Grafana Keycloak Role Mapping

Hi guys,
happy new year by the way.

I am trying to setup GF 7.3.4 with keycloak 12.0.1

I can successful login to GF over Oauth2.
But there’s two problems in that I stuck.

  1. Role Mapping. I have three roles in Keycloak Admin, Editor and Viewer. But GF does not cover this.
  2. I can’t sign out of GF with standard GF logut function. If I kill the session in keycloak it works.

My docker compose props

  MY_HOST: $MY_HOST
  GF_LOG_LEVEL: debug
  GF_LOG_CONSOLE_LEVEL: debug
  GF_SERVER_PROTOCOL: http
  GF_SERVER_DOMAIN: $MY_HOST
  GF_SERVER_ROOT_URL: http://$MY_HOST:3000
  GF_DASHBOARD_MIN_REFRESH_INTERVAL: 1s
  GF_AUTH_BASIC_ENABLED: 'false'
  GF_AUTH_DISABLE_LOGIN_FORM: 'true'
  GF_AUTH_SIGN_OUT_URL : http://${MY_HOST}:3000/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=http://${MY_HOST}:3000/login
  GF_AUTH_OAUTH_AUTO_LOGIN: 'false'
  GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: ''
  GF_AUTH_GENERIC_OAUTH_ENABLED: 'true'
  GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: 'true'
  GF_AUTH_GENERIC_OAUTH_NAME: Oauth
  GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'true'
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
  GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email roles
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: e7595763-773d-4972-83e6-93aa4f1824fe
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: http://${MY_HOST}:8085/auth/realms/myrealm/protocol/openid-connect/auth
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: http://${MY_HOST}:8085/auth/realms/myrealm/protocol/openid-connect/token
  GF_AUTH_GENERIC_OAUTH_API_URL: http://${MY_HOST}:8085/auth/realms/myrealm/protocol/openid-connect/userinfo
  GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(realm_access.roles[*], 'Admin') && 'Admin' || contains(realm_access.roles[*], 'Editor') && 'Editor' || 'Viewer'

For testing purpose I change the role_attribute_pattren with

contains(realm_access.roles[*], 'Admin') && 'Admin' || contains(realm_access.roles[*], 'Editor') && 'Editor' || 'Admin'

But even this not works. The user is always in Viewer role.

Keycloak Access Token shows IMHO correct:

 {
  "exp": 1609459920,
  "iat": 1609459620,
  "jti": "3bfb5059-d1c8-432e-a2d0-5573678fb5e6",
  "iss": "http://10.21.21.21:8085/auth/realms/myrealm",
  "aud": "account",
  "sub": "9c433bba-90a9-48fa-82fe-8b8411bc5a7e",
  "typ": "Bearer",
  "azp": "grafana",
  "session_state": "c06593a1-ca25-4d07-98be-7eabacceec7d",
  "acr": "1",
  "allowed-origins": [
    "*"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "Admin",
      "uma_authorization",
      "cloudusers"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": true,
  "name": "Foo Bar",
  "preferred_username": "foo",
  "given_name": "Foo",
  "family_name": "Bar",
  "email": "foo@bar.io"
}

Mapping seems to be OK. What is in the logs? I guess Grafana is trying to find roles in the ID token and not in the access token. Then make sure roles are exposed also in the id token (that’s a checkbox in the Keycloak client mapper config).

That was it.
First resolved issue this year thanks ;-).

And a happy new to yo by the way