Grafana Authentication/Authorization via OAUTH and AzureAD

I have issues with the setup of OAUTH with AzureAD in Grafana. Everything has been configured on the AzureAD side, and the setup has also been done in Grafana. I can log in, but I always get assigned the “VIEWER” role by default, because the correct role, for example ADMIN or EDITOR, is not applied.

The page where I followed the instructions is:

Also, in the logs on the Grafana side I see:
lvl=dbug msg="Received id_token" logger=oauth.generic_oauth raw_json="roles":["Admin"],…

Any suggestions?

ID token looks OK, so just configure role_attribute_path, e.g.:

role_attribute_path = contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || 'Viewer'

Yes, that works, BUT only if I have assigned roles in Azure to the users or security groups. If I don’t assign any role, it immediately gives the “ADMIN” profile to the user.
This is the log:
t=2020-03-25T08:18:50+0000 lvl=eror msg="Failed to search user info JSON response with provided path" logger=oauth.generic_oauth attributePath="contains(roles[], 'Admin') && 'Admin' || contains(roles[], 'Editor') && 'Editor' || 'Viewer'" err="Invalid type for: , expected: []jmespath.jpType{"array", "string"}"

Just a guess: the roles claim is not generated because it is empty, so JMESPath is failing. You need to improve the JMESPath expression. Ensure that the roles claim exists, so that if it does not, the default Viewer role is used. The Grafana docs contain a link to a page where you can play with and develop a proper expression for your needs.

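
The guard suggested in the answer above, as an added configuration example that is not from any poster in this thread: the expression quoted earlier next to a form that tolerates an id_token with no roles claim. It assumes the settings live in the `[auth.generic_oauth]` section of grafana.ini (matching the `oauth.generic_oauth` logger in the logs) and that the claim is named `roles`, as in the logged token.

```ini
; Added example, not from the thread. Place in grafana.ini (or custom.ini).
[auth.generic_oauth]
enabled = true

; Expression from the thread (kept commented out for comparison).
; When the id_token carries no "roles" claim, roles[*] evaluates to null and
; contains() rejects it with "Invalid type ... expected array, string".
;role_attribute_path = contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || 'Viewer'

; Guarded form (assumption: claim name "roles", role values as in the thread).
; "roles &&" short-circuits when the claim is missing or an empty array, so
; contains() only ever receives a real array. Every branch that does not
; match falls through to the least-privileged role, Viewer.
role_attribute_path = (roles && contains(roles[*], 'Admin') && 'Admin') || (roles && contains(roles[*], 'Editor') && 'Editor') || 'Viewer'
```

After restarting Grafana, log in once with an account that has an app role assigned and once with one that has none, and confirm that the second lands on Viewer and that the "Failed to search user info JSON response" error no longer appears in the log.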

Hi, I am having the same issue. I am new to Grafana and don’t know where the JMESPath is or what I need to do to configure the ini file or something else.