0D51Y0000ARJOcQSQX | Okta Classic Engine | Administration | Answered | 2021-02-11T07:51:16.000Z | 2021-02-09T21:21:04.000Z | 2021-02-11T07:51:16.000Z

ShayB.90154 (Customer) asked a question.

Why do I get groups=[] (an empty list) in the userinfo response?

Trying to integrate OKTA with Grafana based on this doc -> https://grafana.com/docs/grafana/latest/auth/okta/

 

It works OK, but when I try to take it one step ahead by setting the Grafana user role (https://grafana.com/docs/grafana/latest/auth/okta/*map-roles) using the Okta group name, it fails to find the groups in the userinfo response.

 

I see the following error in the Grafana login while trying to log in via an Okta user:

 

```

https://redislabs.okta.com/oauth2/v1/userinfo: 200 OK {\"sub\":\"00u1lsupyoEA8iWaB357\",\"name\":\"USER1\",\"locale\":\"IL\",\"email\":\"USER1@compony.com\",\"preferred_username\":\"USER1@compony.com\",\"given_name\":\"USER1\",\"family_name\":\"\",\"zoneinfo\":\"xxxxx\",\"updated_at\":xxxx,\"email_verified\":true}"

t=2021-02-09T19:40:07+0000 lvl=dbug msg="Received user info response" logger=oauth.okta raw_json="{\"sub\":\"xxxxx\",\"name\":\"USER1\",\"locale\":\"IL\",\"email\":\"USER1@compony.com\",\"preferred_username\":\"USER1@compony.com\",\"given_name\":\"USER1\",\"family_name\":\"xxxx\",\"zoneinfo\":\"xxxxxxxxx\",\"updated_at\":xxxxx,\"email_verified\":true}" data="&{Name:USER1 DisplayName: Login: Username: Email:USER1@compony.com Upn: Attributes:map[] Groups:[]

 

t=2021-02-09T19:40:07+0000 lvl=eror msg="Failed to extract role" logger=oauth.okta error="failed to search user info JSON response with provided path: \"contains(info.groups[*], 'grafana_group_for_editors') && 'Editor'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"

t=2021-02-09T19:40:07+0000 lvl=dbug msg="OAuthLogin got user info" logger=oauth userInfo="&{Id:00u1lsupyoEA8iWaB357 Name:USER1 Email:USER1@compony.com Login:USER1@compony.com Company: Role: Groups:[]}"

```

 

 

My Grafana settings:

```
[auth.okta]
allow_sign_up = true
api_url = https://YYY/oauth2/v1/userinfo
auth_url = https://YYY/oauth2/v1/authorize
enabled = true
name = Okta
token_url = https://YYY/oauth2/v1/token
scopes = openid profile email groups
role_attribute_path = contains(info.groups[*], 'grafana_group_for_editors') && 'Editor' || "Viewer"
```

 

 

My Okta app configuration has, of course, groups attached to the app, but the `groups claim filters = None`.

Questions:

  1. Is it a must to set the groups claim filter to `groups` with a `.*` regex to get the groups in the userinfo response?
  2. Assuming groups is an empty list, why do I get such an error? `eror msg="Failed to extract role" logger=oauth.okta error="failed to search user info JSON response with provided path: \"contains(info.groups[*], 'grafana_group_for_editors') && 'Editor'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"`

 

And another question why


  • ShayB.90154 (Customer)

    Just to update that I resolved this issue as follows:

    1. Add to the Okta app "groups claim filter" = `groups` with regex `.*`
    2. Also, I had to use `groups[*]` instead of `info.groups[*]` to make it work.

     

    Thanks

This question is closed.
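
A stand-alone check of the two fixes described in the thread, added here as an example and not code from Grafana, Okta or the poster: using only the Python standard library, it mimics how the `contains(...)` role expression treats a missing `groups` claim and the `info.groups[*]` versus `groups[*]` path. The sample userinfo bodies, the `Everyone` group and all function names are constructed for illustration.

```python
import json

# Constructed userinfo bodies. The first mirrors the claims in the debug log
# above (no "groups" key); the second assumes the Okta groups claim filter is set.
USERINFO_NO_GROUPS = json.loads(
    '{"sub": "xxxxx", "name": "USER1", "email": "USER1@compony.com", "email_verified": true}')
USERINFO_WITH_GROUPS = json.loads(
    '{"sub": "xxxxx", "name": "USER1", "email": "USER1@compony.com",'
    ' "groups": ["Everyone", "grafana_group_for_editors"]}')


def project(doc, path):
    """Resolve a dotted path ending in [*], e.g. 'groups[*]' or 'info.groups[*]'.

    Like JMESPath, a missing key yields None (null) instead of raising.
    """
    node = doc
    dotted = path[:-3] if path.endswith("[*]") else path
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return list(node) if isinstance(node, list) else None


def resolve_role(doc, path, group, role, default="Viewer"):
    """Hypothetical stand-in for: contains(<path>, '<group>') && '<role>' || '<default>'.

    Returns (role, problem). A null subject makes contains() a type error in
    JMESPath, so no role is extracted: the "Invalid type for: <nil>" case.
    """
    groups = project(doc, path)
    if groups is None:
        return None, f"{path} is null: claim missing from userinfo or wrong path"
    return (role if group in groups else default), None


def diagnose(doc, group="grafana_group_for_editors", role="Editor"):
    """Try both paths from the thread and report what each one yields."""
    return {p: resolve_role(doc, p, group, role) for p in ("info.groups[*]", "groups[*]")}


if __name__ == "__main__":
    for label, doc in (("no groups claim", USERINFO_NO_GROUPS),
                       ("groups claim present", USERINFO_WITH_GROUPS)):
        for path, (role, problem) in diagnose(doc).items():
            print(f"{label:22} {path:16} -> {role or 'ERROR: ' + problem}")
```

An empty `groups` array is not an error: the membership test is simply false and the default role is returned, so the failure in the log comes from the claim being absent (null), not from an empty list.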
