Auth0 Organisation Integration with Grafana

  • What happened?

We are having trouble logging in with Grafana using Generic OAuth. In Grafana’s previous version 10.2.2, we had no problems logging in with Auth0. Following the most recent Grafana upgrade, additional modifications were made to the Generic OAuth integration. When we specified the allowed_organization option in Grafana, the user associated with the Auth0 Organisation was able to log in, and non-users of the Auth0 Organisation were unable to do so. This allowed us to manage external clients. Now that multiple options have changed, the allowed_organization option isn’t working. Organisation mapping and Organisation attribute path are new options that have been added, and I couldn’t find any documentation explaining how to set them up.

  • What did you expect to happen?

Grafana has included additional options such as Organisation mapping and Organisation attribute path, which require users to be part of Auth0. Organisations should utilise the Generic OAuth approach to log in to Grafana. Since our goal is to allow Auth0 Org user members to log in on Grafana, all users can log in even though I added the org_mapping as org_id and org_name and the org attribute path as Auth0 Org name:Grafana Org Id:Role. This shouldn’t be the case, though, as the remaining users should either not be able to log in or should be under the Main Org.

  • Can you copy/paste the configuration(s) that you are having problems with?

[auth.generic_oauth]

allow_sign_up = true
api_url = https:/ourdomain.auth0.com/userinfo
auth_url = sameurl/authorize
enabled = true
name = Auth0
scopes = openid email profile
skip_org_role_sync = true
token_url = sameurl/authorize/oauth/token
use_pkce = true
use_refresh_token = true
org_mapping = ["smart-dev:16:Viewer"]
org_attribute_path = ["org_name"]
role_attribute_path = "Viewer"

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

{"level":"error","logger":"orgrole.mapper","mapping":"[\"smart-dev:16:Viewer\"]","msg":"Skipping org mapping due to invalid format.","t":"2025-05-09T12:38:45."}

2025-04-18T00:00:24.067+02:00 {"error":"unsuccessful response status code 404: Not found.","level":"error","logger":"oauth.generic_oauth","msg":"Error getting organizations","t":"2025-04-17T22:00:24.","url":"https://ourauthodomain.com/userinfo/orgs"}

Hi @kmo,

Welcome to the Auth0 Community !

I believe the issue here is related to how Grafana defines new users for the auth.generic_oauth configuration that do not have a specified role. If no valid role is found, the user is assigned the role specified by the auto_assign_org_role option, which has the default option set to Viewer, so that should be the reason why non-members of the organization are able to log in.

As referenced in the Configure role mapping documentation for Grafana:

You can disable this default role assignment by setting role_attribute_strict = true. This setting denies user access if no role or an invalid role is returned after evaluating the role_attribute_path and the org_mapping expressions.

The referenced documentation also provides information and examples on how to set the role_attribute_path and the org_mapping expressions, but you can check out their specific documentation here. Additionally, you might want to take a look at oauth_skip_org_role_update_sync as well.

I hope this helps!
Thanks,
Remus

@remus.ivan
I appreciate your thorough explanation. By default, the auto_assign_org_role is Viewer; if I change it to Editor, all login users will have Editor privileges, which is not what we want. I added org_attribute_path and org_mapping as seen below, but it appears that allowed_organizations is deprecated because I always get an error when I try to use it. In addition, the URL ourdomain.auth0/userinfo/orgs or API is no longer available. With the following configurations, is it possible for a user who is a member of the Auth0 Organisation to log in to Grafana? Additionally, we want to make it possible for members of Auth0 organisations to log in to Grafana.

Additionally, the Auth0 user can log in to Grafana if I add them to any organisation. I must also determine whether the user should be able to log in to Grafana if he is a member of a particular organisation.

Settings:

[auth.generic_oauth]
allow_sign_up = true
allowed_organizations = charging-dev
api_url = ourdomain.auth0/userinfo
auth_url = ourdomain.auth0/authorize
enabled = true
name = Auth0
role_attribute_path = contains(resource_access.grafana.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer' || 'NoAccess'
org_attribute_path = organization_id
org_mapping = org_QtVgvAC2CzD1:16:Viewer (And tried) [{"id":"org_QtVgvAC2CzD1"}]
scopes = openid email profile
skip_org_role_sync = true
token_url = ourdomain.auth0//oauth/token
use_pkce = true
use_refresh_token = true

If I enable allowed_organizations = charging-dev, then I will get the error

Not found.","level":"error","logger":"oauth.generic_oauth","msg":"Error getting organizations"

The raw data which I got from Auth0:

[{"id":"org_0dafu0rSzQfn","name":"org-customization-test","display_name":"Test Organization"},{"id":"org_QtVgvAC2CzD1","name":"charging-dev","display_name":"Charging DEV"}]

I couldn't find the proper way to achieve this with the help of the docs. Please assist me on this.

Hi @kmo,

I believe the issue here is related to the setting skip_org_role_sync = true, since if this option is set to false, then it will synchronize user organization role with the provider’s role, as described in this table ( you might need to scroll down to [auth.generic_oauth] ) under Grafana’s documentation.

Afterwards you can either disable the auto_assign_org_role by setting role_attribute_strict = true or assign auto_assign_org_role to None if the auto_assign_org setting is set to true.

Unfortunately all these settings and behaviors rely on Grafana’s flags and changes, so it does not fall under our scope of support, however I would recommend checking thoroughly through their examples on the matter, and if an issue persists you could also try opening a new topic on Grafana’s community forum.

Thanks,
Remus
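The two answers above describe how org_mapping, role_attribute_strict and auto_assign_org_role interact: with the default (strict off) every authenticated user falls back to Viewer in the Main Org, so non-members of the Auth0 organisation still get in. The following is an added example, not Grafana's or Auth0's code: a simplified Python model of that documented behaviour, plus a check of the `<ExternalOrg>:<GrafanaOrgIdOrName>:<Role>` format, which shows why the value with brackets and quotes from the first post was skipped. The org IDs and e-mail addresses in it are constructed.

```python
# Added example, not Grafana's code: a simplified model of the documented
# org_mapping / role_attribute_strict / auto_assign_org_role behaviour.

VALID_ORG_ROLES = {"None", "Viewer", "Editor", "Admin"}  # documented org_mapping roles

def parse_org_mapping(entries):
    """Parse '<ExternalOrg>:<GrafanaOrgIdOrName>:<Role>' entries.
    Returns (parsed, rejected); a rejected entry is one Grafana would skip."""
    parsed, rejected = [], []
    for entry in entries:
        parts = entry.split(":")
        if len(parts) != 3 or parts[2] not in VALID_ORG_ROLES:
            rejected.append(entry)  # e.g. brackets/quotes left inside the ini value
            continue
        parsed.append(tuple(parts))
    return parsed, rejected

def external_org_names(userinfo):
    """Stand-in for org_attribute_path: collect org names from the userinfo payload."""
    return {org["name"] for org in userinfo.get("organizations", [])}

def resolve_org_roles(userinfo, mapping, role_attribute_strict,
                      auto_assign_org_role="Viewer", main_org_id="1"):
    """Return {grafana_org_id: role}; an empty dict means login is denied."""
    names = external_org_names(userinfo)
    roles = {org_id: role for ext, org_id, role in mapping if ext in names}
    if roles:
        return roles
    if role_attribute_strict:
        return {}  # fail closed: no valid role resolved, so access is denied
    # fail open: the default role (Viewer unless changed) in the Main Org
    return {main_org_id: auto_assign_org_role}

# Constructed sample payloads in the shape of the raw data shown in the thread.
MEMBER = {"email": "member@example.com", "organizations": [
    {"id": "org_EXAMPLE1", "name": "charging-dev", "display_name": "Charging DEV"}]}
OUTSIDER = {"email": "outsider@example.com", "organizations": []}

if __name__ == "__main__":
    mapping, bad = parse_org_mapping(['charging-dev:16:Viewer', '["smart-dev:16:Viewer"]'])
    print("rejected:", bad)
    for strict in (False, True):
        print(f"strict={strict}", resolve_org_roles(MEMBER, mapping, strict),
              resolve_org_roles(OUTSIDER, mapping, strict))
```

With role_attribute_strict off, the outsider still resolves to Viewer in org 1; with it on, the outsider gets no role and is denied while the member keeps Viewer in org 16.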