I have integrated Grafana with Keycloak and it was successful. Now how do I assign roles to the user by OAuth?
Hello,
When logging in using OAuth, you should see in the Grafana logs the raw JSON sent by Keycloak. Do you see the roles in this JSON? If not, you probably need to change some settings in Keycloak itself. If yes, you can go to your Grafana configuration file and put the path to the role field in it:
[auth.generic_oauth]
name = Keycloak
enabled = true
...
role_attribute_path = role
You’ll find more information on what to put in this field in the documentation: https://grafana.com/docs/grafana/latest/auth/generic-oauth/#jmespath-examples
Thank you so much for the reply. May I know which changes I need to make? I didn’t see any roles in JSON format in the Grafana logs. Moreover, in that link they were showing a payload file; where do we get that in Grafana?
Could you please help me!
Payloads are examples of raw JSON data received in the token or the userinfo; you can see them in the logs.
I don’t know Keycloak really well, but I found that you can have access to your roles in the token ID JSON raw data by doing this:
- Go to Client Scopes > roles > Mappers > client roles
- Check “Add to ID token”:
Now you should see the roles information in your logs.
Then, according to this configuration and with my Grafana client roles being Admin, Editor or Viewer, I set this in the configuration file:
[auth.generic_oauth]
...
role_attribute_path = resource_access.grafana.roles[0]
It can be different for you if you updated the Token Claim Name or if you have different roles.
If you have trouble setting the role_attribute_path, you can share your JSON raw data here (hiding sensitive info) and I’ll try to help you.
Thank you for the great information. I have done that authorization and it is working fine now. I am at level 2, that is, if the user doesn’t have any roles then Grafana will stop that login process. Currently I am working on this.
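An added example, not part of the thread and not Grafana's or Keycloak's own code: a small offline checker for the claims discussed above. It shows what a path ending in `roles[0]` selects when a user holds several client roles, and what comes back when the user has none. The helper names, the `grafana` client ID default and the sample claims are assumptions constructed for illustration.

```python
import base64
import json

# Grafana's organization roles, highest privilege first.
PRECEDENCE = ("Admin", "Editor", "Viewer")


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.
    For inspecting claims offline only; never use this for authentication."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def client_roles(payload: dict, client: str = "grafana") -> list:
    """Roles at resource_access.<client>.roles, or [] when a level is missing."""
    roles = payload.get("resource_access", {}).get(client, {}).get("roles", [])
    return roles if isinstance(roles, list) else []


def first_role(payload: dict, client: str = "grafana"):
    """What a path ending in roles[0] selects: whichever role is listed first."""
    roles = client_roles(payload, client)
    return roles[0] if roles else None


def highest_role(payload: dict, client: str = "grafana"):
    """Order-independent alternative: the most privileged recognised role,
    or None when the user has none (the case to reject rather than default)."""
    roles = set(client_roles(payload, client))
    return next((r for r in PRECEDENCE if r in roles), None)


def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed, for the demo only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample claims, shaped like the client-roles mapper output.
SAMPLES = {
    "alice": {"resource_access": {"grafana": {"roles": ["Viewer", "Admin"]}}},
    "bob": {"resource_access": {"account": {"roles": ["view-profile"]}}},
}

if __name__ == "__main__":
    for user, claims in SAMPLES.items():
        payload = jwt_payload(make_token(claims))
        print(user, first_role(payload), highest_role(payload))
```

For the no-role case, Grafana's `[auth.generic_oauth]` section has a `role_attribute_strict` option that denies login when no valid role can be extracted with `role_attribute_path`.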