Okta authentication with group and user attribute condition

  • What Grafana version and what operating system are you using?

10.4

  • What are you trying to achieve?

okta authentication, group-based and attribute-based role

  • How are you trying to achieve it?

role_attribute_path: "(contains(groups[*], 'Dept_X') && data.attribute1 == 'true') && 'GrafanaAdmin' || 'None'"

  • What happened?

I get the None condition

  • What did you expect to happen?

This is where things get interesting. I’m trying to do a combination of group membership and a user-level attribute equaling a value as the conditional decision. The idea is that we are using a single group, say for a bunch of devs, but we only want them to have access when a given attribute matches a value, e.g. more than simple group membership.

I’ve experimented with the stanza on jmespath.org - here is the query and (dummy) data for validation:

query: (contains(groups[*], 'Dept_X') && attributes.key1 == 'true') && 'GrafanaAdmin' || 'None'
data block:

{
  "groups": [
    "abc",
    "Dept_X"
  ],
  "attributes": {
    "attribute1": "x",
    "attribute2": "val2"
  }
}

If you change the value of attribute1 from "x" to "true" the result will change to GrafanaAdmin like it should.

The part I am missing is how to access the custom user attribute key in the spath condition. I have set the log level of grafana to debug and I see (sorry, doctored a bit, reformatted for ease of reading)

logger=oauth.okta t=2025-03-27T18:33:24.969204252Z level=debug msg="Received user info response" 

raw_json="{
  "sub":"xxxx",
  "name":"xxxx",
  "locale":"en_US",
  "email":"xxxx",
  "preferred_username":"xxxx",
  "given_name":"xxx",
  "family_name":"xxx",
  "zoneinfo":"AmericagLos_Angeles",
  "updated_at":1234,
  "email_verified":true,
  "groups":[
    "Everyone",
    (... snip )
    "Dept_X"
  ]
  }"
  data="unsupported value type"

I’m hoping the attributes are buried somewhere in data. I can’t see the value so it’s hard to know what to key off of.

If I take the attribute bit out of the spath, authentication works and I get the appropriate role, so this is not an issue with the grafana / okta configuration.

  • Did you follow any online instructions? If so, what is the URL?

This is a weird userinfo response. Are you sure that data key is outside? Could you provide a real example, please?

All I did was remove the \ and add some new lines. That data="unsupported value type" is how it was in the original log. Here is a redacted-only version:

logger=oauth.okta t=2025-03-28T14:02:20.277937117Z level=debug msg="Received user info response" raw_json="{\"sub\":\"xxx\",\"name\":\"xxxx\",\"locale\":\"en_US\",\"email\":\"xxxx\",\"preferred_username\":\"xxxxx\",\"given_name\":\"xxx\",\"family_name\":\"xxxx\",\"zoneinfo\":\"America/Los_Angeles\",\"updated_at\":123,\"email_verified\":true,\"groups\":[\"Everyone\",\"xxxx\",\"xxxxx\",\"xxxxx\",\"xxxx\",\"xxxxx\",\"Dept_X\"]}" data="unsupported value type"

OK, so userinfo is:

{
    "sub": "xxx",
    "name": "xxxx",
    "locale": "en_US",
    "email": "xxxx",
    "preferred_username": "xxxxx",
    "given_name": "xxx",
    "family_name": "xxxx",
    "zoneinfo": "America/Los_Angeles",
    "updated_at": 123,
    "email_verified": true,
    "groups": [
        "Everyone",
        "xxxx",
        "xxxxx",
        "xxxxx",
        "xxxx",
        "xxxxx",
        "Dept_X"
    ]
}

There is no attributes.key1.

Looking in the okta_oauth.go#L36 we can see there is an attributes element to the json which seems like what I would want. I’m trying that blind right now (it’s not working either ;( )

If I’m understanding okta_oauth.go#L146-L152, if the attributes are being pulled from okta they are not preserved for the Userinfo - only group membership.

Well, there are no attributes - it’s more than just a missing key1. The attributes themselves do not appear to be available.

Yeah, your IDP didn’t add attributes to the userinfo response, so Grafana can’t use them. Check your IDP doc how to add that.


Do you know if the attributes would be under attributes or data by chance? Has this been done before?

I don’t understand. You need userinfo:

{
    "sub": "xxx",
    "name": "xxxx",
    "locale": "en_US",
    "email": "xxxx",
    "preferred_username": "xxxxx",
    "given_name": "xxx",
    "family_name": "xxxx",
    "zoneinfo": "America/Los_Angeles",
    "updated_at": 123,
    "email_verified": true,
    "groups": [
        "Everyone",
        "xxxx",
        "xxxxx",
        "xxxxx",
        "xxxx",
        "xxxxx",
        "Dept_X"
    ],
    "attributes": {
        "key1": "true"
    }
}

and then you can use jmespath "attributes.key1 == 'true'".
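To make the two points above concrete (the jmespath.org experiment earlier in the thread and the userinfo shape shown here), this is an added check that is not from the thread, from Grafana, or from Okta: it decodes the escaped raw_json value out of a Grafana debug line like the one quoted above, reports which fields the expression depends on are absent, and applies the mapping. The log lines are constructed with redacted values, and the JMESPath expression is mirrored in plain Python rather than evaluated by a JMESPath library (assumed equivalent for this expression shape).

```python
import json

# Constructed samples in the shape of the Grafana debug line quoted above
# (redacted values); the second adds the attributes object the mapping needs.
LOG_LINE_NO_ATTRS = (
    r'logger=oauth.okta t=2025-03-28T14:02:20.277937117Z level=debug '
    r'msg="Received user info response" '
    r'raw_json="{\"sub\":\"xxx\",\"email\":\"xxxx\",\"groups\":[\"Everyone\",\"Dept_X\"]}" '
    r'data="unsupported value type"'
)
LOG_LINE_WITH_ATTRS = LOG_LINE_NO_ATTRS.replace(
    r'\"Dept_X\"]}', r'\"Dept_X\"],\"attributes\":{\"key1\":\"true\"}}'
)

def extract_raw_json(line: str) -> dict:
    """Decode the escaped raw_json="..." value of a logfmt-style debug line."""
    i = line.index('raw_json="') + len('raw_json="')
    out = []
    while i < len(line):
        ch = line[i]
        if ch == '\\' and i + 1 < len(line):
            out.append(line[i + 1])  # \" inside the value is a literal quote
            i += 2
            continue
        if ch == '"':
            break  # first unescaped quote closes the value
        out.append(ch)
        i += 1
    return json.loads(''.join(out))

def missing_paths(userinfo: dict) -> list:
    """Fields referenced by the expression that the userinfo lacks."""
    missing = []
    if not isinstance(userinfo.get('groups'), list):
        missing.append('groups')
    if not isinstance(userinfo.get('attributes'), dict):
        missing.append('attributes')
    elif 'key1' not in userinfo['attributes']:
        missing.append('attributes.key1')
    return missing

def map_role(userinfo: dict) -> str:
    """Plain-Python mirror (assumed equivalent) of
    (contains(groups[*], 'Dept_X') && attributes.key1 == 'true') && 'GrafanaAdmin' || 'None'.
    With no attributes object the comparison is false, so the fallback 'None' wins."""
    in_group = 'Dept_X' in userinfo.get('groups', [])
    attr_ok = (userinfo.get('attributes') or {}).get('key1') == 'true'
    return 'GrafanaAdmin' if in_group and attr_ok else 'None'
```

Running `missing_paths` on the decoded userinfo from a real debug line tells you whether the IdP is sending the attribute at all, before you spend time on the expression itself.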

My expectation was that the attribute would show up as your example is written - that I would have an attributes dict with key/val pairs that I can condition off of as your response is suggesting.

I don’t have access to the okta configuration - it’s done by a different person. I’ve asked to double-check that the attribute is set and the key/val are what I expect.

I had expected that with the log level at debug I would have seen that attributes element, and I don’t. So either grafana doesn’t support it in the okta configuration/provider or it’s not configured properly.

I’m asking if you know of others doing what I’m trying to do with attributes.

IMHO a key/value attribute is not a standard (but that depends on your IDP team preferences and your IDP options). I would probably rather use roles (so authorization will be based on groups AND roles); that sounds better to me than attributes.
