Generic OAuth: Organization Mapping ignored, user always placed in Main Org

  • What Grafana version and what operating system are you using?
    Grafana 11.1.0 on Linux

  • What are you trying to achieve?
    I’d like to map users to the correct organization via the auth token. This is to achieve dashboard separation for privacy, security, etc.

  • How are you trying to achieve it?
    The OAuth token looks like this:

{
  ...
  "org:" {
    "org-nameA"
  },
  "role": {
    "Viewer"
  },
  ...
}

Here is my configuration:

grafana.ini:
  server:
    domain: <redacted>
  log:
    filters:
      oauth.generic_oauth:debug
  auth:
    disable_login_form: false
  auth.generic_oauth:
    enabled: true
    auth_url: <redacted>
    token_url: <redacted>
    api_url: <redacted>
    client_id: <redacted>
    scopes: profile email openid
    email_attribute_name: email
    name_attribute_path: unique_name
    role_attribute_path: role
    org_attribute_path: org
    org_mapping: 'main-org:1:Admin, org-NameA:2:Viewer, orgNameB:3:Viewer'
    allow_assign_grafana_admin: true
  users:
    auto_assign_org: false

  • What happened?
    A newly authenticated user with that token is always placed in the Main Org as a Viewer.

  • What did you expect to happen?
    A newly authenticated user with that token is placed in org-NameA as a Viewer.

I know that role_attribute_path is working because I can change the value in the token and the user will be authenticated as that role. What am I missing? Any help will be greatly appreciated.
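One thing worth checking offline before touching the server again: the token in the post carries `org-nameA`, while `org_mapping` lists `org-NameA`, and the two only differ in case. The script below is an added example, not code from the post or from Grafana. It parses the documented `<ExternalOrgName>:<OrgIdOrName>:<Role>` mapping format using the values from the post, looks up the org claim with a minimal dotted-path lookup standing in for the JMESPath expression Grafana evaluates for `org_attribute_path`, and reports external org names that match a mapping key only when case is ignored. Exact, case-sensitive matching is an assumption about Grafana's behaviour (a plain map lookup), and the claim values are constructed.

```python
"""Offline check of a Grafana-style org_mapping against OAuth token claims.

Added example, not code from the original post or from Grafana. It models the
'<ExternalOrgName>:<OrgIdOrName>:<Role>' mapping format with plain exact-string
matching and a dotted-path lookup in place of Grafana's JMESPath evaluation;
both are assumptions about how Grafana behaves, not facts taken from it.
"""

# Claims the post's token would carry as valid JSON (constructed sample).
TOKEN_CLAIMS = {
    "email": "user@example.com",
    "unique_name": "Example User",
    "org": ["org-nameA"],
    "role": "Viewer",
}

# org_mapping value copied from the post's grafana.ini.
ORG_MAPPING = "main-org:1:Admin, org-NameA:2:Viewer, orgNameB:3:Viewer"


def parse_org_mapping(mapping: str) -> dict[str, tuple[str, str]]:
    """Parse comma-separated entries into {external_org: (grafana_org, role)}.

    Keys are stored verbatim, so later lookups are case-sensitive, as a plain
    map lookup would be (assumption about Grafana's matching).
    """
    parsed: dict[str, tuple[str, str]] = {}
    for raw in mapping.split(","):
        entry = raw.strip()
        if not entry:
            continue
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed org_mapping entry: {entry!r}")
        external_org, grafana_org, role = parts
        parsed[external_org] = (grafana_org, role)
    return parsed


def extract_claim(claims: dict, path: str):
    """Dotted-path lookup (e.g. 'org' or 'realm_access.roles') standing in for
    the JMESPath expression Grafana evaluates; a simplification, not its code."""
    current = claims
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def resolve_orgs(claims: dict, org_attribute_path: str, org_mapping: str):
    """Return (assigned, unmatched): the Grafana org -> role pairs the token's
    external org names map to, and the names that match no mapping entry."""
    mapping = parse_org_mapping(org_mapping)
    external = extract_claim(claims, org_attribute_path)
    if external is None:
        return {}, []
    if isinstance(external, str):  # a single string claim names one org
        external = [external]
    assigned: dict[str, str] = {}
    unmatched: list[str] = []
    for name in external:
        if name in mapping:
            grafana_org, role = mapping[name]
            assigned[grafana_org] = role
        else:
            unmatched.append(name)
    return assigned, unmatched


def near_misses(unmatched: list[str], org_mapping: str):
    """Pair each unmatched external org with a mapping key that differs only
    in letter case, the easiest slip to make when the mapping is hand-typed."""
    keys_by_lower = {k.lower(): k for k in parse_org_mapping(org_mapping)}
    return [(n, keys_by_lower[n.lower()]) for n in unmatched
            if n.lower() in keys_by_lower]


if __name__ == "__main__":
    assigned, unmatched = resolve_orgs(TOKEN_CLAIMS, "org", ORG_MAPPING)
    print("assigned:", assigned)    # {} for the post's values
    print("unmatched:", unmatched)  # ['org-nameA']
    for token_name, config_name in near_misses(unmatched, ORG_MAPPING):
        print(f"token says {token_name!r} but org_mapping has {config_name!r}")
```

Run against the post's own values it assigns nothing and flags `org-nameA` versus `org-NameA`; change the claim to `org-NameA` and it resolves to Grafana org `2` as Viewer. Whether Grafana itself normalises case is something to confirm against its documentation or source, not something this thread settles.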

I think this is a typo: “org:”? Should be “org”:
As for your problem, I solved it like this:

{
  ...
  "org:" [
    "org-nameA"
  ],
  "role": {
    "Viewer"
  },
  ...
}

@jellyfishheadphones did that actually solve that for you? Was it the typo? Or did you have another problem and, best case, found a solution for this? I’m currently struggling with the same problem, without typos…

No, that typo did not matter. That was just an example of the structure of my OAuth token, hand-written, human error added along the way.

Anyway, I can get this working if I manually configure this role mapping in the UI. Putting it in the yaml for grafana.ini does absolutely nothing for me for some reason, despite what the documentation says. Oh well. Good luck to you.