So I’ve got grafana and authentik running nicely, but I’ve never been able to make authentik work as an oauth provider for authentik. I have the following grafana.ini config in my helm chart (I’ve redacted the domain just for a bit of privacy):
When I try to login with authentik, I am able to go through the sign in prompts, but then I get redirected to the login screen where grafana says “login sync failed”. I’m guessing this has something to do with grafana not being able to map the authentik user to the existing grafana user but I’m not sure. Both my grafana and authentik username are the same. I see you can add JMESPath expressions under the “user mapping” section on the UI, but I have no idea how these work.
If anyone could point me in the right direction, that would be appreciated.
Have you made any progress? I am currently facing the same issue.
This is the current log output I get when I attempt to log in with Authentik. (I manually created a scope named “groups” hoping this will fix the issue, but it didn’t.)
So it also receives the groups when Grafana is calling the user-info endpoint, but then it assigns Groups = and, as a result, the user has only Viewer rights.
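Since the original poster asked how the JMESPath "user mapping" works and the log above shows groups arriving but no role being assigned, here is an added example of a `[auth.generic_oauth]` section for authentik (not taken from either poster's redacted config). It assumes authentik runs at `https://authentik.example.com`, the authentik application slug is `grafana`, and the authentik groups are named `Grafana Admins` and `Grafana Editors`; the client id and secret are placeholders.

```ini
; Added example of Grafana's [auth.generic_oauth] section for authentik.
; Assumptions (not from the thread): authentik at https://authentik.example.com,
; application slug "grafana", authentik groups "Grafana Admins" and "Grafana Editors".
[auth.generic_oauth]
enabled = true
name = authentik
allow_sign_up = true
client_id = <CLIENT_ID_PLACEHOLDER>
client_secret = <CLIENT_SECRET_PLACEHOLDER>

; authentik's default "profile" scope mapping already returns a "groups" claim
; (a list of group names), so no hand-made "groups" scope is required.
scopes = openid profile email
auth_url = https://authentik.example.com/application/o/authorize/
token_url = https://authentik.example.com/application/o/token/
api_url = https://authentik.example.com/application/o/userinfo/
signout_redirect_url = https://authentik.example.com/application/o/grafana/end-session/

; The claim used as the Grafana login name. Grafana creates a new account with
; this login, so a pre-existing local user with the same login will collide.
login_attribute_path = preferred_username
email_attribute_path = email
name_attribute_path = name

; JMESPath for the org role. Grafana evaluates it against the ID token first and,
; if that yields nothing, against the userinfo JSON. contains() is case-sensitive
; and the first truthy branch wins, so list branches from most to least privileged.
; Valid results: Admin, Editor, Viewer (GrafanaAdmin only with allow_assign_grafana_admin).
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'

; With the trailing || 'Viewer' every authenticated user gets in. To deny users who
; are in neither group instead, drop that fallback and set role_attribute_strict = true.
role_attribute_strict = false

; Team sync reads group names from this claim; if it is absent from both the
; ID token and the userinfo response, Grafana ends up with an empty group list.
groups_attribute_path = groups
```

Because `role_attribute_path` is matched literally, check the exact group names authentik emits in the userinfo response before relying on the mapping.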
Nobody will tell you why. A million variables and you exposed only a few. Provide a reproducible example, logs (in text format), and configs/logs properly formatted, and then you will increase the chance of a correct answer.
To @esascha7, if you haven’t given up and moved on already, or for anyone else who finds this post, I found the solution. Basically, when you log in through the oidc provider, it tries to create a new user instead of linking it to an existing one.
So if you already have a local user created in Grafana that has the same username as the one you are trying to log in with through the oidc provider, it will fail because it thinks the user already exists. So to fix, simply change the username of the local user (or delete it altogether if you were just using it to bootstrap the Grafana setup).
It looks like it might be possible to get Grafana to link oidc users to existing local users, but I don’t know how to do this, and it could be a security risk if you are just matching them by their username or email. Even then, if you are starting up a new instance, this wouldn’t really be necessary since you probably have all your users already existing under the oidc provider.