I’m currently running Grafana with GitLab SSO for user authentication, and I’m planning to migrate to a generic OAuth solution soon. However, I’ve encountered a problem: when I try to delete users that were automatically synced from GitLab, I receive a “failed to fetch” error, and the deletion operation fails.
This issue is preventing me from clearing out the existing user records so that I can migrate them to the new OAuth provider (which fails if an account with the same email already exists). Has anyone experienced this “failed to fetch” error when attempting to delete SSO-synced users? Are there any workarounds or configuration changes that might allow me to remove these users, or otherwise reset the user records, to facilitate a smooth migration?
Any advice or best practices would be greatly appreciated!
Generally, deleting doesn’t help you. The user will be recreated when he uses SSO login next time.
You need to use authorization, e.g. require that the user must be a member of some group, role mapping = access is still managed centrally on the IDP server.
Another option is role mapping, where you as Grafana admin can map some users/groups to the None role, so they should be able to log in, but won’t have any permissions - in this case the local app (Grafana) admin manages authorization.
In my case, it would. I want to delete the user as I will migrate to a different SSO and delete the old users setup. And mapping them to none doesn’t solve it as I want them recreated with the same email with the new generic OAuth setup.
Context:
I currently have a GitLab SSO, and around ~30 users. But we decided to migrate from GitLab altogether in the next year. And as part of the process, I would like to migrate to a generic OAuth solution that I have set up. But due to having the same email, Grafana gives an error: Failed to sync user, when I set up the new generic OAuth. And I noticed that this happens when a user with that email already exists. So I want to either migrate it to the new OAuth SSO or have the user deleted and recreated with the new OAuth.
I would enable oauth_allow_insecure_email_lookup during migration (but test it properly, it can create a mess). Then I would wait/force all users to use the new IDP. I will disable insecure email lookup and the old IDP when all users have Grafana identities created/migrated with the new IDP.
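
Added example, not part of the original thread and not Grafana's own code: a readiness check for the last step above, reporting which accounts still have no identity with the new IdP before the email lookup and the old IdP are switched off. The rows are constructed, and the (login, email, auth_module) layout and the module names `oauth_gitlab` / `oauth_generic_oauth` are assumptions about an export of the user and linked-identity data.

```python
# Constructed sample rows, assumed to come from an export of Grafana users
# joined with their linked SSO identities: (login, email, auth_module).
# The module names below are assumptions, not values taken from the thread.
OLD_MODULE = "oauth_gitlab"
NEW_MODULE = "oauth_generic_oauth"

SAMPLE_ROWS = [
    ("alice", "alice@example.com", "oauth_gitlab"),
    ("alice", "alice@example.com", "oauth_generic_oauth"),
    ("bob", "bob@example.com", "oauth_gitlab"),
    ("carol", "carol@example.com", "oauth_generic_oauth"),
    ("carol2", "Carol@Example.com", "oauth_gitlab"),
    ("admin", "admin@example.com", None),  # local account, no SSO identity
]


def migration_report(rows, old=OLD_MODULE, new=NEW_MODULE):
    """Summarise which accounts still depend on the old IdP."""
    modules = {}  # login -> set of auth modules linked to that account
    emails = {}   # lower-cased email -> set of logins using it
    for login, email, module in rows:
        modules.setdefault(login, set())
        if module:
            modules[login].add(module)
        emails.setdefault(email.lower(), set()).add(login)

    pending = sorted(l for l, m in modules.items() if old in m and new not in m)
    migrated = sorted(l for l, m in modules.items() if new in m)
    # Two accounts sharing one email (ignoring case) make an email-based
    # match ambiguous, so these need manual review during the migration.
    ambiguous = {e: sorted(ls) for e, ls in emails.items() if len(ls) > 1}
    return {
        "pending": pending,
        "migrated": migrated,
        "ambiguous_emails": ambiguous,
        "safe_to_disable_lookup": not pending,
    }


if __name__ == "__main__":
    for key, value in migration_report(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```
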