Happy that Generic OAuth and user role mapping (https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-5/#generic-oauth-role-mapping) got implemented in Grafana 6.5.
Along with another fix provided in Grafana 6.6, so far it works for us to assign OAuth roles to Grafana roles:
oauth_role_grafana_admin -> Grafana Org_ID 1, role “Admin”
oauth_role_grafana_viewer -> Grafana Org_ID 1, role “Viewer”
But if a user doesn’t have any of the roles “oauth_role_grafana_admin” or “oauth_role_grafana_viewer”, Grafana still allows login and creates a new organization for the user, where the user has the “Admin” role.
Rather, we want Grafana to reject the login completely.
Is there a way to achieve this? We could make this logic work using LDAP authentication.