it has only Viewer access.
Did this work before?
It worked when assigning the Admin role, but with GrafanaAdmin it does not work.