Grafana OAuth with Keycloak roles mapping

Hello,

I use Keycloak 23.0.7 for SSO with Grafana v11.3.1

I’ve configured the [auth.generic_oauth] part
Users authenticate correctly with their AD user but only in Viewer.
I have a group of users who are Admin (G_Grafana_Admin) and another group who are Editor (G_Grafana_Editor) but they don’t get the right rights only Viewer.
Everyone is Viewer.

In Granafa.ini :
enabled = true
name = Keycloak-OAuth
allow_sign_up = true
auto_login = false
client_id = grafana-oauth
client_secret = 74yuhjre7u3u26yj7k8857ry
scopes = openid email profile roles
;empty_scopes = false
;email_attribute_name = email:primary
email_attribute_path = email
login_attribute_path = username
name_attribute_path = full_name
;id_token_attribute_name =
For auth_url, token_url and api_url I remove the https:// for publish my first post
;signout_redirect_url = <PROVIDER_DOMAIN>/auth/realms/test/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F<GRAFANA_DOMAIN>%2Flogin
;signout_redirect_url = sso.test.com/realms/TEST/protocol/openid-connect/logout
;teams_url =
;allowed_domains = test.com
;team_ids =
allowed_organizations = test Inc
role_attribute_path = contains(realm_access.roles[], ‘G_Grafana_Admin’) && ‘Admin’ || contains(realm_access.roles[], ‘G_Grafana_Editor’) && ‘Editor’ || ‘Viewer’
role_attribute_strict = true
;groups_attribute_path =
;team_ids_attribute_path =
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
;use_pkce = false
;auth_style =
allow_assign_grafana_admin = true
;skip_org_role_sync = false

In Keycloak

In User federation, in provider Ldap, it works and I’ve activated Kerberos.
I also made a role-ldap-mapper to fetch AD groups.
In Realm roles, the AD groups have appeared and the AD groups G_Grafana_Admin, G_Grafana_Editor and G_Grafana_Viewer are there.
If I look in Users in role, the users are in the list.

If I go to Clients, grafana-oauth,Client scopes,Evaluate
I choose a user and Generated user info
{
“sub": ‘f:009a60af-faa7-4faa-951e-65355badc763:TEST’,
“email_verified": true,
“realm_access": {
“roles": [
“G_Grafana_Admin”,
“offline_access”,
“uma_authorization”,
“default-roles-test”,
]
},
“name": ‘User test’,
“preferred_username": ‘test’,
“given_name": ‘User’,
“family_name": ‘test’,
“email": ”user.test@test.qc.ca”
}

Gafana parameter web page :

Grafana_auth704×841 48.5 KB

Grafana_generic_auth_11394×1043 72.1 KB

Grafana_generic_auth_2979×532 31.4 KB

Someone has an idea for my problem ?
I’ve been trying for 5 days without success
I don’t know what else to try
Thanks for your help !

I make other test and if I switch role_attribute_path = “‘Admin’”

I find this : Configure generic OAuth2 authentication | Grafana documentation
In the menu ##### Map one role to all users######

and make in comments the line role_attribute_path = contains(realm_access.roles[], ‘G_Grafana_Admin’) && ‘Admin’ || contains(realm_access.roles[], ‘G_Grafana_Editor’) && ‘Editor’ || ‘Viewer’

That not change, the use is create Viewer access for Organization

Garana_user2229×807 50.5 KB

I’m sorry to hear that you’re experiencing difficulties.

Grafana can provide valuable information about certain issues through its own debug logs. These logs can help troubleshoot and identify the root cause of problems (especially if they are related to anything that can be configured via Grafana config file).

To enable debug logging edit the configuration file grafana.ini:

[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
mode = console file

# Either "debug", "info", "warn", "error", "critical", default is "info"
level = debug

Then restart grafana for the setting to go into effect.

Replicate the problem and check Grafana logs. However, before posting the debug logs on the community forum, it is important to sanitize any private details such as passwords, tokens, IPs, names, … By including properly formatted debug logs (with sanitized information) and details about your installations (e.g. exact Grafana version, how it was installed, OS details, …), you greatly enhance the chances of receiving accurate assistance and solutions.

hI @jangaraj

[log.console] or [log.file] for the level = debug

Thanks a lot !

debug879×345 21.3 KB