Fix Grafana OAuth role mapping from Authentik groups

The INI parser was stripping outer single quotes from
role_attribute_path = 'Admin', causing Grafana to evaluate 'Admin'
as a JMESPath field identifier instead of a string literal. This
resulted in all OAuth users getting the default Viewer role.

Replaced with a proper group-based expression that checks for the
'admins' Authentik group and maps to Admin/Viewer accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-24 13:40:41 -08:00
commit 495c3e8496
2 changed files with 3 additions and 1 deletions


@ -21,7 +21,8 @@ data:
client_secret = $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
enabled = true
name = Authentik
role_attribute_path = 'Admin'
role_attribute_path = contains(groups[*], 'admins') && 'Admin' || 'Viewer'
skip_org_role_sync = false
scopes = openid profile email
token_url = https://authentik.ops.eblu.me/application/o/token/
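Review bot: The new `role_attribute_path` reads a `groups` claim, but the `scopes = openid profile email` line in this hunk is unchanged, so confirm that the provider returns `groups` under those scopes. If the claim is missing, the expression will not yield Admin and every user falls back to the default role, which is the same symptom this commit sets out to fix. Because `skip_org_role_sync = false` re-applies the mapping on each login, membership in the `admins` group is now the only gate for Grafana Admin; a comment beside the expression naming that group as access-controlling would help whoever manages group membership.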


@ -0,0 +1 @@
Fix Grafana OAuth role mapping: INI parser was stripping quotes from `role_attribute_path = 'Admin'`, causing all Authentik users to get Viewer role instead of Admin. Now uses group-based mapping from the `admins` Authentik group.
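Review bot: The fragment's "instead of Admin" reads as if every Authentik user is meant to be Admin, while the new expression gives Admin only to members of `admins` and Viewer to everyone else. Say that explicitly in the fragment so changelog readers know who has to be added to the group to keep Admin access.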