Role mappings with custom IDP

Good Day, Friends!

I have a grafana instance installed via helm install -n monitoring monitoring-stack prometheus-community/kube-prometheus-stack -f kube-prometheus-values.yaml with chart version kube-prometheus-stack-68.4.5

We have our custom IDP in place, configured via Authentication->Generic OAuth. The users can log in and get the default role Viewer.

I tried to map IDP group to specific Grafana roles as described here:

Both settings, via chart and from the UI, seem to be ignored. I deleted and recreated IDP users as well.

grafana:
  grafana.ini:
    server:
      root_url: https://<our_idp>.de
      auth.generic_oauth:
        role_attribute_path: contains(groups.*.name, 'Monitoring') && 'Editor'

This expression evaluates, as expected, to the string “Editor”, as tested with https://jmespath.org

User info, as provided by our custom IDP

{
    "roles": [
        {
            "uuid": "250c449c-f4cd-4742-8105-1660e92a603d",
            "id": "ROLE",
            "displayName": "<>"
        },
        {
            "uuid": "94b0c717-d845-4cd3-882f-8f718012f512",
            "id": "ROLE_NBC_EXCLUDE",
            "displayName": "NBC Exclusion"
        },
        {
            "uuid": null,
            "id": "ROLE_USER",
            "displayName": "Benutzer"
        }
    ],
    "preferred_username": "test.user",
    "name": "Amanda \ud83e\udd84",
    "nickname": "Amanda",
    "given_name": "Amanda",
    "family_name": "\ud83e\udd84",
    "locale": "de-DE",
    "iss": "https:\/\/<url>.dev",
    "aud": "<>",
    "sub": "<>",
    "groups": {
        "1013": {
            "id": 1013,
            "uuid": "deee0251-ca58-4e2a-b69b-724d75f0353b",
            "act": "monitoring",
            "name": "Monitoring"
        }
    },
    "email": "test.user@idp.dev",
    "email_verified": true
}

Still, every user remains in the Viewer role, even after deleting the user from Grafana and logging in again via the IDP.

I could verify that the config map was populated and no errors from the pods were present.

Which options do I have to debug this behaviour?

I’m sorry to hear that you’re experiencing difficulties.

Grafana can provide valuable information about certain issues through its own debug logs. These logs can help troubleshoot and identify the root cause of problems (especially if they are related to anything that can be configured via Grafana config file).

To enable debug logging edit the configuration file grafana.ini:

[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
mode = console file

# Either "debug", "info", "warn", "error", "critical", default is "info"
level = debug

Then restart grafana for the setting to go into effect.

Replicate the problem and check Grafana logs. However, before posting the debug logs on the community forum, it is important to sanitize any private details such as passwords, tokens, IPs, names, … By including properly formatted debug logs (with sanitized information) and details about your installations (e.g. exact Grafana version, how it was installed, OS details, …), you greatly enhance the chances of receiving accurate assistance and solutions.

Thank you for your reply!

I've set and checked grafana.ini manually with kubectl -n monitoring exec monitoring-stack-grafana-5fd478858f-2hxhg -- cat /etc/grafana/grafana.ini

[analytics]
check_for_updates = true
[grafana_net]
url = https://grafana.net
[auth.generic_oauth]
role_attribute_path = contains(groups.*.name, 'Monitoring') && 'Editor'
[log]
mode = console
level = debug
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
domain = <url>
log = map[level:debug mode:console]
root_url = https://<url>

Within an incognito window, with the admin account, I have deleted the user. Then I logged in with the user using the “Login with” button.

These are the logs within that action span:

logger=context userId=0 orgId=0 uname= t=2025-06-03T09:29:49.89347245Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=<ipv6> time_ms=0 duration=440.085µs size=339 referer=https://<url>/login handler=/login/:name status_source=server
logger=ngalert.scheduler t=2025-06-03T09:29:50.001625209Z level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
logger=oauth.generic_oauth t=2025-06-03T09:29:50.835370909Z level=debug msg="Getting user info"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.835424074Z level=debug msg="Extracting user info from OAuth token"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.835845097Z level=debug msg="Received id_token" raw_json="{\"exp\":1748946590,\"iat\":1748942990,\"iss\":\"https:\\/\\/<idp_url>\",\"aud\":\"<redacted>\",\"sub\":\"20b81540-a5d2-438c-9a88-4c5ed537dbf2\",\"nonce\":null,\"email\":\"user.name@<idp_url>\",\"email_verified\":true,\"groups\":{\"10004\":{\"id\":10004,\"uuid\":\"1ff31004-9266-41ac-8ea6-08fedc9e3b77\",\"act\":\"<company>\",\"name\":\"<comapany>\"},\"10000\":{\"id\":10000,\"uuid\":\"2508bccb-0507-4137-ba6a-918b4eae5196\",\"act\":\"admins\",\"name\":\"Admins\"},\"10015\":{\"id\":10015,\"uuid\":\"15f378c2-c3e2-4695-a4a0-22faac02263a\",\"act\":\"monitoring\",\"name\":\"Monitoring\"}},\"roles\":[{\"uuid\":\"f66aee04-c335-4299-9cfe-ca7176cc0213\",\"id\":\"ROLE_ADMIN\",\"displayName\":\"Administrator\"},{\"uuid\":null,\"id\":\"ROLE_USER\",\"displayName\":\"Benutzer\"}],\"preferred_username\":\"user.name\",\"name\":\"User Name\",\"nickname\":\"Name\",\"given_name\":\"Name\",\"family_name\":\"Name\",\"locale\":\"de-DE\"}" data="Name: User Name, Displayname: , Login: , Username: , Email: user.name@<idp_url>, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.835915294Z level=debug msg="Getting user info from API"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.929973803Z level=debug msg="HTTP GET" url=https://<idp_url>/iserv/public/oauth/userinfo status="200 OK" response_body="{\"roles\":[{\"uuid\":\"f66aee04-c335-4299-9cfe-ca7176cc0213\",\"id\":\"ROLE_ADMIN\",\"displayName\":\"Administrator\"},{\"uuid\":null,\"id\":\"ROLE_USER\",\"displayName\":\"Benutzer\"}],\"preferred_username\":\"user.name\",\"name\":\"User Name\",\"nickname\":\"Name\",\"given_name\":\"Name\",\"family_name\":\"Name\",\"locale\":\"de-DE\",\"iss\":\"https:\\/\\/<idp_url>\",\"aud\":\"<redacted>\",\"sub\":\"20b81540-a5d2-438c-9a88-4c5ed537dbf2\",\"groups\":{\"10004\":{\"id\":10004,\"uuid\":\"1ff31004-9266-41ac-8ea6-08fedc9e3b77\",\"act\":\"<company>\",\"name\":\"<comapany>\"},\"10000\":{\"id\":10000,\"uuid\":\"2508bccb-0507-4137-ba6a-918b4eae5196\",\"act\":\"admins\",\"name\":\"Admins\"},\"10015\":{\"id\":10015,\"uuid\":\"15f378c2-c3e2-4695-a4a0-22faac02263a\",\"act\":\"monitoring\",\"name\":\"Monitoring\"}},\"email\":\"user.name@<idp_url>\",\"email_verified\":true}"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930205117Z level=debug msg="Received user info response from API" raw_json="{\"roles\":[{\"uuid\":\"f66aee04-c335-4299-9cfe-ca7176cc0213\",\"id\":\"ROLE_ADMIN\",\"displayName\":\"Administrator\"},{\"uuid\":null,\"id\":\"ROLE_USER\",\"displayName\":\"Benutzer\"}],\"preferred_username\":\"user.name\",\"name\":\"User Name\",\"nickname\":\"Name\",\"given_name\":\"Name\",\"family_name\":\"Name\",\"locale\":\"de-DE\",\"iss\":\"https:\\/\\/<idp_url>\",\"aud\":\"<redacted>\",\"sub\":\"20b81540-a5d2-438c-9a88-4c5ed537dbf2\",\"groups\":{\"10004\":{\"id\":10004,\"uuid\":\"1ff31004-9266-41ac-8ea6-08fedc9e3b77\",\"act\":\"<company>\",\"name\":\"<comapany>\"},\"10000\":{\"id\":10000,\"uuid\":\"2508bccb-0507-4137-ba6a-918b4eae5196\",\"act\":\"admins\",\"name\":\"Admins\"},\"10015\":{\"id\":10015,\"uuid\":\"15f378c2-c3e2-4695-a4a0-22faac02263a\",\"act\":\"monitoring\",\"name\":\"Monitoring\"}},\"email\":\"user.name@<idp_url>\",\"email_verified\":true}" data="Name: User Name, Displayname: , Login: , Username: , Email: user.name@<idp_url>, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930239264Z level=debug msg="Processing external user info" source=token data="Name: User Name, Displayname: , Login: , Username: , Email: user.name@<idp_url>, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930275098Z level=debug msg="Setting user info name from name field"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930290099Z level=debug msg="Set user info email from extracted email" email=user.name@<idp_url>
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930317578Z level=debug msg="Processing external user info" source=API data="Name: User Name, Displayname: , Login: , Username: , Email: user.name@<idp_url>, Upn: , Attributes: map[]"
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930356104Z level=debug msg="Defaulting to using email for user info login" email=user.name@<idp_url>
logger=oauth.generic_oauth t=2025-06-03T09:29:50.930388456Z level=debug msg="User info result" result="Id: 20b81540-a5d2-438c-9a88-4c5ed537dbf2, Name: User Name, Email: user.name@<idp_url>, Login: user.name@<idp_url>, Role: , Groups: [], OrgRoles: map[]"
logger=login.authinfo t=2025-06-03T09:29:51.006380607Z level=debug msg="auth info set in cache" cacheKey=authinfo-0-oauth_generic_oauth-20b81540-a5d2-438c-9a88-4c5ed537dbf2
logger=user.sync t=2025-06-03T09:29:51.008162172Z level=debug msg="Updating auth connection for user" id=
logger=login.authinfo.store t=2025-06-03T09:29:51.048620407Z level=debug msg="Updated user_auth" user_id=15 auth_id=20b81540-a5d2-438c-9a88-4c5ed537dbf2 auth_module=oauth_generic_oauth rows=1
logger=id-service t=2025-06-03T09:29:51.099526802Z level=debug msg="Cached token found" id=user:15
logger=login.authinfo t=2025-06-03T09:29:51.110011029Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--20b81540-a5d2-438c-9a88-4c5ed537dbf2
logger=sqlstore.session t=2025-06-03T09:29:51.140516492Z level=debug msg="reusing existing session" transaction=true
logger=sqlstore.session t=2025-06-03T09:29:51.141405213Z level=debug msg="reusing existing session" transaction=true
logger=auth t=2025-06-03T09:29:51.16926477Z level=debug msg="User auth token created" tokenID=108 userID=15 clientIP=<ipv6> userAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36" authToken=<auth_token>
logger=context userId=0 orgId=0 uname= t=2025-06-03T09:29:51.169521175Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=<ipv6> time_ms=470 duration=470.890166ms size=24 referer= handler=/login/:name status_source=server
logger=auth t=2025-06-03T09:29:51.340876965Z level=debug msg="Seen token" tokenID=108 userID=15 clientIP=<ipv6> userAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36" authToken=<auth_token>
logger=login.authinfo t=2025-06-03T09:29:51.420468982Z level=debug msg="auth info set in cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.420638114Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.424034367Z level=debug msg="Cached token found" id=user:15
logger=accesscontrol t=2025-06-03T09:29:51.428762873Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(licensing:read server.stats:read)"
logger=accesscontrol t=2025-06-03T09:29:51.428845042Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(licensing:read server.stats:read)"
logger=accesscontrol t=2025-06-03T09:29:51.430329076Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:dashboards:read scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.431035883Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(folders:read folders:create dashboards:read dashboards:create)"
logger=accesscontrol t=2025-06-03T09:29:51.431212286Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:dashboards:create scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.431317966Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="action:dashboards:create scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.431397091Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:datasources:explore scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.431479193Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="action:datasources:explore scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.431583394Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(alert.rules:read alert.rules.external:read)"
logger=accesscontrol t=2025-06-03T09:29:51.431671396Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(alert.notifications:read alert.notifications.external:read)"
logger=accesscontrol t=2025-06-03T09:29:51.43173374Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(alert.notifications:read alert.notifications.external:read)"
logger=accesscontrol t=2025-06-03T09:29:51.431817501Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(alert.instances:read alert.instances.external:read alert.silences:read)"
logger=accesscontrol t=2025-06-03T09:29:51.431886916Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(alert.instances:read alert.instances.external:read)"
logger=accesscontrol t=2025-06-03T09:29:51.431956817Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(alert.rules:create alert.rules.external:write)"
logger=accesscontrol t=2025-06-03T09:29:51.431996691Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(alert.rules:create alert.rules.external:write)"
logger=accesscontrol t=2025-06-03T09:29:51.432027113Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(datasources:create all of datasources:read, any of datasources:delete, datasources:write)"
logger=accesscontrol t=2025-06-03T09:29:51.432053304Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(datasources:create all of datasources:read, any of datasources:delete, datasources:write)"
logger=accesscontrol t=2025-06-03T09:29:51.432080416Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(all of orgs:read, orgs:write all of orgs.preferences:read, orgs.preferences:write)"
logger=accesscontrol t=2025-06-03T09:29:51.432372633Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(all of orgs:read, orgs:write all of orgs.preferences:read, orgs.preferences:write)"
logger=accesscontrol t=2025-06-03T09:29:51.432424843Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:settings:read scopes:settings:*"
logger=id-service t=2025-06-03T09:29:51.434249462Z level=debug msg="Cached token found" id=user:15
logger=accesscontrol t=2025-06-03T09:29:51.434382326Z level=debug msg="Evaluating permissions" id=user:15 orgID=0 permissions="action:orgs:read scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.434698048Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=0 permissions="action:orgs:read scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.434768109Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:settings:read scopes:settings:*"
logger=accesscontrol t=2025-06-03T09:29:51.434827799Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(plugins:write plugins:install)"
logger=accesscontrol t=2025-06-03T09:29:51.434886702Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(plugins:write plugins:install)"
logger=accesscontrol t=2025-06-03T09:29:51.434918088Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:datasources:explore scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.434933805Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="action:datasources:explore scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.434950182Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(org.users:read users:read)"
logger=accesscontrol t=2025-06-03T09:29:51.434964278Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(org.users:read users:read)"
logger=accesscontrol t=2025-06-03T09:29:51.434977839Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(teams:create all of teams:read, any of teams:write, teams.permissions:write, teams.permissions:read)"
logger=accesscontrol t=2025-06-03T09:29:51.434990839Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(teams:create all of teams:read, any of teams:write, teams.permissions:write, teams.permissions:read)"
logger=accesscontrol t=2025-06-03T09:29:51.435001884Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(serviceaccounts:read serviceaccounts:create)"
logger=accesscontrol t=2025-06-03T09:29:51.43501181Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(serviceaccounts:read serviceaccounts:create)"
logger=accesscontrol t=2025-06-03T09:29:51.435419942Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:apikeys:read scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.435547736Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="action:apikeys:read scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.435654699Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(settings:read settings:write settings:read settings:write settings:read settings:write settings:read settings:write settings:read settings:write settings:read settings:write)"
logger=accesscontrol t=2025-06-03T09:29:51.435761009Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(support.bundles:read support.bundles:create)"
logger=accesscontrol t=2025-06-03T09:29:51.435834741Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(support.bundles:read support.bundles:create)"
logger=accesscontrol t=2025-06-03T09:29:51.436240773Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:plugins.app:access scopes:plugins:id:grafana-lokiexplore-app"
logger=accesscontrol.evaluator t=2025-06-03T09:29:51.436383114Z level=debug msg="Matched scope" userscope=plugins:* targetscope=plugins:id:grafana-lokiexplore-app
logger=accesscontrol t=2025-06-03T09:29:51.436423818Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:datasources:explore scopes:"
logger=accesscontrol t=2025-06-03T09:29:51.43643789Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="action:datasources:explore scopes:"
logger="navtree service" t=2025-06-03T09:29:51.436475759Z level=debug msg="plugin include is covered by RBAC, user doesn't have access" plugin=grafana-lokiexplore-app include=Logs
logger=accesscontrol t=2025-06-03T09:29:51.436524833Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="any(dashboards:create folders:create)"
logger=accesscontrol t=2025-06-03T09:29:51.436586751Z level=debug msg="Evaluating resolved permissions" id=user:15 orgID=1 permissions="any(dashboards:create folders:create)"
logger=login.authinfo t=2025-06-03T09:29:51.71205297Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.71217227Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.713068442Z level=debug msg="Cached token found" id=user:15
logger=login.authinfo t=2025-06-03T09:29:51.734176643Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.734248924Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.734727127Z level=debug msg="Cached token found" id=user:15
logger=login.authinfo t=2025-06-03T09:29:51.741396682Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.74178673Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.743311462Z level=debug msg="Cached token found" id=user:15
logger=login.authinfo t=2025-06-03T09:29:51.744379387Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.744428633Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.745501168Z level=debug msg="Cached token found" id=user:15
logger=login.authinfo t=2025-06-03T09:29:51.747345639Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.747413591Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.749466454Z level=debug msg="Cached token found" id=user:15
logger=context userId=15 orgId=1 uname=user.name@<idp_url> t=2025-06-03T09:29:51.750514321Z level=info msg="Request Completed" method=GET path=/api/live/ws status=-1 remote_addr=<ipv6> time_ms=17 duration=17.733389ms size=0 referer= handler=/api/live/ws status_source=server
logger=login.authinfo t=2025-06-03T09:29:51.788070156Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.788184067Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.789243801Z level=debug msg="Cached token found" id=user:15
logger=accesscontrol t=2025-06-03T09:29:51.789601073Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:plugins.app:access scopes:plugins:id:grafana-lokiexplore-app"
logger=accesscontrol.evaluator t=2025-06-03T09:29:51.78963897Z level=debug msg="Matched scope" userscope=plugins:* targetscope=plugins:id:grafana-lokiexplore-app
logger=live t=2025-06-03T09:29:51.820168135Z level=debug msg="Client connected" user=15 client=277a3070-d3f0-429e-a785-5cc0220e4b36
logger=login.authinfo t=2025-06-03T09:29:51.857073998Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.85715952Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.857928137Z level=debug msg="Cached token found" id=user:15
logger=accesscontrol t=2025-06-03T09:29:51.858290183Z level=debug msg="Evaluating permissions" id=user:15 orgID=1 permissions="action:alert.rules:read scopes:"
logger=ngalert.api t=2025-06-03T09:29:51.859655717Z level=debug msg="User does not have access to any namespaces"
logger=login.authinfo t=2025-06-03T09:29:51.869101527Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.869197299Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.86999127Z level=debug msg="Cached token found" id=user:15
logger=login.authinfo t=2025-06-03T09:29:51.875713242Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:29:51.87581108Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:29:51.876693237Z level=debug msg="Cached token found" id=user:15
logger=ngalert.scheduler t=2025-06-03T09:30:00.002603754Z level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
logger=login.authinfo t=2025-06-03T09:30:01.676103595Z level=debug msg="auth info retrieved from cache" cacheKey=authinfo-15--
logger=oauth_token.sync userID=15 t=2025-06-03T09:30:01.676248291Z level=debug msg="Expiration check has been cached, no need to refresh"
logger=id-service t=2025-06-03T09:30:01.678815583Z level=debug msg="Cached token found" id=user:15
logger=context userId=15 orgId=1 uname=user.name@<idp_url> t=2025-06-03T09:30:01.680164008Z level=debug msg="Received unknown frontend metric" metric=frontend_awaited_plugins_preload_ms
logger=context userId=15 orgId=1 uname=user.name@<idp_url> t=2025-06-03T09:30:01.680303015Z level=debug msg="Received unknown frontend metric" metric=frontend_app_init_ms
logger=context userId=15 orgId=1 uname=user.name@<idp_url> t=2025-06-03T09:30:01.680335166Z level=debug msg="Received unknown frontend metric" metric=frontend_plugin_preload_grafana-lokiexplore-app_ms
logger=context userId=15 orgId=1 uname=user.name@<idp_url> t=2025-06-03T09:30:01.68034677Z level=debug msg="Received unknown frontend metric" metric=loadDashboardScene_ms
logger=secrets t=2025-06-03T09:30:04.655752207Z level=debug msg="Removing expired data keys from cache..."
logger=secrets t=2025-06-03T09:30:04.655860669Z level=debug msg="Removing expired data keys from cache finished successfully"
logger=ngalert.sender.router t=2025-06-03T09:30:04.659107801Z level=debug msg="Attempting to sync admin configs" count=0
logger=ngalert.sender.router t=2025-06-03T09:30:04.65919556Z level=debug msg="Finish of admin configuration sync"
logger=ssosettings.service t=2025-06-03T09:30:04.676492883Z level=debug msg="reloading SSO Settings for all providers"
logger=ngalert.multiorg.alertmanager t=2025-06-03T09:30:04.677478933Z level=debug msg="Synchronizing Alertmanagers for orgs"
logger=ssosettings.service t=2025-06-03T09:30:04.678450171Z level=debug msg="No SSO Settings found in the database, using system settings"
logger=ssosettings.service t=2025-06-03T09:30:04.678511196Z level=debug msg="No SSO Settings found in the database, using system settings"
logger=ssosettings.service t=2025-06-03T09:30:04.678553325Z level=debug msg="No SSO Settings found in the database, using system settings"
logger=ngalert.notifier.alertmanager org=1 t=2025-06-03T09:30:04.681059374Z level=debug msg="Config hasn't changed, skipping configuration sync."
logger=ngalert.multiorg.alertmanager t=2025-06-03T09:30:04.683302973Z level=debug msg="Done synchronizing Alertmanagers for orgs"
logger=ssosettings.service t=2025-06-03T09:30:04.695526567Z level=debug msg="Merging SSO Settings" dbSettings="map[allow_assign_grafana_admin:false allow_sign_up:true allowed_domains: allowed_groups: allowed_organizations: api_url:https://<idp_url>/iserv/public/oauth/userinfo auth_style:AutoDetect auth_url:https://<idp_url>/iserv/oauth/v2/auth auto_login:false client_id:<redacted> client_secret:********* define_allowed_groups:false define_allowed_teams_ids:false email_attribute_name:email:primary email_attribute_path: enabled:true groups_attribute_path: id_token_attribute_name: login_attribute_path: name:Schuldock IDP name_attribute_path: org_attribute_path: org_mapping: role_attribute_path:contains(groups.*.name, 'Monitoring') && 'Editor' role_attribute_strict:true scopes:[\"openid\",\"profile\",\"email\",\"groups\",\"roles\"] signout_redirect_url:https://monitoring.iam.schuldock.de/ skip_org_role_sync:true team_ids: team_ids_attribute_path: teams_url: tls_client_ca: tls_client_cert: tls_client_key: tls_skip_verify_insecure:false token_url:https://<idp_url>/iserv/oauth/v2/token use_pkce:false use_refresh_token:false]" systemSettings="map[allow_assign_grafana_admin:false allow_sign_up:true allowed_domains: allowed_groups: allowed_organizations: api_url: auth_style: auth_url: auto_login:false client_id:some_id client_secret: email_attribute_name:email:primary email_attribute_path: empty_scopes:false enabled:false groups_attribute_path: hosted_domain: icon:signin id_token_attribute_name: login_attribute_path: name:OAuth name_attribute_path: org_attribute_path: org_mapping: role_attribute_path:contains(groups.*.name, 'Monitoring') && 'Editor' role_attribute_strict:false scopes:user:email signout_redirect_url: skip_org_role_sync:false team_ids: team_ids_attribute_path: teams_url: tls_client_ca: tls_client_cert: tls_client_key: tls_skip_verify_insecure:false token_url: use_pkce:false use_refresh_token:false]"
logger=ssosettings.service t=2025-06-03T09:30:04.695883356Z level=debug msg="No SSO Settings found in the database, using system settings"
logger=ssosettings.service t=2025-06-03T09:30:04.695909587Z level=debug msg="No SSO Settings found in the database, using system settings"
logger=ssosettings.service t=2025-06-03T09:30:04.695929501Z level=debug msg="No SSO Settings found in the database, using system settings"
logger=ngalert.scheduler t=2025-06-03T09:30:10.003095853Z level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
logger=provisioning.dashboard type=file name=sidecarProvider t=2025-06-03T09:30:11.830104636Z level=debug msg="Start walking disk" path=/tmp/dashboards

Are you sure that you have a Grafana version which supports that? You didn’t specify the version.

I would say that an array, not a struct, is standard for the groups claim, so that can also be a problem for some underlying lib.

Your struct:

    "groups": {
        "10000": {
            "id": 10000,
            "uuid": "2508bccb-0507-4137-ba6a-918b4eae5196",
            "act": "admins",
            "name": "Admins"
        },
        "10004": {
            "id": 10004,
            "uuid": "1ff31004-9266-41ac-8ea6-08fedc9e3b77",
            "act": "<company>",
            "name": "<comapany>"
        },
        "10015": {
            "id": 10015,
            "uuid": "15f378c2-c3e2-4695-a4a0-22faac02263a",
            "act": "monitoring",
            "name": "Monitoring"
        }
    },

vs array:

 "groups": [
        {
            "id": 10000,
            "uuid": "2508bccb-0507-4137-ba6a-918b4eae5196",
            "act": "admins",
            "name": "Admins"
        },
        {
            "id": 10004,
            "uuid": "1ff31004-9266-41ac-8ea6-08fedc9e3b77",
            "act": "<company>",
            "name": "<comapany>"
        },
        {
            "id": 10015,
            "uuid": "15f378c2-c3e2-4695-a4a0-22faac02263a",
            "act": "monitoring",
            "name": "Monitoring"
        }
    ],

Even an array of structures is unusual. I would say good practice is an array of uuids only (so there is no problem when a group name is changed):

"groups": [ 
   "0760b6cf-170e-4a14-91b3-4b78e0739963", 
   "3b2b0c93-acd8-4208-8eba-7a48db1cd4c0" 
 ],

Grafana Version:

logger=settings t=2025-06-03T11:27:46.971478366Z level=info msg="Starting Grafana" version=11.4.1 commit=bcb04ab63b55a5c8423b24a632e8ecded4fc254f branch=v11.4.x compiled=2025-06-03T11:27:46Z

I tried these JMESPath expressions, which both yield an array of groups and can further be evaluated to “Editor”:

values(groups)[*].name
# OR
contains(values(groups)[*].name, 'Monitoring') && 'Editor'

groups.*.name
# OR
contains(groups.*.name, 'Monitoring') && 'Editor'

I also see in the logs that groups is an empty array, same for roles. Always.

logger=oauth.generic_oauth t=2025-06-03T09:29:50.930388456Z level=debug msg="User info result" result="Id: 20b81540-a5d2-438c-9a88-4c5ed537dbf2, Name: User Name, Email: user.name@<idp_url>, Login: user.name@<idp_url>, Role: , Groups: [], OrgRoles: map[]"

Trying to map IDP roles to Grafana roles did not yield any results.

contains(roles[*].id, 'ROLE_USER') && 'Editor'

Even some obvious expressions like

contains(email, '') && 'Editor'
contains(email, '<username>') && 'Editor'

will not change the Grafana role.
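Two settings in this thread decide whether role_attribute_path is consulted at all, independent of the JMESPath expression. The "Merging SSO Settings" debug line shows the database (UI) settings for the provider with skip_org_role_sync:true and role_attribute_strict:true. In Grafana, skip_org_role_sync turns off organization role sync from the IdP, so the expression is never evaluated and a freshly created user gets auto_assign_org_role (Viewer by default); that is consistent with the login succeeding as Viewer even though the strict flag would otherwise reject an empty role. "Groups: []" in the "User info result" line is expected while groups_attribute_path is empty and is unrelated to role mapping. The Python model below is an added example, not Grafana's own code: it reproduces the documented decision order (skip_org_role_sync, then role_attribute_path, then role_attribute_strict versus auto_assign_org_role) and shows how the IdP's object-shaped groups claim from the reply above has to be flattened before a membership test. The JMESPath engine is replaced by a small Python function that mirrors contains(values(groups)[*].name, 'Monitoring') && 'Editor'; the userinfo document and the settings objects are constructed for the example.

```python
"""Model of Grafana's generic OAuth org-role sync (added example, not Grafana code).

Decision order reproduced from the [auth.generic_oauth] documentation:
  1. skip_org_role_sync=true  -> role_attribute_path is never evaluated
  2. evaluate role_attribute_path against the userinfo
  3. empty/invalid result     -> deny login if role_attribute_strict, else
                                 fall back to [users] auto_assign_org_role
The JMESPath evaluator is replaced by a plain Python callable so this runs offline.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

ORG_ROLES = {"None", "Viewer", "Editor", "Admin"}
GRAFANA_ADMIN = "GrafanaAdmin"


class LoginDenied(Exception):
    """Raised where Grafana would reject the login."""


@dataclass
class GenericOAuthSettings:
    """Subset of the provider settings that affect role sync."""
    skip_org_role_sync: bool = False
    role_attribute_strict: bool = False
    allow_assign_grafana_admin: bool = False
    auto_assign_org_role: str = "Viewer"   # [users] auto_assign_org_role default


def group_names(userinfo: Dict[str, Any]) -> List[str]:
    """Collect group names whether 'groups' is the IdP's object keyed by group id
    ({"1013": {...}}), an array of objects, or a plain array of strings."""
    groups = userinfo.get("groups") or []
    if isinstance(groups, dict):          # object keyed by id -> values()
        groups = list(groups.values())
    return [g["name"] if isinstance(g, dict) else str(g) for g in groups]


def monitoring_is_editor(userinfo: Dict[str, Any]) -> str:
    """Python stand-in for the JMESPath in the thread:
         contains(values(groups)[*].name, 'Monitoring') && 'Editor'
    JMESPath '&&' yields the right operand only when the left is truthy; a
    non-member therefore produces no role here (''), never 'Viewer'."""
    return "Editor" if "Monitoring" in group_names(userinfo) else ""


def resolve_org_role(
    userinfo: Dict[str, Any],
    settings: GenericOAuthSettings,
    evaluate: Callable[[Dict[str, Any]], str] = monitoring_is_editor,
) -> Tuple[Optional[str], bool]:
    """Return (org_role, is_grafana_admin).

    org_role None means 'leave the role stored in Grafana untouched'; for a
    brand-new user Grafana then applies auto_assign_org_role, which is why a
    deleted-and-recreated user keeps landing on Viewer when sync is skipped."""
    if settings.skip_org_role_sync:
        return None, False                 # expression never evaluated
    role = evaluate(userinfo)
    if role == GRAFANA_ADMIN:
        # GrafanaAdmin gives org Admin; server admin only when explicitly allowed.
        return "Admin", settings.allow_assign_grafana_admin
    if role in ORG_ROLES:
        return role, False
    if settings.role_attribute_strict:     # empty or unknown result
        raise LoginDenied(f"role_attribute_strict: invalid role {role!r}")
    return settings.auto_assign_org_role, False


# Constructed sample shaped like the IdP userinfo shown in the thread.
SAMPLE_USERINFO: Dict[str, Any] = {
    "sub": "00000000-0000-4000-8000-000000000000",   # constructed, not a real subject
    "email": "test.user@idp.dev",
    "roles": [{"id": "ROLE_USER", "displayName": "Benutzer"}],
    "groups": {
        "1013": {"id": 1013, "act": "monitoring", "name": "Monitoring"},
        "10000": {"id": 10000, "act": "admins", "name": "Admins"},
    },
}

# Flags as they appear in the dbSettings map of the 'Merging SSO Settings' line.
UI_SETTINGS = GenericOAuthSettings(skip_org_role_sync=True, role_attribute_strict=True)
# Same mapping with role sync enabled.
SYNC_SETTINGS = GenericOAuthSettings(skip_org_role_sync=False, role_attribute_strict=True)


def demo() -> Dict[str, Any]:
    """Run the three cases a practitioner wants to compare."""
    out: Dict[str, Any] = {
        "group_names": group_names(SAMPLE_USERINFO),
        "expression": monitoring_is_editor(SAMPLE_USERINFO),
        "ui_settings": resolve_org_role(SAMPLE_USERINFO, UI_SETTINGS),
        "sync_settings": resolve_org_role(SAMPLE_USERINFO, SYNC_SETTINGS),
    }
    outsider = dict(SAMPLE_USERINFO, groups={})   # not in 'Monitoring'
    try:
        resolve_org_role(outsider, SYNC_SETTINGS)
        out["outsider_strict"] = "allowed"
    except LoginDenied:
        out["outsider_strict"] = "denied"
    out["outsider_lenient"] = resolve_org_role(outsider, GenericOAuthSettings())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the UI values the model returns no role at all, so the expression's correctness cannot be observed; with skip_org_role_sync off the same expression yields Editor, and a user outside the Monitoring group is denied under the strict flag or falls back to Viewer without it.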

Focus on that simple mapping first: contains(email, '<username>') && 'Editor'.

Verify that the configs are applied correctly: check the UI at admin/settings.

From the UI as admin,
This expression will rename the user to “GroupIsPresent”

This will rename the user to the existing group he is in, called “Monitoring”:

groups.*.name | [2]

At this point I assume that the role mapping expression is not evaluated at all, because even static expressions are not evaluated, e.g.

It was always required to delete the user and sign in again.

Don’t mix authentication configuration via UI with configuration via config file. I recommend to start from the scratch and stick with one config option (UI or config file) only.

I tested both in combination and mutually exclusive.