- What Grafana version and what operating system are you using?
10.4.1
- What are you trying to achieve?
Trying to authenticate using Keycloak 20
- How are you trying to achieve it?
Through GENERIC_OAUTH
- What happened?
Got an error as the idP did not return a role attribute
- What did you expect to happen?
Smooth login
- Can you copy/paste the configuration(s) that you are having problems with?
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(realm_access.roles[], 'grafana-admin') && 'Admin' || contains(realm_access.roles[], 'grafana-viewer') && 'Viewer' || contains(realm_access.roles[*], 'grafana-editor') && 'Editor'"
- Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
Login failed
IdP did not return a role attribute, please contact your administrator
- Did you follow any online instructions? If so, what is the URL?
You didn't follow the linked doc properly.
You:
contains(realm_access.roles[], 'grafana-admin') && 'Admin' || contains(realm_access.roles[], 'grafana-viewer') && 'Viewer' || contains(realm_access.roles[*], 'grafana-editor') && 'Editor'
Doc:
contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
Do you see the difference?
Thanks for the prompt response Jangaraj. With Keycloak 20 the token claim name is "realm_access.roles", so it has been used instead of roles.
Provide the decoded access token, pls. I bet that the claim name realm_access.roles is a problem, because that dot has special meaning in the mapping string. Use the simpler realm_access_roles to avoid the dot problem (or find how to escape the dot in the JMESPath expression).
I have tested by replacing the dot with an underscore, but still no luck.
contains(realm_access_roles[], 'grafana-admin') && 'Admin' || contains(realm_access_roles[], 'grafana-editor') && 'Editor'
logger=oauth.generic_oauth t=2024-06-06T09:23:16.742161171Z level=warn msg="Failed to extract role" err="[oauth.role_attribute_strict_violation] idP did not return a role attribute, but role_attribute_strict is set"
logger=oauth.generic_oauth t=2024-06-06T09:23:16.742257529Z level=warn msg="Failed to extract role" err="[oauth.role_attribute_strict_violation] idP did not return a role attribute, but role_attribute_strict is set"
logger=authn.service t=2024-06-06T09:23:16.742293543Z level=error msg="Failed to authenticate request" client=auth.client.generic_oauth error="[auth.oauth.userinfo.error] failed to get user info: [oauth.role_attribute_strict_violation] idP did not return a role attribute"
And use formatted text for snippets, pls.
I am using formatted text; only while pasting here was it changed to italic. Also I am not using the access token.
It was sorted by simply updating "realm_access.roles" to "roles" in Keycloak under "Token Claim Name".
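To make the dot problem from this thread concrete, here is an added example (not code from the thread or from Grafana) that models how a dotted role_attribute_path is resolved against a decoded token. Grafana itself evaluates full JMESPath; the walker below is a simplified stand-in for only the dotted-path part, and the three token payloads are constructed, not real tokens.

```python
# Added example: a simplified model of how a dotted role_attribute_path such as
# "realm_access.roles" is resolved. Assumption: each '.' descends one JSON object
# level, as in JMESPath, so a single claim whose *name* contains a dot is not found.
from typing import Any, Optional

# Priority order mirrors the doc expression from the thread:
# contains(roles[*],'admin') && 'Admin' || contains(roles[*],'editor') && 'Editor' || 'Viewer'
ROLE_MAP = [("grafana-admin", "Admin"), ("grafana-editor", "Editor"), ("grafana-viewer", "Viewer")]


def resolve_path(payload: dict, path: str) -> Any:
    """Walk a dotted path, descending one object level per '.'; None if any key is missing."""
    node: Any = payload
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # JMESPath yields null for a missing key
        node = node[key]
    return node


def map_role(payload: dict, path: str, fallback: Optional[str] = None) -> Optional[str]:
    """Return the first Grafana role whose claim role is present, else the fallback.

    fallback=None models the poster's expression (no trailing || 'Viewer'): an
    empty result is what triggers "idP did not return a role attribute" when
    role_attribute_strict is set.
    """
    roles = resolve_path(payload, path)
    if not isinstance(roles, list):
        roles = []
    for claim_role, grafana_role in ROLE_MAP:
        if claim_role in roles:
            return grafana_role
    return fallback


# Constructed payloads for the three claim layouts discussed in the thread.
NESTED = {"realm_access": {"roles": ["grafana-admin", "offline_access"]}}  # nested object
FLAT_DOTTED = {"realm_access.roles": ["grafana-admin"]}  # one claim literally named "realm_access.roles"
FLAT_ROLES = {"roles": ["grafana-editor"]}  # the fix: Token Claim Name "roles"

if __name__ == "__main__":
    print(map_role(NESTED, "realm_access.roles"))  # Admin
    print(map_role(FLAT_DOTTED, "realm_access.roles"))  # None -> strict-mode failure
    print(map_role(FLAT_DOTTED, "realm_access.roles", fallback="Viewer"))  # Viewer
    print(map_role(FLAT_ROLES, "roles"))  # Editor
```

The middle case is the failure mode in the logs above: the claim exists, but the dotted path looks for an object named realm_access and finds nothing, so no role is produced.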