Keycloak and Grafana don't receive user role info

Hi, I have a problem with grafana and keycloak integration.

I have set the role attribute path, and I have roles assigned to the user in Keycloak, but Grafana doesn't receive them. Why?

contains(roles[*], 'Admin') && 'Admin' || contains(groups[*], 'Editor') && 'Editor' || 'Viewer'

        - name: "GF_AUTH_GENERIC_OAUTH_SCOPES"
          value: "profile email roles"

lvl=dbug msg="HTTP GET https://sso.kubernetes.local/auth/realms/master/protocol/openid-connect/userinfo: 200 OK {\"sub\":\"ac9ea49b-6f4e-48e1-ac16-b55270f488ba\",\"email_verified\":false,\"preferred_username\":\"admin\",\"email\":\"a@b.com\"}"
lvl=dbug msg="Received user info response" logger=oauth.generic_oauth raw_json="{\"sub\":\"ac9ea49b-6f4e-48e1-ac16-b55270f488ba\",\"email_verified\":false,\"preferred_username\":\"admin\",\"email\":\"a@b.com\"}" data="Name: , Displayname: , Login: , Username: , Email: a@b.com, Upn: , Attributes: map[]"
lvl=eror msg="Failed to extract role" logger=oauth.generic_oauth error="failed to search user info JSON response with provided path: \"contains(roles[*], 'Admin') && 'Admin' || contains(groups[*], 'Editor') && 'Editor' || 'Viewer'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"
lvl=dbug msg="User info result" logger=oauth.generic_oauth result="&{Id: Name: Email:a@b.com Login:a@b.com Company: Role: Groups:[]}"
lvl=dbug msg="OAuthLogin got user info" logger=oauth userInfo="&{Id: Name: Email:a@b.com Login:a@b.com Company: Role: Groups:[]}"
lvl=dbug msg="Updating user_auth info" logger=login.ext_user user_id=2
lvl=dbug msg="Updated user_auth" logger=sqlstore user_id=2 auth_module=oauth_generic_oauth rows=10

Thanks!

You don’t have any groups or roles claims in the userinfo, but you are using them in the role attribute path. Configure the OIDC client used in Keycloak: configure proper group/role mappers, or create a scope for them, and expose their outputs in the userinfo response.

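The failure described in the answer above can be reproduced offline. The following is an added example, not code from any poster in this thread or from Grafana: a small Python check that emulates only this one expression shape (it is not a JMESPath implementation) against the userinfo body from the debug log. `missing_claims`, `resolve_role` and the second, constructed userinfo sample are hypothetical names and data.

```python
import json
import re

# Constructed sample inputs: the first mirrors the userinfo body in the debug
# log above; the second is a hypothetical response after mappers add the claims.
USERINFO_FROM_LOG = json.loads(
    '{"sub":"ac9ea49b-6f4e-48e1-ac16-b55270f488ba","email_verified":false,'
    '"preferred_username":"admin","email":"a@b.com"}'
)
USERINFO_WITH_CLAIMS = dict(USERINFO_FROM_LOG, roles=["Admin"], groups=["Editor"])

ROLE_PATH = ("contains(roles[*], 'Admin') && 'Admin' || "
             "contains(groups[*], 'Editor') && 'Editor' || 'Viewer'")

# One "contains(<claim>[*], '<value>') && '<role>'" branch of the expression.
BRANCH = re.compile(r"contains\((\w+)\[\*\],\s*'([^']*)'\)\s*&&\s*'([^']*)'")


def missing_claims(role_path, userinfo):
    """Top-level claims the expression reads that userinfo does not carry."""
    referenced = [m.group(1) for m in BRANCH.finditer(role_path)]
    return [c for c in dict.fromkeys(referenced) if c not in userinfo]


def resolve_role(role_path, userinfo):
    """Evaluate this expression shape left to right, like && / || chaining."""
    *branches, default = [p.strip() for p in role_path.split("||")]
    for branch in branches:
        m = BRANCH.fullmatch(branch)
        if m is None:
            raise ValueError(f"unsupported branch: {branch}")
        claim, wanted, role = m.groups()
        values = userinfo.get(claim)
        if not isinstance(values, (list, str)):
            # contains() rejects null: the "Invalid type for: <nil>" error in the log
            raise TypeError(f"claim '{claim}' is {values!r}, expected array or string")
        if wanted in values:
            return role
    return default.strip("'")


if __name__ == "__main__":
    print("missing from userinfo:", missing_claims(ROLE_PATH, USERINFO_FROM_LOG))
    print("role once claims exist:", resolve_role(ROLE_PATH, USERINFO_WITH_CLAIMS))
```

Running `missing_claims` against a captured userinfo body before changing Grafana settings shows whether the problem is on the Keycloak side (claims absent) or in the expression itself.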

I am also facing the same issue, please help … how can I reach you faster?

Refer to this: Role mapping keycloak and grafana 9.1.1 not successfull - #2 by rpartapsing
Maybe it will help you, because I faced the same issue and resolved it.