I am trying to integrate Keycloak as OAuth provider for Grafana. I am successful in authenticating the user but not able to assign the correct role to the user. Following are the configurations that I have used.
Grafana Environment Variable:
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(roles[*], 'admin') && 'USER' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
When a POST request is sent to http://{host}:{port}/auth/realms/{realm}/protocol/openid-connect/token I receive fields: access_token, expires_in, refresh_token, refresh_expires_in, token_type, id_token, not-before-policy, session_state, scope
Also id_token when decoded looks like:
{
"exp": XXXXXXXXXX,
"iat": XXXXXXXXXX,
"auth_time": 0,
"jti": "XXXXXXXXXX-XXXXXXXXXX",
"iss": "http://{host}:{port}/auth/realms/dev",
"aud": "grafana",
"sub": "XXXXXXXXXX-XXXXXXXXXX",
"typ": "ID",
"azp": "grafana",
"session_state": "XXXXXXXXXX-XXXXXXXXXX",
"at_hash": "XXXXXXXXXX",
"acr": "1",
"email_verified": false,
"roles": [
"uma_protection",
"admin"
],
"name": "admin",
"preferred_username": "admin",
"given_name": "abcd",
"family_name": "admin",
"
}
Following the OAuth implementation for Grafana it looks like id_token is also considered for user info - grafana/generic_oauth.go at main · grafana/grafana · GitHub
But eventually jmespath.Search is not able to find the correct value from the role attribute path provided from the token payload. This was cross verified jmespath.org with path and payload and correct results were obtained.
Please help me out here. I am guessing the role attribute path needs some changes as it is passed as an environment variable to Grafana.