From 495c3e8496886de64568237ca20d1edfad6853b1 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 24 Feb 2026 13:40:41 -0800
Subject: [PATCH] Fix Grafana OAuth role mapping from Authentik groups

The INI parser was stripping outer single quotes from role_attribute_path = 'Admin', causing Grafana to evaluate 'Admin' as a JMESPath field identifier instead of a string literal. This resulted in all OAuth users getting the default Viewer role.

Replaced with a proper group-based expression that checks for the 'admins' Authentik group and maps to Admin/Viewer accordingly.

Co-Authored-By: Claude Opus 4.6
---
 argocd/manifests/grafana/configmap.yaml | 3 ++-
 docs/changelog.d/fix-grafana-oauth-role.bugfix.md | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog.d/fix-grafana-oauth-role.bugfix.md

diff --git a/argocd/manifests/grafana/configmap.yaml b/argocd/manifests/grafana/configmap.yaml
index f0c00a7..077779b 100644
--- a/argocd/manifests/grafana/configmap.yaml
+++ b/argocd/manifests/grafana/configmap.yaml
@@ -21,7 +21,8 @@ data:
 client_secret = $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
 enabled = true
 name = Authentik
- role_attribute_path = 'Admin'
+ role_attribute_path = contains(groups[*], 'admins') && 'Admin' || 'Viewer'
+ skip_org_role_sync = false
 scopes = openid profile email
 token_url = https://authentik.ops.eblu.me/application/o/token/
diff --git a/docs/changelog.d/fix-grafana-oauth-role.bugfix.md b/docs/changelog.d/fix-grafana-oauth-role.bugfix.md
new file mode 100644
index 0000000..9479f1c
--- /dev/null
+++ b/docs/changelog.d/fix-grafana-oauth-role.bugfix.md
@@ -0,0 +1 @@
+Fix Grafana OAuth role mapping: INI parser was stripping quotes from `role_attribute_path = 'Admin'`, causing all Authentik users to get Viewer role instead of Admin. Now uses group-based mapping from the `admins` Authentik group.
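Review bot: The new `role_attribute_path` line still fails open: if the `groups` claim is missing from the token or userinfo response, `contains(groups[*], 'admins')` cannot match and every login silently lands on Viewer, which is the same symptom this commit fixes, only with a different cause. Consider adding `role_attribute_strict = true` beside the new `skip_org_role_sync = false` line so that a missing or malformed role mapping denies login rather than assigning the default role. The hunk requests only `scopes = openid profile email`, so whether `groups` is actually emitted depends on the IdP's scope-to-claim mapping; this is worth confirming in the Authentik provider rather than assuming. Keeping `skip_org_role_sync = false` explicit is a good choice, since it appears to mean removal from `admins` is reflected on the user's next login. The INI section enclosing these keys begins before this hunk, so any `allowed_groups` or `allow_sign_up` settings there were not visible for review.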