Jmes / aws cognito / role mapping

Hello,

My OAuth authentication with AWS Cognito on Grafana is working well, but now I'm trying without success to map the “cognito:groups” of users to the Admin, Viewer… roles on Grafana.

In the debug log we can see the cognito:groups in the “raw_json”, so it should work I guess. If anyone can help please 🙂

Grafana oauth conf:

[auth]
disable_login_form = False
oauth_auto_login = False
disable_signout_menu = False
#signout_redirect_url = 
[auth.generic_oauth]
name = OAuth
enabled = True
allow_sign_up = True
scopes = openid profile email
client_id = XXXXXXX
client_secret = XXXXXXXXXXXXXXXXXXXX
auth_url = https://XXXXX.auth.eu-west-1.amazoncognito.com/oauth2/authorize
token_url = https://XXXXXXXX.auth.eu-west-1.amazoncognito.com/oauth2/token
api_url = https://XXXXXX.auth.eu-west-1.amazoncognito.com/oauth2/userInfo
tls_skip_verify_insecure = False
role_attribute_path = contains('"cognito:groups[*]"', '"admin"') && 'Admin' || contains('"cognito:groups[*]"', '"editor"') && 'Editor' || 'Viewer'

Debug log:

logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-05-02T14:53:19.62+0200 lvl=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=XX.XX.XX.XX time_ms=0 duration=224.842µs size=356 referer=https://grafana-prod.website.com/login traceID=00000000000000000000000000000000
logger=ngalert t=2022-05-02T14:53:24.21+0200 lvl=dbug msg="alert rules fetched" count=0 disabled_orgs="unsupported value type"
logger=ngalert t=2022-05-02T14:53:29.21+0200 lvl=dbug msg="recording state cache metrics" now=2022-05-02T14:53:29.219132753+02:00
logger=ngalert t=2022-05-02T14:53:34.21+0200 lvl=dbug msg="alert rules fetched" count=0 disabled_orgs="unsupported value type"
logger=oauth t=2022-05-02T14:53:38.46+0200 lvl=info msg="state check" queryState=2082ea12804b7ce9812dc00afef1f9792625b04c9ce5a1c92921acd23f0e0c87 cookieState=2082ea12804b7ce9812dc00afef1f9792625b04c9ce5a1c92921acd23f0e0c87
logger=oauth t=2022-05-02T14:53:38.64+0200 lvl=dbug msg="OAuthLogin Got token" token="unsupported value type"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.64+0200 lvl=dbug msg="Getting user info"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.64+0200 lvl=dbug msg="Extracting user info from OAuth token"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.64+0200 lvl=dbug msg="Received id_token" raw_json="{\"at_hash\":\"4Fugvgv82xph0Ws7LF-umg\",\"sub\":\"14b58c61-ac92-4417-9574-8edbc2072dec\",\"cognito:groups\":[\"admin\"],\"email_verified\":true,\"cognito:preferred_role\":\"arn:aws:iam::11111111111:role\\/monitoring-prod_grafana_admin_role\",\"iss\":\"https:\\/\\/cognito-idp.eu-west-1.amazonaws.com\\/eu-west-1_PJUUMCiyU\",\"cognito:username\":\"test\",\"origin_jti\":\"e38608f8-ec9e-4428-b280-fb24c0361bba\",\"cognito:roles\":[\"arn:aws:iam::11111111111:role\\/monitoring-prod_grafana_admin_role\"],\"aud\":\"5h7hn7als7kj5vbk3urtfmbrgk\",\"event_id\":\"2b4be420-0ec4-455a-82bc-c9c3415fb384\",\"token_use\":\"id\",\"auth_time\":1651496018,\"exp\":1651499618,\"iat\":1651496018,\"jti\":\"981bad04-b763-4343-8247-ecff80ad74f4\",\"email\":\"toto@website.com\"}" data="Name: , Displayname: , Login: , Username: , Email: toto@website.com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.64+0200 lvl=dbug msg="Getting user info from API"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="HTTP GET" url=https://customer-monitoring.auth.eu-west-1.amazoncognito.com/oauth2/userInfo status="200 OK" response_body="{\"sub\":\"14b58c61-ac92-4417-9574-8edbc2072dec\",\"email_verified\":\"true\",\"email\":\"toto@website.com\",\"username\":\"test\"}"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Received user info response from API" raw_json="{\"sub\":\"14b58c61-ac92-4417-9574-8edbc2072dec\",\"email_verified\":\"true\",\"email\":\"toto@website.com\",\"username\":\"test\"}" data="Name: , Displayname: , Login: , Username: test, Email: toto@website.com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Processing external user info" source=token data="Name: , Displayname: , Login: , Username: , Email: toto@website.com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Unable to find user info name"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Set user info email from extracted email" email=toto@website.com
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Setting user info role from extracted role"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Processing external user info" source=API data="Name: , Displayname: , Login: , Username: test, Email: toto@website.com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Unable to find user info name"
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Setting user info login from username field" username=test
logger=oauth.generic_oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="User info result" result="unsupported value type"
logger=oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="OAuthLogin got user info" userInfo="unsupported value type"
logger=oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Building external user info from OAuth user info"
logger=api t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="The user has a role assignment and organization membership is auto-assigned" role=Viewer orgId=1
logger=oauth t=2022-05-02T14:53:38.82+0200 lvl=dbug msg="Syncing Grafana user with corresponding OAuth profile"
logger=login.ext_user t=2022-05-02T14:53:38.86+0200 lvl=dbug msg="Updating user_auth info" user_id=2
logger=login.authinfo.store t=2022-05-02T14:53:38.9+0200 lvl=dbug msg="Updated user_auth" user_id=2 auth_module=oauth_generic_oauth rows=1
logger=login.ext_user t=2022-05-02T14:53:38.9+0200 lvl=dbug msg="Syncing organization roles" id=2 extOrgRoles="unsupported value type"

Thanks for helping!
Regards,
Florian

I would say you need to improve your JMESPath syntax, e.g.:

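As an added example (not code from this thread or from Grafana), the following Python evaluates role_attribute_path expressions the way JMESPath does, against the id_token claims pulled out of the "Received id_token" debug line above. It makes the failure visible: in the original expression both arguments to contains() are raw 'single-quoted' string literals, so the check asks whether the text "admin" occurs inside the text "cognito:groups[*]", which is never true, and the || chain falls through to 'Viewer' exactly as the log shows (role=Viewer). Quoting only the identifier ("cognito:groups"[*]) makes JMESPath look the claim up instead. The JmesSubset class, the helper functions, the shortened log line and the FIXED_EXPR form are all constructed for this example; Grafana itself uses the full go-jmespath library.

```python
import json
import re

# Constructed sample: a shortened copy of the thread's "Received id_token" debug line
# (logfmt: quotes inside raw_json are backslash-escaped, and "/" appears as "\/").
SAMPLE_LOG_LINE = (
    'logger=oauth.generic_oauth t=2022-05-02T14:53:38.64+0200 lvl=dbug '
    'msg="Received id_token" raw_json="{\\"cognito:groups\\":[\\"admin\\"],'
    '\\"cognito:preferred_role\\":\\"arn:aws:iam::11111111111:role\\\\/monitoring-prod_grafana_admin_role\\",'
    '\\"email\\":\\"toto@website.com\\"}" data="Name: , Login: , Email: toto@website.com"'
)
# The thread's role_attribute_path verbatim, and a corrected form (assumed fix: quote only
# the identifier, so the claim is looked up instead of both arguments being string literals).
BROKEN_EXPR = ("contains('\"cognito:groups[*]\"', '\"admin\"') && 'Admin' || "
               "contains('\"cognito:groups[*]\"', '\"editor\"') && 'Editor' || 'Viewer'")
FIXED_EXPR = ("contains(\"cognito:groups\"[*], 'admin') && 'Admin' || "
              "contains(\"cognito:groups\"[*], 'editor') && 'Editor' || 'Viewer'")


def id_token_claims_from_log(line):
    """Extract the raw_json="..." field from a Grafana debug line and decode it."""
    m = re.search(r'raw_json="((?:[^"\\]|\\.)*)"', line)
    if not m:
        raise ValueError("no raw_json field on this line")
    # Undo logfmt escaping (\" -> ", \\ -> \); what remains is ordinary JSON.
    return json.loads(re.sub(r"\\(.)", r"\1", m.group(1)))


def truthy(v):  # JMESPath truthiness: null, false and empty string/array/object are false
    return not (v is None or v is False or v == "" or v == [] or v == {})


def contains(subject, search):  # JMESPath contains(): array membership or substring test
    if isinstance(subject, list) or (isinstance(subject, str) and isinstance(search, str)):
        return search in subject
    raise TypeError("contains(): subject must be an array or string")


class JmesSubset:
    """Evaluator for the JMESPath subset Grafana role mappings use: contains(), && and ||
    (&& binds tighter), raw 'strings', dotted paths with "quoted" identifiers and a
    trailing [*] projection. Constructed for this example, not Grafana's own code."""
    def __init__(self, expr, data):
        self.s, self.i, self.data = expr, 0, data
    def peek(self, tok):  # skip whitespace, then test for tok without consuming it
        self.i = re.compile(r"\s*").match(self.s, self.i).end()
        return self.s.startswith(tok, self.i)
    def eat(self, tok):
        if not self.peek(tok):
            raise SyntaxError(f"expected {tok!r} at {self.s[self.i:]!r}")
        self.i += len(tok)
    def quoted(self, q):  # text between a pair of q characters: 'raw' or "identifier"
        self.eat(q)
        end = self.s.index(q, self.i)
        text, self.i = self.s[self.i:end], end + 1
        return text
    def chain(self, op, operand, choose):  # left-associative chain: a op b op c
        val = operand()
        while self.peek(op):
            self.eat(op)
            val = choose(val, operand())
        return val
    def or_expr(self):  # a || b: a if truthy, otherwise b
        return self.chain("||", self.and_expr, lambda a, b: a if truthy(a) else b)
    def and_expr(self):  # a && b: b if a is truthy, otherwise a
        return self.chain("&&", self.term, lambda a, b: b if truthy(a) else a)
    def term(self):  # raw 'string', a contains(...) call, or a path into the data
        if self.peek("'"):
            return self.quoted("'")
        if self.peek("contains("):
            self.eat("contains(")
            subject = self.or_expr()
            self.eat(",")
            search = self.or_expr()
            self.eat(")")
            return contains(subject, search)
        return self.path()
    def identifier(self):  # bare name, or "quoted" for names containing ':' etc.
        if self.peek('"'):
            return self.quoted('"')
        m = re.compile(r"[A-Za-z_]\w*").match(self.s, self.i)
        if not m:
            raise SyntaxError(f"identifier expected at {self.s[self.i:]!r}")
        self.i = m.end()
        return m.group()
    def path(self):  # a.b."c:d"[*]; a missing key yields null, as does [*] on a non-array
        val = self.data
        while True:
            name = self.identifier()
            val = val.get(name) if isinstance(val, dict) else None
            if self.peek("[*]"):
                self.eat("[*]")
                return val if isinstance(val, list) else None
            if not self.peek("."):
                return val
            self.eat(".")
    def evaluate(self):
        return self.or_expr()


def grafana_role(expr, claims, fallback=None):
    """Map token claims to a Grafana role with a role_attribute_path expression; return
    fallback when it cannot be evaluated (e.g. contains() applied to a claim the token lacks)."""
    try:
        return JmesSubset(expr, claims).evaluate()
    except (TypeError, SyntaxError):
        return fallback
```

Two things worth checking before relying on the corrected mapping: it evaluates the id_token claims (the "Received id_token" line), not the /oauth2/userInfo response, which in the log above carries no groups at all; and a user whose token has no cognito:groups claim makes contains() fail with a type error rather than fall through to 'Viewer', so confirm how your Grafana version treats an evaluation error before assuming Viewer is the safe default.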

Hello,

Works great.

Thanks