Map OIDC group to a role without the use of Team Sync

  • What Grafana version and what operating system are you using?
    Currently Using Grafana Enterprise 8.5 (free/unlicensed version)

  • What are you trying to achieve?
    Trying to map OIDC groups to roles within grafana. We have Okta set up to do Oauth authentication and it works currently but all users by default get assigned the “Viewer” role within Grafana. We want to map users to either “Viewer”, “Editor” or “Admin” based on which OIDC group they belong too. Since we don’t have a full license to Grafana Enterprise, we cannot use Team Sync.

  • How are you trying to achieve it?
    Attempted to add the following ENV variable overwrite.

value = "contains(info.groups[*], 'Admin-Group') && 'Admin' || contains(info.groups[*], 'ReadWrite-Group') && 'Editor' || 'Viewer'"
  • What happened?
    Okta authenticated users were supplied with the default “Viewer” role within Grafana

  • What did you expect to happen?
    Hoped that the Groups would map to their respective roles, ie Admin-Group to Admin.

  • Did you follow any online instructions? If so, what is the URL?
    Used info provided in the Grafana documentation here.
    Configure generic OAuth authentication | Grafana documentation

Still having this issue, so still in need of assistance. We did evaluate the role_attribute_path on JMESPath — JMESPath and the result is the proper role. Also ‘info’ was removed from the statement as that wasn’t actually in the Okta payload.

Was able to access the logs and have the following error.

logger=oauth.okta t=2022-07-27T15:24:07.39+0000 lvl=eror msg="Failed to extract role" error="failed to search user info JSON response with provided path: \"contains(groups[*], 'Admin-Group') && 'Admin' || contains(groups[*], 'ReadWrite-Group') && 'Editor' || 'Viewer'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"

We were able to solve the issue.

groups array was originally in the access token instead of the id token.