Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Generic Oauth: support for team_ids, team_ids_attribute_path, teams_url #770

merged 2 commits into from Jun 7, 2022


Copy link

@weisdd weisdd commented Jun 5, 2022


Generic Oauth section of grafana configuration helps to impose additional restrictions on who is allowed to login. One of those restrictions is user presence in a particular team id (has nothing to do with teams in grafana itself). From docs:

Grafana will check for the presence of at least one of the teams specified via the team_ids configuration option using the JMESPath specified via the team_ids_attribute_path configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the Teams endpoint specified via the teams_url configuration option (using /teams as a fallback endpoint). The result should be a string array of Grafana Team IDs. Using this setting ensures that only certain teams is allowed to authenticate to Grafana using your OAuth provider.


So this PR brings support to the following parameters:

team_ids = 1
team_ids_attribute_path = [*]
teams_url =

My actual use case is non-standard: In my tiny app, I'm trying to exploit this setting to get access to a user ID token (gets sent to teams_url by grafana), so I can then add the user to a team via Grafana API based on user's claims.

Type of change

  • New feature (non-breaking change which adds functionality)


  • This change requires a documentation update
  • I have added tests that prove my fix is effective or that my feature works
  • I have added a test case that will be used to verify my changes
  • Verified independently on a cluster by reviewer

Verification steps

It'd be slightly difficult to do an e2e-test as part of the configuration has to be done on IDP side (Keycloak in my case) and a web-server that would return a json with team ids. So, I'd say it's better to just check the presence of the 3 newly added fields: teams_url, team_ids_attribute_path, team_ids in grafana ConfigMap.

        disable_login_form: true
        login_maximum_inactive_lifetime_duration: 4h
        login_maximum_lifetime_duration: 8h
        oauth_auto_login: true
        signout_redirect_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/logout?redirect_uri=http://grafana.localhost
        allow_sign_up: true
        api_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/userinfo
        auth_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/auth
        client_id: grafana
        client_secret: REDACTED
        enabled: true
        role_attribute_path: contains(roles[*], 'grafana-admin') && 'Admin' || contains(roles[*],
          'grafana-editor') && 'Editor' || 'Viewer'
        scopes: email profile
        team_ids: "1"
        team_ids_attribute_path: '[*]'
        token_url: http://keycloak.localhost/auth/realms/monitoring/protocol/openid-connect/token

…r generic oauth

Signed-off-by: Igor Beliakov <>
@weisdd weisdd changed the title Feature/teams feat: Generic Oauth: support for team_ids, team_ids_attribute_path, teams_url Jun 5, 2022
Signed-off-by: Igor Beliakov <>
Copy link

@NissesSenap NissesSenap left a comment

Great PR @weisdd, thanks for the links to the original docs and a good example output.
@HubertStefanski or @pb82 any thoughts?

Copy link

HubertStefanski commented Jun 7, 2022

@weisdd LGTM! (also thanks for the docs and examples)

@NissesSenap Thanks for taking a look, LGTM'd also

@NissesSenap NissesSenap merged commit 0564d0d into grafana-operator:master Jun 7, 2022
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

3 participants