Docs: Add a note about email being required and the usage of sub claim (#112065)

* Docs: Add a note about email being required and the usage of sub claim

* Update docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

---------

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
Vardan Torosyan 2025-10-07 17:40:50 +02:00 committed by GitHub
parent ed2cecf36e
commit f06a12717b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 19 additions and 0 deletions


@ -130,6 +130,10 @@ Grafana can resolve a user's login from the OAuth2 ID token, user information re
Grafana looks at these sources in the order listed until it finds a login.
If no login is found, then the user's login is set to user's email address.
{{< admonition type="important" >}}
Email is required for successful sign-up and login with Generic OAuth. Even if you map `login` from another claim (for example `sub`), Grafana still requires the user to have an email. Ensure your provider returns an email claim or configure `email_attribute_path` so Grafana can resolve it. Including the `email` scope is strongly recommended (for OIDC providers use `openid profile email`).
{{< /admonition >}}
Refer to the following table for information on what to configure based on how your Oauth2 provider returns a user's login:
| Source of login | Required configuration |
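Review bot: The admonition's "configure `email_attribute_path` so Grafana can resolve it" leaves the reader without a pointer to where that option is documented; since the note applies to every login source (including the `sub` case added further down), consider adding a link to the section that covers email resolution, or stating in the note that `email_attribute_path` is evaluated against the same three sources (ID token, UserInfo response, access token) listed for the login. The scope advice is also stated twice on this page once the `sub` section lands; keeping the "strongly recommended" wording here and only referencing it below would avoid the two sentences drifting apart in future edits.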
@ -141,6 +145,21 @@ Refer to the following table for information on what to configure based on how y
| `login` or `username` field of the OAuth2 access token. | N/A |
| Another field of the OAuth2 access token. | Set `login_attribute_path` configuration option. |
#### Use the `sub` claim for login
Most of the OAuth2 providers expose a stable subject identifier in the `sub` claim. You can use it to populate the Grafana login by setting `login_attribute_path` to `sub`. Because email is still required, also make sure Grafana can resolve the user's email (for example by including the `email` scope or mapping a custom field via `email_attribute_path`).
Example configuration:
```ini
[auth.generic_oauth]
enabled = true
scopes = openid profile email
login_attribute_path = sub
# If your provider does not return `email` at the top level, map it explicitly
# email_attribute_path = user.email
```
### Configure display name
Grafana can resolve a user's display name from the OAuth2 ID token, user information retrieved from the OAuth2 UserInfo endpoint, or the OAuth2 access token.
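Review bot: The `[auth.generic_oauth]` example under "Use the `sub` claim for login" omits the options a working provider section needs (`client_id`, `client_secret`, `auth_url`, `token_url`), so a reader copying it verbatim ends up with a non-functional block; either label it as a fragment, e.g. "Example configuration (only the options relevant to this section are shown):", or add the missing keys with placeholder values. Two smaller points: the commented `# email_attribute_path = user.email` suggests `email_attribute_path` takes a nested path, which is only correct because the option is a JMESPath expression, so it would help to say so (and that a bare `sub` is therefore valid for `login_attribute_path`); and since `sub` is usually an opaque identifier, a sentence noting that logins will then be opaque strings rather than human-readable names (which is exactly why the email requirement still matters) would set expectations for administrators reviewing user lists.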