Grafana OAuth issue with Keycloak: "idP did not return a role attribute"

  • What Grafana version and what operating system are you using?
    10.4.1

  • What are you trying to achieve?
    Trying to authenticate using Keycloak 20

  • How are you trying to achieve it?
    Through GENERIC_OAUTH

  • What happened?

Got the error "idP did not return a role attribute"

  • What did you expect to happen?

Smooth login

  • Can you copy/paste the configuration(s) that you are having problems with?

GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(realm_access.roles[], 'grafana-admin') && 'Admin' || contains(realm_access.roles[], 'grafana-viewer') && 'Viewer' || contains(realm_access.roles[*], 'grafana-editor') && 'Editor'"

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    Login failed

IdP did not return a role attribute, please contact your administrator

  • Did you follow any online instructions? If so, what is the URL?

You didn't follow the linked doc properly.

You:

contains(realm_access.roles[], 'grafana-admin') && 'Admin' || contains(realm_access.roles[], 'grafana-viewer') && 'Viewer' || contains(realm_access.roles[*], 'grafana-editor') && 'Editor'

Doc:

contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'

Do you see difference?

Thanks for the prompt response, Jangaraj. With Keycloak 20 the Token Claim Name is "realm_access.roles", so it has been used instead of roles.

Please provide the decoded access token. I bet the claim name realm_access.roles is the problem, because that dot has a special meaning in the mapping string. Use the simpler realm_access_roles to avoid the dot problem (or find out how to escape the dot in a JMESPath expression).

I have tested by removing the dot and replacing it with an underscore, but still no luck.

contains(realm_access_roles[], 'grafana-admin') && 'Admin' || contains(realm_access_roles[], 'grafana-editor') && 'Editor'

logger=oauth.generic_oauth t=2024-06-06T09:23:16.742161171Z level=warn msg="Failed to extract role" err="[oauth.role_attribute_strict_violation] idP did not return a role attribute, but role_attribute_strict is set"
logger=oauth.generic_oauth t=2024-06-06T09:23:16.742257529Z level=warn msg="Failed to extract role" err="[oauth.role_attribute_strict_violation] idP did not return a role attribute, but role_attribute_strict is set"
logger=authn.service t=2024-06-06T09:23:16.742293543Z level=error msg="Failed to authenticate request" client=auth.client.generic_oauth error="[auth.oauth.userinfo.error] failed to get user info: [oauth.role_attribute_strict_violation] idP did not return a role attribute"

And please use formatted text for snippets.

I am using formatted text only; while pasting here it was changed to italic. Also, I am not using the access token.

It was sorted by simply updating "realm_access.roles" to "roles" in Keycloak under "Token Claim Name".
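To make the two token layouts discussed in this thread concrete, here is an added Python example. It is not Grafana or Keycloak code and was not posted by anyone in the thread: it decodes a constructed Keycloak-style token, resolves a dotted claim path, and applies the same grafana-admin / grafana-editor / grafana-viewer chain as the posted role_attribute_path, with role_attribute_strict modelled as an exception. The sample payloads and all helper names are assumptions made for illustration, and the lookup is a plain dotted-path walk over the decoded claims, not a JMESPath evaluator.

```python
import base64
import json
from typing import Any, Optional

# Constructed sample payloads (not real tokens). The shape of the roles claim
# follows from the "Token Claim Name" set on the Keycloak protocol mapper:
# "realm_access.roles" nests the array under an object, "roles" puts it at top level.
NESTED_PAYLOAD = {
    "sub": "4f1c2b0e",
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "grafana-editor"]},
}
FLAT_PAYLOAD = {
    "sub": "4f1c2b0e",
    "preferred_username": "alice",
    "roles": ["offline_access", "grafana-editor"],
}

# Order matters: the first matching Keycloak role wins, like the thread's
# "contains(...) && 'Admin' || contains(...) && 'Editor' || ..." chain.
ROLE_MAP = [
    ("grafana-admin", "Admin"),
    ("grafana-editor", "Editor"),
    ("grafana-viewer", "Viewer"),
]


class RoleAttributeError(Exception):
    """Stand-in for Grafana's role_attribute_strict_violation."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none token for this demo only; never accept such tokens in production."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying it (a debugging aid, not authentication)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def lookup(claims: dict, dotted_path: str) -> Optional[Any]:
    """Resolve 'a.b.c' through nested objects; None if any hop is missing."""
    node: Any = claims
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def map_role(claims: dict, roles_path: str, default: Optional[str] = None,
             strict: bool = True) -> Optional[str]:
    """Python stand-in for the role_attribute_path expression in the thread.

    roles_path names the claim holding the Keycloak role array. default plays
    the part of the docs' trailing "|| 'Viewer'"; strict mirrors
    role_attribute_strict: with no mapped role and no default, fail the login.
    """
    roles = lookup(claims, roles_path)
    if isinstance(roles, list):
        for keycloak_role, grafana_role in ROLE_MAP:
            if keycloak_role in roles:
                return grafana_role
    if default is not None:
        return default
    if strict:
        raise RoleAttributeError(
            f"idP did not return a role attribute at '{roles_path}', "
            "but role_attribute_strict is set")
    return None


if __name__ == "__main__":
    claims = decode_jwt_payload(encode_unsigned_jwt(NESTED_PAYLOAD))
    print(json.dumps(claims, indent=2))
    print("realm_access.roles ->", map_role(claims, "realm_access.roles"))
    print("roles (flat token)  ->", map_role(FLAT_PAYLOAD, "roles"))
    try:
        map_role(claims, "roles")  # wrong claim path for the nested layout
    except RoleAttributeError as exc:
        print("strict failure:", exc)
```

Run it against a real token by pasting the access token or userinfo body into decode_jwt_payload and printing the claims first: the claim path in role_attribute_path has to match the layout that actually appears there, which is exactly what changing the Keycloak Token Claim Name alters.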