I have Grafana configured with generic_oauth, with below configs enabled:
#################################### Generic OAuth ##########################2lhttps://metrics.xyz.abc.info https://login.microsoftonline.com/c https://login.microsoftonline.com/c 0/oauth2/tokenhttps://graph.microsoft.com ], ‘AWS-xyz-Support’) && ‘Admin’ || ‘Viewer’
Expected:
Am getting below while perfomring Signon:
xxxxx lvl=info msg=“state check” logger=oauth queryState=125b0068ddd5a843bfe7c096887a41039b7050573525e3ca58468b28482ec460 cookieState=125b0068ddd5a843bfe7c096887a41039b7050573525e3ca58468b28482ec460
is there any attributes am missing??
johnh
November 15, 2019, 3:59pm
2
The " allowed_organizations " is not the Grafana org that the users are intended to be provisioned for.
It seems to be the orgs in your Oauth provider that the user needs to be a member of in order to be able to authenticate.
johnh
November 15, 2019, 4:11pm
3
Keep an eye here… I think this may be what you’re trying to do
grafana:master ← hypery2k:feature/9766-oauth-roles
opened 07:21AM - 18 May 19 UTC
The answer that worked for me is:
opened 10:28AM - 06 Apr 20 UTC
closed 12:05PM - 08 Apr 20 UTC
area/backend/auth/oauth
needs investigation
So maybe it is not an issue for you, but i tried everything to i am pretty sure … it is an issue:
**What happened**:
I want to use AzureAD for role mapping with `role_attribute_path`, but this setting has obviously no effect to my login.
**What you expected to happen**:
I would have 2 groups, better 3 for mapping roles like admin, editor, and viewer.
Wenn I log in with my credentials (which is assigned in AzureAD `Users & Groups` to Admin) then I expected to have also Admin permissions. But this is not happening.
**How to reproduce it (as minimally and precisely as possible)**:
I check [this](https://grafana.com/docs/grafana/latest/auth/generic-oauth/) page from grafana, [this](https://community.grafana.com/t/role-is-not-attached-to-user-when-using-role-attribute-path-for-generic-oauth/25689) from grafana forum and [this](https://stackoverflow.com/questions/58952293/grafana-role-assignment-using-azure-ad-oauth) from StackOverflow.
All the settings didnt work.
`role_attribute_path:` contains(info.groups[*], 'Admin') && 'Admin' || 'Editor' also lowercase
`role_attribute_path: contains(groups[*], 'Admin') && 'Admin' || 'Editor'` also lowercase
`role_attribute_path: contains(info.groups[*], '/Grafana/Admin') && 'Admin' || 'Editor'` also lowercase
Of course also with the settings for Viewer, This also didnt work.
I also used the object ID from the group. Not working. Still as same. No effect. I have always Viewer permissions.
**Anything else we need to know?**:
For now, i have enabled:
```
auto_assign_org_role: Editor
editors_can_admin: true
```
Of course, I have disabled this, for testing role_attribute_path because I thought it overwrites any settings maybe. No effect.
**Environment**:
- Grafana version: v6.6.2 (3fa63cfc34)
- OS Grafana is installed on: AWS instance
- User OS & Browser: macOS / Chrome
Adding Additional Claim in Azure AD → App Registration → → Token Configuration → Add Group Claim
