Read auth0 roles and groups from app_metadata

  • What Grafana version and what operating system are you using?
    Docker - v9.1.8

  • What are you trying to achieve?
    I’m trying to read the app_metadata part of auth0 users, so I can set the correct groups and role for that user based on the auth0 configuration.

  • How are you trying to achieve it?
    First I created a team in Grafana called “CNViewers” and I added the following json to the app_metadata of the user in auth0

{
  "groups": [ "CNViewers" ],
  "role": "Editor"
}

Then I updated my ini file to the following:

...
role_attribute_path = role
groups_attribute_path = groups

  • What happened?
    I get the warning that no roles or groups can be detected.
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8780685Z level=debug msg="Received user info response from API" raw_json="{\"sub\":\"auth0|*******\",\"nickname\":\"mi*****ni\",\"name\":\"mi********.com\",\"picture\":\"https://s.gravatar.com/...\",\"updated_at\":\"2022-10-12T07:27:11.182Z\",\"email\":\"mi******com\",\"email_verified\":false,\"<domain>/email\":\"mi*******com\",\"<domain>/firstName\":\"M***l\",\"<domain>/name\":\"R***i\",\"<domain>/groups\":[\"CNViewers\"],\"<domain>/role\":\"Editor\"}" data="Name: mi************com, Displayname: , Login: , Username: , Email: mi**************com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8780843Z level=debug msg="Processing external user info" source=token data="Name: mi**********com, Displayname: , Login: , Username: , Email: mi**********com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8780974Z level=debug msg="Setting user info name from name field"
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8781021Z level=debug msg="Set user info email from extracted email" email=mi**********com
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8782102Z level=warn msg="No valid role found. Skipping role sync. In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. If role sync is not desired, set oauth_skip_org_role_update_sync to false"
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8782712Z level=debug msg="Processing external user info" source=API data="Name: mi**********com, Displayname: , Login: , Username: , Email: mi**********com, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8783379Z level=warn msg="No valid role found. Skipping role sync. In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. If role sync is not desired, set oauth_skip_org_role_update_sync to false"
logger=oauth.generic_oauth t=2022-10-12T07:27:11.8784015Z level=debug msg="Defaulting to using email for user info login" email=mi**********com
logger=oauth.generic_oauth t=2022-10-12T07:27:11.878415Z level=debug msg="User info result" result="Id: , Name: mi**********com, Email: mi**********com, Login: mi**********com, Role: , Groups: []"
logger=oauth t=2022-10-12T07:59:07.9034619Z level=debug msg="Building external user info from OAuth user info"
logger=oauth t=2022-10-12T07:59:07.9034958Z level=debug msg="Syncing Grafana user with corresponding OAuth profile"
logger=login.ext_user t=2022-10-12T07:59:07.9496016Z level=debug msg="Updating user_auth info" user_id=2
logger=login.authinfo.store t=2022-10-12T07:59:07.9828591Z level=debug msg="Updated user_auth" user_id=2 auth_module=oauth_generic_oauth rows=1
logger=login.ext_user t=2022-10-12T07:59:07.9990137Z level=debug msg="Syncing organization roles" id=2 extOrgRoles=map[]
logger=login.ext_user t=2022-10-12T07:59:07.9990844Z level=debug msg="Not syncing organization roles since external user doesn't have any"

You can see that for some reason auth0 adds the domain to the role and groups property. I also tried to change my settings to the following:

...
role_attribute_path = https://<domain>/role
groups_attribute_path = https://<domain>/groups

But then I get an error that the path cannot be mapped because there is a “/” in the path in the ini file.

logger=oauth.generic_oauth t=2022-10-12T07:57:26.4391756Z level=warn msg="Failed to extract groups" err="failed to search user info JSON response with provided path: \"https://<domain>/groups\": SyntaxError: Unknown char: '/'"

  • What did you expect to happen?
    I was hoping that the groups and role would be mapped.

  • Can you copy/paste the configuration(s) that you are having problems with?

[server]
protocol = http
http_port = 3000
domain = localhost

[auth.generic_oauth]
enabled = true
name = AuthO
allow_sign_up = true
client_id = <client_id>
client_secret = <secret>
scopes = openid profile email groups
auth_url = https://<domain>.auth0.com/authorize
token_url = https://<domain>.auth0.com/oauth/token
api_url = https://<domain>.auth0.com/userinfo
role_attribute_path = role
groups_attribute_path = groups
use_pkce = true

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    See logs above.

Any idea how I can fix this problem?

Thanks in advance!

I think I found the solution for selecting the group array. The following line will select all groups that are found in the auth0 app_metadata json.

groups_attribute_path = "https://<domain>/groups"[*]

For some reason this solution doesn’t work for roles, so I fixed that with the following line:

"https://<domain>/role" == 'admin' && 'Admin' || 'Viewer'