Generic OAuth - How to access user info?

michaltrunecka · October 23, 2024, 8:44am

I have the OAuth configured (for self hosted GitLab) and Role attribute path configured to assign role by groups from id_token.

contains(groups_direct[*], 'devops') && 'GrafanaAdmin' || 'Viewer'

And now I need to block access for users, which have external: true in the user info json. (from read_user from gitlab). How do I access the data. Neither of these works:

external == 'true' && 'None' || 'Viewer'
info.external == 'true' && 'None' || 'Viewer'
user_info.external == 'true' && 'None' || 'Viewer'
userinfo.external == 'true' && 'None' || 'Viewer'
read_user.external == 'true' && 'None' || 'Viewer'

How can I find out what variables are available for the role_attribute_path? I can see the jsons in debug logs, but there is no naming for them.

jangaraj · October 23, 2024, 9:21am

JMESPath expression to use for Grafana role lookup. Grafana will first evaluate the expression using the OAuth2 ID token. If no role is found, the expression will be evaluated using the user information obtained from the UserInfo endpoint.

So make sure that all required details are in the id token or in the userinfo. You can’t combine both.

Topic		Replies	Views
OAuh2 gitlab role_attribute_path JMESpath Authentication login , oauth , grafana-roles	2	1414	August 25, 2022
OAuth2 (gitlab) & roles matching (JSMEpath) Authentication login , auth , oauth , grafana-roles	2	1249	July 26, 2024
Cannot map a Generic OAuth user to an Organization Authentication	1	305	August 5, 2024
Generic_oauth role_attribute_path unable to map groups to role Authentication oauth , openshift , generic-auth	7	258	September 12, 2024
Is there way to map generic oAuth roles to grafana orgs and roles Configuration	0	1012	January 24, 2019

Generic OAuth - How to access user info?

Related topics