Role is not attached to user when using role_attribute_path for generic oauth

Hey guys,

I am trying to attach roles when users log in using auth.generic_oauth. I am using Okta, so I wanted to know if there is something missing from here.

[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = <client_id>
client_secret = <client_secret>
scopes = openid profile email
;email_attribute_name = email:primary
;email_attribute_path =
auth_url = https://<okta_url>/oauth2/v1/authorize
token_url = https://<okta_url>/oauth2/v1/token
api_url = https://<okta_url>/oauth2/v1/userinfo
;allowed_domains =
;team_ids =
;allowed_organizations =
role_attribute_path = contains(info.groups[], 'admin') && 'Admin' || contains(info.groups[], 'editor') && 'Editor' || 'Viewer'
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =

Thanks,

Vignesh

Increase log level to debug and check logs. You will see all received tokens/userinfo details there, so you can verify it against used JMESPath.

:roll_eyes: I didn't ask you to post those details. I just gave you a hint on how to debug it safely. You are exposing your identity and credentials. Not a clever idea.

@jangaraj: I get the below error

t=2020-02-06T23:12:07+0000 lvl=eror msg="Attribute not found when searching JSON with provided path" logger=oauth.generic_oauth attributePath=grafana_admin

I am just trying to figure out what the resourcePath is supposed to look like.

Your input:

  • id_token and userinfo from logs (they are json)
  • role_attribute_path value

Use both on http://jmespath.org/ and test/evaluate your role_attribute_path value.

Note 1: use 6.6.0+ because you may need https://github.com/grafana/grafana/pull/20300
Note 2: you may need to configure your Okta OIDC client, because only you know what is returned by Okta IdP; maybe some details useful for authorization are not returned

Doc: https://grafana.com/docs/grafana/latest/auth/generic-oauth/#jmespath-examples
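To make the check above repeatable offline, here is an added example (not code from the thread or from Grafana) that takes a userinfo document and a role_attribute_path and reports which referenced paths are absent, which is what the "Attribute not found" log line is pointing at. It handles only the `contains(path[], 'x') && 'Role' || ... || 'Fallback'` shape used in this thread; it is an assumption-laden stand-in, not a JMESPath implementation, and the sample userinfo documents are constructed, not real Okta output.

```python
import re

# Assumed restricted grammar: alternatives joined by "||", each either
#   contains(<dotted.path>[], '<needle>') && '<Role>'   or a bare '<Fallback>'.
ALT_RE = re.compile(r"contains\(([\w.]+)\[\],\s*'([^']*)'\)\s*&&\s*'([^']*)'")
LIT_RE = re.compile(r"'([^']*)'")

# The expression from the question (with straight quotes).
ROLE_PATH = ("contains(info.groups[], 'admin') && 'Admin' || "
             "contains(info.groups[], 'editor') && 'Editor' || 'Viewer'")

# Constructed sample userinfo documents, standing in for what the debug log shows.
USERINFO_FLAT = {"sub": "00u1", "email": "v@example.com", "groups": ["editor"]}
USERINFO_NESTED = {"sub": "00u1", "info": {"groups": ["everyone", "admin"]}}


def lookup(doc, dotted):
    """Walk a dotted key path; return None as soon as a segment is absent."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def parse_alternatives(expr):
    """Split the expression into ('contains', path, needle, role) / ('literal', role)."""
    parts = []
    for frag in (f.strip() for f in expr.split("||")):
        m = ALT_RE.fullmatch(frag)
        if m:
            parts.append(("contains",) + m.groups())
            continue
        m = LIT_RE.fullmatch(frag)
        if m:
            parts.append(("literal", m.group(1)))
            continue
        raise ValueError(f"unsupported fragment: {frag!r}")
    return parts


def missing_paths(expr, userinfo):
    """Paths the expression reads that do not resolve to a list in userinfo."""
    return sorted({p for kind, p, *_ in parse_alternatives(expr)
                   if kind == "contains" and not isinstance(lookup(userinfo, p), list)})


def resolve_role(expr, userinfo):
    """First role whose group check passes, else the fallback literal."""
    for part in parse_alternatives(expr):
        if part[0] == "literal":
            return part[1]
        _, path, needle, role = part
        groups = lookup(userinfo, path)
        if isinstance(groups, list) and needle in groups:
            return role
    return None
```

If `missing_paths` is non-empty for the userinfo you pulled from the debug log, the path in role_attribute_path does not match the shape the IdP actually returns; fix the path (or the Okta client's claims) before expecting anything other than the fallback role.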

@jangaraj: Is this working in 6.5.x? If that's the case, I can downgrade to that version?

Please read release notes.