"User Sync Failed" when using Grafana with Authentik

So I’ve got grafana and authentik running nicely, but I’ve never been able to make authentik work as an oauth provider for grafana. I have the following grafana.ini config in my helm chart (I’ve redacted the domain just for a bit of privacy):

      grafana.ini:
        users:
          auto_assign_org: true
          auto_assign_org_id: 1
          auto_assign_org_role: Viewer
        auth:
          signout_redirect_url: https://auth.*****/application/o/grafana/end-session/
          oauth_auto_login: true
        auth.generic_oauth:
          enabled: true
          name: Authentik
          client_id: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_ID}
          client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
          scopes: openid profile email
          login_attribute_path: preferred_username
          groups_attribute_path: groups
          name_attribute_path: name
          empty_scopes: false
          use_pkce: true
          icon: signin
          auth_url: https://auth.*****/application/o/authorize/
          token_url: https://auth.*****/application/o/token/
          api_url: https://auth.*****/application/o/userinfo/
          role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
        server:
          domain: grafana.*****
          root_url: https://grafana.*****

When I try to log in with authentik, I am able to go through the sign-in prompts, but then I get redirected to the login screen where grafana says “login sync failed”. I’m guessing this has something to do with grafana not being able to map the authentik user to the existing grafana user, but I’m not sure. Both my grafana and authentik usernames are the same. I see you can add JMESPath expressions under the “user mapping” section in the UI, but I have no idea how these work.

If anyone could point me in the right direction, that would be appreciated.

Does anyone have any ideas?

Have you made any progress? I am currently facing the same issue.

This is the current log output I get when I attempt to log in with Authentik. (I manually created a scope named “groups” hoping this will fix the issue, but it didn’t.)

So it also receives the groups when grafana calls the user-info endpoint, but then it assigns Groups = and, as a result, the user has only Viewer rights.

That’s a wrong assumption. The role is based on JMESPath from role_attribute_path, not on the internal group field.

Thank you for the reply. My role_attribute_path looks similar to @artichoke. Shouldn’t it work? Am I missing something else?

GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[], 'admins') && 'Admin' || contains(groups[], 'Grafana Editors') && 'Editor' || 'Viewer'"
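To make the role mapping discussed in the last few posts concrete, here is an added example (my own code, not Grafana's or authentik's) that evaluates `role_attribute_path` expressions of the shape used in this thread against sample userinfo claims. Grafana evaluates the real thing with a full JMESPath library; this is a hand-written evaluator for only the `contains(...) && '...' || ... || '...'` form, reproducing the JMESPath rules that decide the outcome: `&&` yields its right operand when the left is truthy, `||` yields the first truthy operand, `contains()` is case-sensitive, and `contains()` on a missing (null) claim is an invalid-type error rather than `false`. The sample claim sets are constructed, not taken from anyone's logs, and the behaviour of `role_attribute_strict` (deny the login when no valid role comes back) is modelled after Grafana's option of that name.

```python
"""Evaluate Grafana-style role_attribute_path expressions offline.

Supported shape (one or more alternatives joined by ||):

    contains(<claim path>[ [] ], '<group>') && '<Role>' || ... || '<Role>'
"""
import re
from typing import Any

# One "contains(path, 'needle') && 'Role'" alternative; the optional []
# is the JMESPath flatten projection seen in the groups[] variant above.
ALT_RE = re.compile(
    r"^\s*contains\(\s*([A-Za-z_][\w.]*)(\[\])?\s*,\s*'([^']*)'\s*\)"
    r"\s*&&\s*'([^']*)'\s*$"
)
LIT_RE = re.compile(r"^\s*'([^']*)'\s*$")       # bare fallback literal
VALID_ROLES = {"Admin", "Editor", "Viewer"}     # roles Grafana accepts here


def _truthy(value: Any) -> bool:
    """JMESPath truthiness: null, false, "", [] and {} are false."""
    return value not in (None, False, "", [], {})


def _lookup(claims: dict, path: str, flatten: bool) -> Any:
    """Resolve a dotted claim path; a missing key yields null, as in JMESPath."""
    cur: Any = claims
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    if flatten and isinstance(cur, list):
        cur = [x for item in cur for x in (item if isinstance(item, list) else [item])]
    return cur


def evaluate_role_expr(expr: str, claims: dict) -> Any:
    """Return what the expression evaluates to: a role string, false or null.

    Raises TypeError where JMESPath would raise invalid-type, i.e. when the
    groups claim is absent from the userinfo/ID-token claims.
    """
    result: Any = None
    for alt in expr.split("||"):
        m = ALT_RE.match(alt)
        if m:
            path, flatten, needle, role = m.groups()
            subject = _lookup(claims, path, bool(flatten))
            if not isinstance(subject, (list, str)):
                raise TypeError(
                    f"contains(): claim {path!r} is "
                    f"{type(subject).__name__}, expected array or string"
                )
            result = role if needle in subject else False   # case-sensitive
        else:
            m = LIT_RE.match(alt)
            if not m:
                raise ValueError(f"unsupported alternative: {alt.strip()!r}")
            result = m.group(1)
        if _truthy(result):
            return result
    return result


def map_role(claims: dict, expr: str, *, strict: bool = False,
             fallback: str = "Viewer") -> str:
    """Model Grafana's outcome: a valid role wins; otherwise fall back to
    auto_assign_org_role, or refuse the login when role_attribute_strict is on."""
    try:
        role = evaluate_role_expr(expr, claims)
    except (TypeError, ValueError):
        role = None          # Grafana logs the evaluation error here
    if role in VALID_ROLES:
        return role
    if strict:
        raise PermissionError("login denied: no valid role from role_attribute_path")
    return fallback


# The expression from the original post's grafana.ini.
EXPR = ("contains(groups, 'Grafana Admins') && 'Admin' || "
        "contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'")

# Constructed sample userinfo responses (hypothetical users, not real logs).
SAMPLES = {
    "admin":           {"preferred_username": "alice", "groups": ["Grafana Admins", "staff"]},
    "editor":          {"preferred_username": "bob",   "groups": ["Grafana Editors"]},
    "neither":         {"preferred_username": "carol", "groups": ["staff"]},
    "no_groups_claim": {"preferred_username": "dave"},   # groups scope not granted
    "case_mismatch":   {"preferred_username": "erin",  "groups": ["grafana admins"]},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(f"{name:16s} -> {map_role(claims, EXPR)}")
    try:
        map_role(SAMPLES["no_groups_claim"], EXPR, strict=True)
    except PermissionError as exc:
        print("strict mode:", exc)
```

The two cases worth noting are the last ones: a claim set with no `groups` key at all does not evaluate to `false`, it errors, and with the default non-strict behaviour that error silently becomes the fallback role, which is exactly the "everyone ends up Viewer" symptom. A group named `Grafana Admins` in authentik and `'grafana admins'` in the expression also lands on Viewer, because `contains()` compares exact strings.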

Nobody will tell you why. There are a million variables and you exposed only a few. Provide a reproducible example, logs (in text format), and properly formatted configs/logs, and then you will increase your chance of a correct answer.

To @esascha7, if you haven’t given up and moved on already, or for anyone else who finds this post: I found the solution. Basically, when you log in through the OIDC provider, it tries to create a new user instead of linking it to an existing one.

So if you already have a local user created in Grafana that has the same username as the one you are trying to log in with through the oidc provider, it will fail because it thinks the user already exists. So to fix, simply change the username of the local user (or delete it altogether if you were just using it to bootstrap the Grafana setup).

It looks like it might be possible to get Grafana to link oidc users to existing local users, but I don’t know how to do this, and could be a security risk if you are just matching them by their username or email. Even then, if you are starting up a new instance, this wouldn’t really be necessary since you probably have all your users already existing under the oidc provider.
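As a pre-flight check for the collision the post above describes, here is an added example (my own code, not Grafana's or authentik's) that lists the local Grafana accounts an OIDC login would clash with, before `oauth_auto_login` is switched on. It runs offline on two constructed inputs: `GRAFANA_USERS`, in the shape returned by Grafana's `GET /api/users` (the `login`, `email` and `authLabels` fields are what that endpoint returns in current versions; treat the exact shape as an assumption for your own version), and `IDP_USERS`, the `preferred_username` and `email` claims authentik would send, which Grafana maps to the login via `login_attribute_path`. Accounts that already carry an external auth label are skipped, since those are already linked; e-mail-only matches are reported separately, because, as the post says, linking on e-mail alone is the risky case.

```python
"""Find local Grafana accounts that collide with logins an OIDC IdP will send."""
from typing import Dict, List


def find_collisions(grafana_users: List[dict], idp_users: List[dict],
                    login_attr: str = "preferred_username") -> List[Dict[str, object]]:
    """Return one record per local Grafana account an IdP user would collide
    with: which IdP login, which Grafana account, and whether the match was
    on the login (what Grafana uses) or only on the e-mail address."""
    by_login = {u["login"]: u for u in grafana_users}
    by_email = {u["email"].lower(): u for u in grafana_users if u.get("email")}
    hits: List[Dict[str, object]] = []
    for idp in idp_users:
        login = idp[login_attr]
        email = (idp.get("email") or "").lower()
        seen = set()
        # Login first: a login match is what makes "user sync failed" fire.
        for kind, local in (("login", by_login.get(login)),
                            ("email", by_email.get(email))):
            if local is None or local["id"] in seen:
                continue
            seen.add(local["id"])
            if local.get("authLabels"):
                continue          # already linked to OAuth/LDAP/SAML, not a collision
            hits.append({
                "idp_login": login,
                "grafana_id": local["id"],
                "grafana_login": local["login"],
                "matched_on": kind,
            })
    return hits


def advice(hit: Dict[str, object]) -> str:
    """Turn a collision record into the remediation the post above suggests."""
    if hit["matched_on"] == "login":
        return (f"rename or delete local user {hit['grafana_login']!r} (id "
                f"{hit['grafana_id']}) before {hit['idp_login']!r} logs in via OIDC")
    return (f"local user {hit['grafana_login']!r} shares an e-mail with IdP user "
            f"{hit['idp_login']!r}; confirm it is the same person before linking")


# Constructed sample data (hypothetical accounts, not from any real instance).
GRAFANA_USERS = [
    {"id": 1, "login": "admin",     "email": "admin@localhost",    "authLabels": []},
    {"id": 2, "login": "alice",     "email": "alice@example.com",  "authLabels": []},
    {"id": 3, "login": "bob",       "email": "bob@example.com",    "authLabels": ["OAuth"]},
    {"id": 4, "login": "carol.svc", "email": "Carol@Example.com",  "authLabels": []},
]
IDP_USERS = [
    {"preferred_username": "alice", "email": "alice@example.com"},
    {"preferred_username": "bob",   "email": "bob@example.com"},
    {"preferred_username": "carol", "email": "carol@example.com"},
    {"preferred_username": "dave",  "email": "dave@example.com"},
]

if __name__ == "__main__":
    for hit in find_collisions(GRAFANA_USERS, IDP_USERS):
        print(advice(hit))
```

To run this against a live instance, fetch the first list with the real endpoint (`curl -H "Authorization: Bearer $TOKEN" https://grafana.example.com/api/users`, using a service-account token with admin rights) and the second from your IdP's user export; the example deliberately embeds both so it can be checked without network access.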

What happens to user permissions, since they’re based on the user ID or UID?


I share the same thought with you.