- What Grafana version and what operating system are you using?
  - Grafana Operator, Grafana version 12.2.1
- What are you trying to achieve?
  - Authorize to Grafana using Keycloak. Log in with a user that has a role mapped from the token.
- How are you trying to achieve it?
- values.yaml for grafana.ini:

```yaml
version: 12.2.1
config:
  auth:
    disable_login_form: "false"
  auth.generic_oauth:
    enabled: "true"
    name: "Keycloak SSO"
    allow_sign_up: "true"
    client_id: ${AUTH_CLIENT_ID}
    client_secret: ${AUTH_CLIENT_SECRET}
    scopes: "openid email profile offline_access roles"
    email_attribute_path: email
    login_attribute_path: username
    name_attribute_path: full_name
    groups_attribute_path: groups
    auth_url: <auth_url>
    token_url: <token_url>
    api_url: <api_url>
    role_attribute_path: "contains(resource_access.grafana-oauth.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana-oauth.roles[*], 'editor') && 'Editor' || 'Viewer'"
```
- What happened?
  - The logged-in user always gets the Viewer role.
- What did you expect to happen?
  - Log in to Grafana using Keycloak SSO with the correct role.
- Can you copy/paste the configuration(s) that you are having problems with? Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
  - No errors in info or debug mode.
- Did you follow any online instructions? If so, what is the URL?
  - Yeah, I followed the Grafana OAuth2 Keycloak docs: Configure Keycloak OAuth2 authentication | Grafana documentation
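
As an added example (not part of the original post and not Grafana's or Keycloak's own code), this decodes a token payload and reports whether it carries the `resource_access.grafana-oauth.roles` claim that the `role_attribute_path` above reads. The sample tokens are constructed, `make_sample_token` is a hypothetical helper, and `expected_role` is a plain-Python restatement of the intended mapping, not a JMESPath evaluation.

```python
import base64
import json

CLIENT_ID = "grafana-oauth"  # key under resource_access in the post's role_attribute_path


def jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload segment. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def client_roles(claims: dict, client_id: str = CLIENT_ID) -> list:
    """Return resource_access.<client_id>.roles, or [] if any level is missing."""
    node = claims
    for key in ("resource_access", client_id, "roles"):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return node if isinstance(node, list) else []


def expected_role(roles: list) -> str:
    """Intended mapping from the post: admin -> Admin, editor -> Editor, else Viewer."""
    if "admin" in roles:
        return "Admin"
    if "editor" in roles:
        return "Editor"
    return "Viewer"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (hypothetical helper)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tokens: one carries the client roles claim, one does not.
WITH_ROLES = make_sample_token({"email": "a@example.com", "resource_access": {CLIENT_ID: {"roles": ["admin"]}}})
WITHOUT_ROLES = make_sample_token({"email": "a@example.com"})

if __name__ == "__main__":
    for name, tok in (("with roles", WITH_ROLES), ("without roles", WITHOUT_ROLES)):
        roles = client_roles(jwt_payload(tok))
        print(f"{name}: roles={roles} -> {expected_role(roles)}")
```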