Keycloak and grafana don't recive info user role

satdanielglez · August 19, 2020, 11:29am

Hi, I have a problem with grafana and keycloak integration.

I have the setting to role attribute path, also I have roles to the user in keycloak, but grafana don’t recive it. Why?

contains(roles[*], 'Admin') && 'Admin' || contains(groups[*], 'Editor') && 'Editor' || 'Viewer'

        - name: "GF_AUTH_GENERIC_OAUTH_SCOPES"
          value: "profile email roles"

lvl=dbug msg="HTTP GET https://sso.kubernetes.local/auth/realms/master/protocol/openid-connect/userinfo: 200 OK {\"sub\":\"ac9ea49b-6f4e-48e1-ac16-b55270f488ba\",\"email_verified\":false,\"preferred_username\":\"admin\",\"email\":\"a@b.com\"}"
lvl=dbug msg="Received user info response" logger=oauth.generic_oauth raw_json="{\"sub\":\"ac9ea49b-6f4e-48e1-ac16-b55270f488ba\",\"email_verified\":false,\"preferred_username\":\"admin\",\"email\":\"a@b.com\"}" data="Name: , Displayname: , Login: , Username: , Email: a@b.com, Upn: , Attributes: map[]"
lvl=eror msg="Failed to extract role" logger=oauth.generic_oauth error="failed to search user info JSON response with provided path: \"contains(roles[*], 'Admin') && 'Admin' || contains(groups[*], 'Editor') && 'Editor' || 'Viewer'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"
lvl=dbug msg="User info result" logger=oauth.generic_oauth result="&{Id: Name: Email:a@b.com Login:a@b.com Company: Role: Groups:[]}"
lvl=dbug msg="OAuthLogin got user info" logger=oauth userInfo="&{Id: Name: Email:a@b.com Login:a@b.com Company: Role: Groups:[]}"
lvl=dbug msg="Updating user_auth info" logger=login.ext_user user_id=2
lvl=dbug msg="Updated user_auth" logger=sqlstore user_id=2 auth_module=oauth_generic_oauth rows=10

Thanks!

jangaraj · September 3, 2020, 12:07pm

You don’t have any groups, roles claim in the userinfo, but you are using them in role attribute path. Configure used OIDC client in the Keycloak: configure proper group/role mappers or create scope for them and expose their outputs in the userinfo response.

gokilavani · June 30, 2021, 8:59am

am also facing same issue , pls help …how can i reach u faster?

surajkalloli123 · January 6, 2023, 10:19am

Refer this Role mapping keycloak and grafana 9.1.1 not successfull - #2 by rpartapsing
May be it will help you , because i faced the same issue and resolved

Topic		Replies	Views
Roles not being assigned with integration with Keycloak for OAuth Authentication backend-platform , oauth	1	2361	October 11, 2021
Grafana v5.2.4 role attribute path correct format Grafana	2	1162	March 31, 2022
Role management	4	2024	August 28, 2020
Issue with Role Mapping in Grafana OAuth Configuration with Keycloak Authentication auth , oauth , grafana-roles , keycloak	4	8080	June 5, 2024
Grafana Oauth Issue with Keycloak "idP did not return a role attribute" Authentication keycloak	7	853	June 6, 2024

Keycloak and grafana don't recive info user role

Related topics