OAuth: Reject users, if they don't own specific roles

Happy that https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-5/#generic-oauth-role-mapping (Generic OAuth and user role mapping) got implemented in Grafana 6.5.

Along with another fix provided in Grafana 6.6, so far it works for us to assign OAuth roles to Grafana roles:

oauth_role_grafana_admin -> Grafana Org_ID 1, role “Admin”
oauth_role_grafana_viewer -> Grafana Org_ID 1, role “Viewer”

But if a user doesn’t have any of the roles “oauth_role_grafana_admin” or “oauth_role_grafana_viewer”, Grafana still allows login and creates a new organization for the user, where the user has “Admin” role.

Rather we want Grafana to reject the login completely.

Is there a way to achieve this? We could make this logic work using LDAP authentication.


I am also very interested in knowing how to do that.

I am using Grafana 6.6.2 configured for generic OAuth (using Keycloak). Roles mapping works as intended, but when the user roles do not match any of Grafana roles, I would like to either redirect to a “forbidden” error page, hide all dashboards/folders or reject login. For now, I managed only to fallback to an existing role.

I tried playing with the “role_attribute_path” property, but it always defaults to Viewer (in general).


We have the same problem, but we have found a workaround.

By running a keycloak Gatekeeper before Grafana and linked with the same keycloak, we allow the access to Grafana just when users have a role.

I know this is not the perfect situation, but it is quite safe :slight_smile:

1 Like

I am using 6.7.3. I have observed the same behavior - defaults to Viewer role. Can any one please help me how we can reject users if they don’t own specific roles?