Google OAuth and nested groups doesn't work

  • What Grafana version and what operating system are you using?
    V11.1.0

  • What are you trying to achieve?
    Google OAuth login with nested-groups role mapping

  • How are you trying to achieve it?
    user mb@xxxx.com
    direct member of the group team-it-admins@xxxx.com
    The team-it-admins@xxxx.com is nested in the group saas-grafana-admins@xxxx.com

  • What happened?
    Login works, but the role mapping works only if users are direct members of a group.
    If the user is a nested member, the role sync doesn't work.

  • What did you expect to happen?
    I expect the user mb@xxxx.com to have admin rights because he is a member of the group team-it-admins@xxxx.com and this group is nested in the group saas-grafana-admins@xxxx.com.

  • Can you copy/paste the configuration(s) that you are having problems with?

allowed_groups = team-it-admins@xxxx.com saas-grafana-admins@xxxx.com
role_attribute_path = contains(groups[*], 'saas-grafana-admins@xxxx.com') && 'Admin' || 'Editor'

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
logger=oauth.google t=2024-06-29T11:22:57.683859425+02:00 level=debug msg="Retrieving groups" scopes="[openid email profile https://www.googleapis.com/auth/cloud-identity.groups.readonly]"
logger=oauth.google t=2024-06-29T11:22:57.683917465+02:00 level=debug msg="Retrieving groups" url="https://content-cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups?query=member_key_id=='mxxxx.bxxxx@xxxx.com'"
logger=oauth.google t=2024-06-29T11:22:58.221158229+02:00 level=debug msg="HTTP GET" url="https://content-cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups?query=member_key_id=='mxxxx.bxxxx@xxxx.com'" status="200 OK" response_body="{\n  \"memberships\": [\n    {\n      \"membership\": \"groups/049x2ik50it7ez5/memberships/111523604367161282317\",\n      \"roles\": [\n        {\n          \"name\": \"MEMBER\"\n        }\n      ],\n      \"group\": \"groups/049x2ik50it7ez5\",\n      \"groupKey\": {\n        \"id\": \"team-it-admins@xxxx.com\"\n      },\n      \"displayName\": \"Team-IT-Admins\",\n      \"labels\": {\n        \"cloudidentity.googleapis.com/groups.security\": \"\",\n        \"cloudidentity.googleapis.com/groups.discussion_forum\": \"\"\n      }\n    },\n    {\n      \"membership\": \"groups/02pta16n19amfz8/memberships/111523604367161282317\",\n      \"roles\": [\n        {\n          \"name\": \"MEMBER\"\n        }\n      ],\n      \"group\": \"groups/02pta16n19amfz8\",\n      \"groupKey\": {\n        \"id\": \"manni-test@xxxx.com\"\n      },\n      \"displayName\": \"manni-test\",\n      \"labels\": {\n        \"cloudidentity.googleapis.com/groups.discussion_forum\": \"\"\n      }\n    },\n    {\n      \"membership\": \"groups/030j0zll2fes66y/memberships/111523604367161282317\",\n      \"roles\": [\n        {\n          \"name\": \"MEMBER\"\n        }\n      ],\n      \"group\": \"groups/030j0zll2fes66y\",\n      \"groupKey\": {\n        \"id\": \"all-xxxx@xxxx.com\"\n      },\n      \"displayName\": \"All xxxx\",\n      \"labels\": {\n        \"cloudidentity.googleapis.com/groups.discussion_forum\": \"\",\n        \"cloudidentity.googleapis.com/groups.dynamic\": \"\"\n      }\n    },\n    {\n      \"membership\": \"groups/034g0dwd3pm8ktc/memberships/111523604367161282317\",\n      \"roles\": [\n        {\n          \"name\": \"MEMBER\"\n        }\n      ],\n      \"group\": \"groups/034g0dwd3pm8ktc\",\n      \"groupKey\": {\n        \"id\": \"all@xxxx.com\"\n      },\n      \"displayName\": \"All\",\n      \"labels\": {\n        \"cloudidentity.googleapis.com/groups.discussion_forum\": \"\",\n        \"cloudidentity.googleapis.com/groups.dynamic\": \"\"\n      },\n      \"description\": \"all users in xxxxx\"\n    },\n    {\n      \"membership\": \"groups/039kk8xu3mewwjl/memberships/111523604367161282317\",\n      \"roles\": [\n        {\n          \"name\": \"MEMBER\"\n        }\n      ],\n      \"group\": \"groups/039kk8xu3mewwjl\",\n      \"groupKey\": {\n        \"id\": \"gcp-xxxx@xxxx.com\"\n      },\n      \"displayName\": \"gcp-xxxx\",\n      \"labels\": {\n        \"cloudidentity.googleapis.com/groups.discussion_forum\": \"\"\n      }\n    },\n    {\n      \"membership\": \"groups/00sqyw6439qxv7o/memberships/111523604367161282317\",\n      \"roles\": [\n        {\n          \"name\": \"MEMBER\"\n        }\n      ],\n      \"group\": \"groups/00sqyw6439qxv7o\",\n      \"groupKey\": {\n        \"id\": \"aws-users@xxxx.com\"\n      },\n      \"displayName\": \"aws-users\",\n      \"labels\": {\n        \"cloudidentity.googleapis.com/groups.discussion_forum\": \"\",\n        \"cloudidentity.googleapis.com/groups.security\": \"\"\n      }\n    }\n  ]\n}\n"
logger=oauth.google t=2024-06-29T11:22:58.22147934+02:00 level=debug msg="Resolved user info" data="Id: 111523604367161282317, Name: Mxxxx Bxxxxx, Email: mxxxx.bxxxx@xxxx.com, Login: mxxxx.bxxxx@xxxx.com, Role: , Groups: [team-it-admins@xxxx.com mxxxx-test@xxxx.com all-xxxx@xxxx.com all@xxxx.com gcp-xxxx@xxxx.com ], OrgRoles: map[1:Editor]"
logger=login.authinfo t=2024-06-29T11:22:58.274528343+02:00 level=debug msg="auth info set in cache" cacheKey=authinfo-0-oauth_google-111523604367161282317
logger=user.sync t=2024-06-29T11:22:58.275320404+02:00 level=debug msg="Updating auth connection for user" id=:
  • Did you follow any online instructions? If so, what is the URL?
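The logs above show why the mapping lands on Editor: the `searchDirectGroups` call only returns groups the user is a direct member of, so `saas-grafana-admins@xxxx.com` never appears in the `groups` list that `role_attribute_path` is evaluated against. The following added example (not Grafana code, and not part of the original post) reproduces the role decision from a trimmed copy of the logged response, then expands the direct groups through a constructed, hypothetical group-to-parent map to show what a transitive lookup would yield.

```python
import json

# Constructed sample: a trimmed version of the searchDirectGroups response body
# quoted in the post. Only groupKey.id matters for Grafana's role mapping.
DIRECT_RESPONSE = json.dumps({"memberships": [
    {"group": "groups/049x2ik50it7ez5", "groupKey": {"id": "team-it-admins@xxxx.com"}},
    {"group": "groups/02pta16n19amfz8", "groupKey": {"id": "manni-test@xxxx.com"}},
    {"group": "groups/034g0dwd3pm8ktc", "groupKey": {"id": "all@xxxx.com"}},
]})

# Hypothetical group-nesting edges (which groups are members of other groups).
# searchDirectGroups does not return these; a transitive lookup would be needed.
GROUP_PARENTS = {
    "team-it-admins@xxxx.com": ["saas-grafana-admins@xxxx.com"],
    "saas-grafana-admins@xxxx.com": [],
}

ADMIN_GROUP = "saas-grafana-admins@xxxx.com"
ALLOWED_GROUPS = {"team-it-admins@xxxx.com", "saas-grafana-admins@xxxx.com"}


def direct_groups(response_body: str) -> list:
    """Extract groupKey ids, matching the 'Groups: [...]' list in the log."""
    body = json.loads(response_body)
    return [m["groupKey"]["id"] for m in body.get("memberships", [])]


def expand_nested(groups, parents, max_depth=10):
    """Add every group a known group is nested in (transitive closure).
    Visited-set plus depth limit keep membership cycles from looping forever."""
    seen, frontier = set(groups), list(groups)
    for _ in range(max_depth):
        nxt = [p for g in frontier for p in parents.get(g, []) if p not in seen]
        if not nxt:
            break
        seen.update(nxt)
        frontier = nxt
    return sorted(seen)


def map_role(groups):
    """Mirror of: contains(groups[*], ADMIN_GROUP) && 'Admin' || 'Editor'"""
    return "Admin" if ADMIN_GROUP in groups else "Editor"


def allowed(groups):
    """Mirror of allowed_groups: any overlap lets the login proceed."""
    return bool(ALLOWED_GROUPS & set(groups))


if __name__ == "__main__":
    direct = direct_groups(DIRECT_RESPONSE)
    print("direct:", direct, "->", map_role(direct))        # Editor, as logged
    nested = expand_nested(direct, GROUP_PARENTS)
    print("nested:", nested, "->", map_role(nested))        # Admin
```

Until nested membership is resolved, the workable mitigation on the Grafana side is to reference the group the user is a direct member of in `role_attribute_path`.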