Roles not being assigned with integration with Keycloak for OAuth

I am trying to integrate Keycloak as an OAuth provider for Grafana. I am successful in authenticating the user but not able to assign the correct role to the user. The following are the configurations that I have used.

Grafana Environment Variable:

- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(roles[*], 'admin') && 'USER' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"

When a POST request is sent to http://{host}:{port}/auth/realms/{realm}/protocol/openid-connect/token I receive the fields: access_token, expires_in, refresh_token, refresh_expires_in, token_type, id_token, not-before-policy, session_state, scope

Also id_token when decoded looks like:

  "exp": XXXXXXXXXX,
  "iat": XXXXXXXXXX,
  "auth_time": 0,
  "iss": "http://{host}:{port}/auth/realms/dev",
  "aud": "grafana",
  "typ": "ID",
  "azp": "grafana",
  "session_state": "XXXXXXXXXX-XXXXXXXXXX",
  "at_hash": "XXXXXXXXXX",
  "acr": "1",
  "email_verified": false,
  "roles": [
  "name": "admin",
  "preferred_username": "admin",
  "given_name": "abcd",
  "family_name": "admin",

Following the OAuth implementation for Grafana it looks like id_token is also considered for user info - grafana/generic_oauth.go at main · grafana/grafana · GitHub

But eventually jmespath.Search is not able to find the correct value from the role attribute path provided from the token payload. This was cross-verified with the path and payload, and correct results were obtained.

Please help me out here. I am guessing the role attribute path needs some changes as it is passed as an environment variable to Grafana.

1.) Verify in the settings page /admin/settings if role mapping config was passed correctly from the env variable
2.) Increase Grafana log level and watch the logs
3.) I would enable role mapper for the id token/access token/userinfo in the Keycloak client config
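
The checks discussed in this thread can be run offline against a token. The following is an added example, not part of the original posts and not Grafana's code. It decodes an id_token payload, applies the same first-match mapping as the role attribute path in plain Python (not JMESPath), and reports why a role might not be applied. The helper names, the constructed sample token, and the list of accepted role names (taken from Grafana's documented roles) are assumptions.

```python
import base64
import json

# Roles Grafana accepts as the result of role_attribute_path (assumed list).
VALID_ROLES = {"Viewer", "Editor", "Admin", "GrafanaAdmin"}
# The mapping from the post's expression: (Keycloak role, value returned).
PAGE_RULES = [("admin", "USER"), ("editor", "Editor")]

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def jwt_claims(token: str) -> dict:
    """Decode the payload segment for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def map_role(claims: dict, rules, default: str) -> str:
    """First match wins, like contains(roles[*], 'x') && 'X' || ... || default."""
    roles = claims.get("roles")
    if isinstance(roles, list):
        for wanted, value in rules:
            if wanted in roles:
                return value
    return default

def diagnose(token: str, raw_env_value: str, rules=PAGE_RULES, default="Viewer"):
    """Return (mapped value, list of reasons the role may not be applied)."""
    claims = jwt_claims(token)
    findings = []
    if not isinstance(claims.get("roles"), list):
        findings.append("no top-level 'roles' array in the token")
    role = map_role(claims, rules, default)
    if role not in VALID_ROLES:
        findings.append(f"mapped value {role!r} is not a Grafana role")
    if len(raw_env_value) > 1 and raw_env_value[0] == raw_env_value[-1] == '"':
        # In JMESPath a double-quoted string is an identifier, not an expression.
        findings.append("expression is wrapped in literal double quotes")
    return role, findings

if __name__ == "__main__":
    # Constructed claims; the post's real 'roles' contents are not shown.
    tok = make_token({"aud": "grafana", "preferred_username": "admin", "roles": ["admin"]})
    print(diagnose(tok, "contains(roles[*], 'admin') && 'USER' || 'Viewer'"))
```

Pass the expression exactly as it appears on /admin/settings as `raw_env_value`, so that any quoting added by the deployment tooling is visible to the check.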