Question on using Keycloak as my IDP.
It's configured and working.
I want to have a role in Keycloak that is published in the claim so I can define who is an admin.
The docs aren't quite clear about this.
I see there is an AUTH_OIDC_GROUPS_CLAIM and AUTH_OIDC_EXTRACT_GROUPS_ENABLED, which means it pulls from the default groups,
but how can that map to admin, edit, viewer?
https://datahubproject.io/docs/deploy/environment-vars
I've done this before for Grafana.
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
In Grafana you configure it to look for GrafanaAdmin or Admin or Editor or Viewer, and the default if not found is Viewer.
role_attribute_path = contains(resource_access.grafana_oauth.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.grafana_oauth.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana_oauth.roles[*], 'editor') && 'Editor' || 'Viewer'
FYI. To get more advanced, my Keycloak is configured using SAML, so I actually pull the corp groups and can assign these to attributes of the Keycloak user and then map them into an actual group claim, which would give me more of an AD-driven admin setup… but getting the basics working first is my goal.
Any help would be great.
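As an added illustration (not code from the post, Grafana or DataHub), the precedence logic of the quoted role_attribute_path expression, written out in plain Python over a decoded token payload so the fallback and claim-path behaviour can be seen on sample claims. The client id grafana_oauth, the role names and the sample payloads are assumptions; JMESPath contains() is an exact-match comparison, which the example reproduces.

```python
"""Role precedence over decoded OIDC claims (added example, not Grafana's own code)."""
from typing import Any, Dict, List, Sequence, Tuple

# Same order and fallback as the quoted expression: first match wins, Viewer is the default.
GRAFANA_PRECEDENCE: Sequence[Tuple[str, str]] = (
    ("grafanaadmin", "GrafanaAdmin"),
    ("admin", "Admin"),
    ("editor", "Editor"),
)
DEFAULT_ROLE = "Viewer"


def claim_list(claims: Dict[str, Any], path: str) -> List[str]:
    """Walk a dotted claim path such as 'resource_access.grafana_oauth.roles' and
    return the list found there, or [] if any segment is missing or not a list."""
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return [str(v) for v in node] if isinstance(node, list) else []


def resolve_role(claims: Dict[str, Any], path: str,
                 precedence: Sequence[Tuple[str, str]] = GRAFANA_PRECEDENCE,
                 default: str = DEFAULT_ROLE) -> str:
    """Return the mapped role of the first marker present in the claim list, else the
    default. Comparison is exact and case-sensitive, like JMESPath contains(), so a
    Keycloak role named 'Admin' does not match 'admin' and the user lands as Viewer."""
    roles = claim_list(claims, path)
    for marker, mapped in precedence:
        if marker in roles:
            return mapped
    return default


# Constructed sample payloads (assumed already signature-verified and decoded by the
# OIDC client). They exercise a match, a case mismatch and a missing claim path.
SAMPLE_ADMIN = {"sub": "u1", "resource_access": {"grafana_oauth": {"roles": ["editor", "admin"]}}}
SAMPLE_CASE = {"sub": "u2", "resource_access": {"grafana_oauth": {"roles": ["Admin"]}}}
SAMPLE_NO_CLAIM = {"sub": "u3", "groups": ["/corp/platform-admins"]}
ROLES_PATH = "resource_access.grafana_oauth.roles"

if __name__ == "__main__":
    for c in (SAMPLE_ADMIN, SAMPLE_CASE, SAMPLE_NO_CLAIM):
        print(c["sub"], "->", resolve_role(c, ROLES_PATH))
    # The same resolver works over a flat groups claim with its own precedence table.
    print("u3 via groups ->", resolve_role(SAMPLE_NO_CLAIM, "groups", (("/corp/platform-admins", "Admin"),)))
```

The second resolve_role call shows the same precedence approach applied to a top-level groups claim, which is the shape a group-based mapping would consume; only the claim path and the marker table change.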