What happened:
Grafana + keycloak as authentication provider.
Keycloak has the property "Email as username" activated.
I log in with my keycloak account, it works fine. Then, I changed my email in keycloak, using the "account" builtin application.
Surprise, when I log in to Grafana I have lost everything; it is a new account.
What you expected to happen:
Email shouldn't be used as a user ID. I expected my account to stay unchanged except for my email address.
How to reproduce it (as minimally and precisely as possible):
keycloak as oauth provider
login with an account
change email
Anything else we need to know?:
It is located in the file https://github.com/grafana/grafana/blob/master/pkg/login/social/generic_oauth.go, in the "extractLogin" function. This function searches for "login" or "username" in the /userinfo endpoint response.
Keycloak does not have those fields by default.
So the function returns the email as the user login.
workaround
In keycloak, open the client you created for grafana. Go to "mapper" and add a new one. Choose "user property" mapper type, the user property we want is "id" and add it to token claim "login".
This works perfectly
What we should have
Just like with email, we have the "email_attribute_path" configuration option. We should have the same for user_id attribute.
Environment:
Grafana version: 6.5.0
OS Grafana is installed on: docker
User OS & Browser: windows 10 & chrome
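The identity-key problem the issue describes, as an added Go illustration that is not Grafana's own code: a constructed userinfo map stands in for the Keycloak response, "sub" is assumed to be a stable per-user claim, and keepsAccount simulates two logins around an email change against a toy in-memory user table.

```go
package main

import "fmt"

// UserInfo is a constructed stand-in for the claims an OIDC /userinfo
// endpoint returns. With Keycloak's "Email as username" there is no
// "login" or "username" claim, only "sub" and "email".
type UserInfo map[string]string

// loginByEmailFallback mirrors the behaviour the issue describes: try
// "login", then "username", then fall back to the mutable "email".
func loginByEmailFallback(info UserInfo) (string, error) {
	for _, claim := range []string{"login", "username", "email"} {
		if v := info[claim]; v != "" {
			return v, nil
		}
	}
	return "", fmt.Errorf("no usable login claim in userinfo")
}

// loginByStableID keys the account on a configurable immutable claim
// instead; idAttr plays the role of the proposed user_id attribute.
func loginByStableID(info UserInfo, idAttr string) (string, error) {
	if v := info[idAttr]; v != "" {
		return v, nil
	}
	return "", fmt.Errorf("claim %q missing from userinfo", idAttr)
}

// Constructed claims for one Keycloak user before and after the email
// change; "sub" (the OIDC subject, assumed stable) does not change.
var before = UserInfo{"sub": "kc-user-0001", "email": "alice@old.example"}
var after = UserInfo{"sub": "kc-user-0001", "email": "alice@new.example"}

// keepsAccount logs in, changes the email, logs in again, and reports
// whether the second login lands on the account created by the first.
func keepsAccount(extract func(UserInfo) (string, error)) bool {
	accounts := map[string]bool{} // stand-in for Grafana's user table, keyed by login
	first, err := extract(before)
	if err != nil {
		return false
	}
	accounts[first] = true
	second, err := extract(after)
	if err != nil {
		return false
	}
	return accounts[second] // false: a brand-new account was created
}
```

With the email fallback the second login creates a fresh account (the "lost everything" symptom); keyed on "sub" it resolves to the original one.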
Same issue with generic OAuth. If a user changes his e-mail address, then login fails (user already exists). I think that is quite common behavior, to change my primary e-mail. There is nothing wrong if a user changes his e-mail within some identity provider.
The workaround did not work for me. If the user has the same login name (username) but a different e-mail address, the e-mail is not updated and the login attempt fails with the error "User already exists".