Setting up role mapping with generic Oauth


I am trying to setup Oauth with a keycloak server.
Authentication is working fine.

No I need to do role mapping, and I can’t figure how to make this work.

I am using Grafana v6.7.2

Here is my Oauth conf :

name = OAuth
enabled = true
allow_sign_up = true
client_id = xxx
client_secret = xxxx
scopes = user:email
email_attribute_name = email:primary
email_attribute_path =
role_attribute_path = role
auth_url = xxxx/auth/realms/master/protocol/openid-connect/auth
token_url = xxxx/auth/realms/master/protocol/openid-connect/token
api_url = xxxx/auth/realms/master/protocol/openid-connect/userinfo
allowed_domains =
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =

And here are the debug logs :

DBUG[04-17|15:59:28] Received user info response logger=oauth.generic_oauth raw_json="{“sub”:“74d45ac4-3d34-4a28-9542-9cfdb9a4ccbe”,“email_verified”:false,“role”:[“create-realm”,“offline_access”,“admin”,“uma_authorization”,“Editor”],“ldap_groups”:["/aws_monaco_tc","/reporting_product_lg","/reporting_product_dob","/reporting_monaco","/aws_remote_business_david","/grafana_ema_admins","/reporting_admins","/reporting_test","/laptop_users","/reporting_product_daa","/it"],“name”:“Xavier doe”,“preferred_username”:“xdoe”,“given_name”:“Xavier”,“family_name”:“doe”,“email”:“xxxx”}" data=“Name: Xavier doe, Displayname: , Login: , Username: , Email: xxxx, Upn: , Attributes: map[]”
EROR[04-17|15:59:28] Attribute not found when searching JSON with provided path logger=oauth.generic_oauth attributePath=role

As you can see on the GET userinfo there is a “role” field, withan Editor role, but it seems to be discarded.

Any help would be greatly appreciated ! Thanks in advance !

no one? :confused: we’re looking forward to the whole role mapping stuff too. hope it’ll be implemented in any of the next versions…