Grafana Generic OAuth Role Assignment

0
votes

I am trying to integrate Keycloak as OAuth provider for Grafana. I am successful in authenticating the user but not able to assign the correct role to the user. Following are the configurations that I have used.

Grafana Environment Variable:

- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(roles[*], 'admin') && 'USER' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"

When a POST request is sent to http://{host}:{port}/auth/realms/{realm}/protocol/openid-connect/token I receive fields: access_token, expires_in, refresh_token, refresh_expires_in, token_type, id_token, not-before-policy, session_state, scope

Also id_token when decoded looks like:

{
  "exp": XXXXXXXXXX,
  "iat": XXXXXXXXXX,
  "auth_time": 0,
  "jti": "XXXXXXXXXX-XXXXXXXXXX",
  "iss": "http://{host}:{port}/auth/realms/dev",
  "aud": "grafana",
  "sub": "XXXXXXXXXX-XXXXXXXXXX",
  "typ": "ID",
  "azp": "grafana",
  "session_state": "XXXXXXXXXX-XXXXXXXXXX",
  "at_hash": "XXXXXXXXXX",
  "acr": "1",
  "email_verified": false,
  "roles": [
    "uma_protection",
    "admin"
  ],
  "name": "admin",
  "preferred_username": "admin",
  "given_name": "abcd",
  "family_name": "admin",
  "email": "[email protected]"
}

Following the OAuth implementation for Grafana it looks like id_token is also considered for user info - https://github.com/grafana/grafana/blob/main/pkg/login/social/generic_oauth.go

But eventually jmespath.Search is not able to find the correct value from the role attribute path provided from the token payload. This was cross verified jmespath.org with path and payload and correct results were obtained.

Please help me out here. I am guessing the role attribute path needs some changes as it is passed as an environment variable to Grafana.

-- Logs from Grafana (debug level) --

t=2021-08-11T11:28:00+0000 lvl=dbug msg="OAuthLogin Got token" logger=oauth token="&{AccessToken:{access_token} TokenType:Bearer RefreshToken:{refresh_token} Expiry:2021-08-11 11:33:00.669137197 +0000 UTC m=+421.124688977 raw:map[access_token:{access_token} expires_in:300 id_token:{id_token} not-before-policy:1.628681253e+09 refresh_expires_in:1800 refresh_token:{refresh_token} scope:openid email profile session_state:46f30922-8ec9-40c7-bb00-5f75106b1f35 token_type:Bearer]}"
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Getting user info" logger=oauth.generic_oauth
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Extracting user info from OAuth token" logger=oauth.generic_oauth
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Received id_token" logger=oauth.generic_oauth raw_json="{\"exp\":1628681580,\"iat\":1628681280,\"auth_time\":1628681279,\"jti\":\"b65c1320-c594-4705-a6e4-2b9c6e3f9703\",\"iss\":\"http://10.224.92.202:8052/auth/realms/dev\",\"aud\":\"grafana\",\"sub\":\"3b0c95d5-14ca-4b5e-aa61-3759fd5ee2aa\",\"typ\":\"ID\",\"azp\":\"grafana\",\"session_state\":\"46f30922-8ec9-40c7-bb00-5f75106b1f35\",\"at_hash\":\"c7xrebZq-3lgJUQi0wX0HA\",\"acr\":\"1\",\"email_verified\":false,\"roles\":[\"admin\"],\"name\":\"admin\",\"preferred_username\":\"admin\",\"given_name\":\"abcd\",\"family_name\":\"admin\",\"email\":\"[email protected]\"}" data="Name: admin, Displayname: , Login: , Username: , Email: [email protected], Upn: , Attributes: map[]"
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Getting user info from API" logger=oauth.generic_oauth
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Error getting user info from API" logger=oauth.generic_oauth url=http://keycloak1:8080/auth/realms/dev/protocol/openid-connect/userinfo error="{\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}"
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Processing external user info" logger=oauth.generic_oauth source=token data="Name: admin, Displayname: , Login: , Username: , Email: [email protected], Upn: , Attributes: map[]"
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Setting user info name from name field" logger=oauth.generic_oauth
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Set user info email from extracted email" logger=oauth.generic_oauth [email protected]
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Defaulting to using email for user info login" logger=oauth.generic_oauth [email protected]
t=2021-08-11T11:28:00+0000 lvl=dbug msg="User info result" logger=oauth.generic_oauth result="&{Id: Name: admin Email:[email protected] Login:[email protected] Company: Role: Groups:[]}"
t=2021-08-11T11:28:00+0000 lvl=dbug msg="OAuthLogin got user info" logger=oauth userInfo="&{Id: Name:admin Email:[email protected] Login:[email protected] Company: Role: Groups:[]}"
t=2021-08-11T11:28:00+0000 lvl=dbug msg="Building external user info from OAuth user info" logger=oauth
keycloakgrafanajmespath
Increase Grafana log level and provide Grafana logs, pls.Jan Garaj