Version: 11.3.0 on premise linux
Hi,
I am configuring Grafana SSO via oauth and the auth server is keycloak.
The idea behind it is that if the user is in the group grafana_team-admin, then it should return grafana_team-admin-teamid, where the teamid is not something related to Grafana but something internal. I then use this to assign the org of the teamid with the Admin right. Same thing for editor.
Here is how I am trying to get the info :
org_attribute_path = [to_string(contains(groups[*], 'grafana_team-admin') && join('-',[orgattrs.teamid,'admin']) || contains(groups[*], 'grafana_team-editor') && join('-',[orgattrs.teamid,'editor']))]
What I expect: grafana_team-admin-teamid
What I get: an error while logging in (so I cannot log in), and this is what I get in the log:
logger=oauth.generic_oauth t=2024-12-02T08:52:29.340363142Z level=warn msg="Failed to extract orgs" err="[json-failed-to-search] failed to search user info JSON response with provided path: \"[to_string(contains(groups[*], 'grafana_team-admin') && join('-',[orgattrs.teamid,'admin']) || contains(groups[*], 'systems_grafana_team-editor') && join('-',[orgattrs.teamid,'editor']))]\": invalid type for: [<nil> editor], expected: []functions.JpType{\"array[string]\"}"
logger=authn.service t=2024-12-02T08:52:29.340444901Z level=error msg="Failed to authenticate request" client=auth.client.generic_oauth error="[auth.oauth.userinfo.error] failed to get user info: [json-failed-to-search] failed to search user info JSON response with provided path: \"[to_string(contains(groups[*], 'grafana_team-admin') && join('-',[orgattrs.teamid,'admin']) || contains(groups[*], 'systems_grafana_team-editor') && join('-',[orgattrs.teamid,'editor']))]\": invalid type for: [<nil> editor], expected: []functions.JpType{\"array[string]\"}"
After some investigation I noticed that orgattrs.teamid returns null, and when the join function is then called it raises the error.
I did the request by hand like this:
curl --location --request POST 'https://mygrafana/realms/staging/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}' \
--data-urlencode 'username={username}' \
--data-urlencode 'password={password}'
And I get the access_token (I put only the relevant part here, IMO, since it has some other sensitive info):
{
"orgattrs": {
"teamid": "teamid"
},
"groups": [
"grafana_team-admin"
]
}
I tested my org_attribute_path expression on the JMESPath website and it returns what I expect, so for me it's not about the query.
So my guess is that Grafana might discard structures it does not know and only take things like groups, email, name, etc.
Is there anyone who can confirm that? Or is there another problem?
Thanks for your help!
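An added example (my own code, not from the original post, from Grafana or from Keycloak) for reproducing the failure offline. It decodes the payload of a JWT access token without verifying it (inspection only), applies the same group-to-org mapping the post's org_attribute_path expression describes but returns an empty list when orgattrs.teamid is missing instead of failing the way join() does on null, and lists which claims in the token are absent from a userinfo-style JSON document. The token, the userinfo document and the helper names (jwt_claims, map_orgs, diff_claims, make_token) are constructed for this example; the claim layout and group names are taken from the post. The null-guarded JMESPath string at the end is not evaluated here; it relies on the JMESPath rule that `&&` returns its left operand when that operand is false-like (null, empty).

```python
"""Offline check of the OAuth claims that feed Grafana's org_attribute_path.

Added example, not part of the original post or of Grafana/Keycloak.
The JWT is decoded WITHOUT signature verification: use this only to inspect
claims during debugging, never to make an authentication decision.
"""
import base64
import json

# Group names and claim layout taken from the post.  Admin is listed first so
# that a user in both groups gets admin, matching the `||` order of the
# original expression.
ROLE_GROUPS = {
    "grafana_team-admin": "admin",
    "grafana_team-editor": "editor",
}

# Null-guarded variant of the post's expression (not evaluated in this file).
# `orgattrs.teamid && join(...)` yields null instead of calling join() on
# a missing teamid, so JMESPath does not raise the "[<nil> editor]" error.
SAFE_ORG_ATTRIBUTE_PATH = (
    "[contains(groups[*], 'grafana_team-admin') && orgattrs.teamid "
    "&& join('-', [orgattrs.teamid, 'admin']) "
    "|| contains(groups[*], 'grafana_team-editor') && orgattrs.teamid "
    "&& join('-', [orgattrs.teamid, 'editor'])]"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url with the padding that JWT segments strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature (constructed test data only)."""
    return ".".join([_b64url_encode({"alg": "none", "typ": "JWT"}),
                     _b64url_encode(payload), ""])


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def map_orgs(claims: dict) -> list:
    """Mirror of the post's org mapping with a null guard.

    Returns e.g. ['teamid-admin'] (join('-', [teamid, role])), or [] when
    orgattrs.teamid or groups are absent from the claims.
    """
    teamid = (claims.get("orgattrs") or {}).get("teamid")
    groups = claims.get("groups") or []
    if not teamid:
        return []
    for group, role in ROLE_GROUPS.items():
        if group in groups:
            return [f"{teamid}-{role}"]
    return []


def diff_claims(token_claims: dict, userinfo: dict) -> list:
    """Top-level claims present in the access token but missing from userinfo."""
    return sorted(k for k in token_claims if k not in userinfo)


# Constructed sample data: token claims as in the post, and a userinfo
# response that lacks the custom orgattrs claim.
SAMPLE_CLAIMS = {
    "sub": "user-1",
    "orgattrs": {"teamid": "teamid"},
    "groups": ["grafana_team-admin"],
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS)
SAMPLE_USERINFO = {"sub": "user-1", "email": "user@example.invalid",
                   "groups": ["grafana_team-admin"]}

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("orgs from token claims :", map_orgs(claims))
    print("orgs from userinfo     :", map_orgs(SAMPLE_USERINFO))
    print("claims missing in userinfo:", diff_claims(claims, SAMPLE_USERINFO))
```

Run it against a real token by replacing SAMPLE_TOKEN with the access_token string from the curl call and SAMPLE_USERINFO with the JSON returned by the endpoint configured as Grafana's api_url; if diff_claims reports orgattrs, the claim is in the token but not in the document Grafana evaluates the expression against.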