From 66001a3e88074dae92996b63c78462e9bec513ed Mon Sep 17 00:00:00 2001
From: cornfeedhobo <cornfeedhobo@users.noreply.github.com>
Date: Tue, 9 Jan 2024 22:00:24 -0600
Subject: [PATCH] website/integrations: fix Grafana role mapping docs (#8110)

---
 .../integrations/services/grafana/index.mdx   | 37 +++----------------
 1 file changed, 6 insertions(+), 31 deletions(-)

diff --git a/website/integrations/services/grafana/index.mdx b/website/integrations/services/grafana/index.mdx
index 2de91535a..6c6cdc08f 100644
--- a/website/integrations/services/grafana/index.mdx
+++ b/website/integrations/services/grafana/index.mdx
@@ -17,29 +17,20 @@ The following placeholders will be used:
 -   `grafana.company` is the FQDN of the Grafana install.
 -   `authentik.company` is the FQDN of the authentik install.
 
-Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
+Create an OAuth2/OpenID provider with the following parameters:
 
 -   Client Type: `Confidential`
 -   Scopes: OpenID, Email and Profile
 -   Signing Key: Select any available key
 -   Redirect URIs: `https://grafana.company/login/generic_oauth`
 
-Additionally, because Grafana has its own concept of groups, we need to create a custom Scope Mapping to ensure Grafana can read the user's groups assigned within authentik. It should contain the following expression:
+Note the Client ID and Client Secret values.
 
-```json
-return {
-  "info": { "groups": [group.name for group in request.user.ak_groups.all()] },
-}
-```
-
-This ensures that groups are available under `info.groups[]`, which can be used later in [Role Mapping](#role-mappings).
-
-Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
+Create an application, using the provider you've created above. Note the slug of the application you've created.
 
 ## Terraform provider
 
 ```hcl
-
 data "authentik_flow" "default-provider-authorization-implicit-consent" {
   slug = "default-provider-authorization-implicit-consent"
 }
@@ -56,16 +47,6 @@ data "authentik_scope_mapping" "scope-openid" {
   name = "authentik default OAuth Mapping: OpenID 'openid'"
 }
 
-resource "authentik_scope_mapping" "scope-grafana-roles" {
-  name = "Grafana Groups"
-  scope_name = "grafana-groups"
-  expression = <<EOF
-return {
-  "info": { "groups": [group.name for group in request.user.ak_groups.all()] },
-}
-EOF
-}
-
 resource "authentik_provider_oauth2" "grafana" {
   name          = "Grafana"
   #  Required. You can use the output of:
@@ -83,7 +64,6 @@ resource "authentik_provider_oauth2" "grafana" {
     data.authentik_scope_mapping.scope-email.id,
     data.authentik_scope_mapping.scope-profile.id,
     data.authentik_scope_mapping.scope-openid.id,
-    authentik_scope_mapping.scope-grafana-roles.id,
   ]
 }
 
@@ -136,7 +116,7 @@ environment:
     # Optionally enable auto-login (bypasses Grafana login screen)
     GF_AUTH_OAUTH_AUTO_LOGIN: "true"
     # Optionally map user groups to Grafana roles
-    GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+    GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
 ```
 
   </TabItem>
@@ -159,7 +139,7 @@ auth_url = https://authentik.company/application/o/authorize/
 token_url = https://authentik.company/application/o/token/
 api_url = https://authentik.company/application/o/userinfo/
 # Optionally map user groups to Grafana roles
-role_attribute_path = contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
+role_attribute_path = contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
 ```
 
   </TabItem>
@@ -181,7 +161,7 @@ grafana.ini:
         token_url: "https://authentik.company/application/o/token/"
         api_url: "https://authentik.company/application/o/userinfo/"
         # Optionally map user groups to Grafana roles
-        role_attribute_path: contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
+        role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
 ```
 
 :::note
@@ -198,11 +178,6 @@ In the configuration above you can see an example of a role mapping. Upon login,
 In the example shown above, one of the specified group names is "Grafana Admins". If the user is a member of this group, they will be granted the "Admin" role in Grafana.
 If the user is not a member of the "Grafana Admins" group, it moves on to see if the user is a member of the "Grafana Editors" group. If they are, they are granted the "Editor" role. Finally, if the user is not found to be a member of either of these groups, it fails back to granting the "Viewer" role.
 
-```text
-contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
-         ^ attribute     ^ group to search for^ role to grant                                                       ^ or grant "Viewer" role.
-```
-
 For more information on group/role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).
 
 ### Grafana Configuration Considerations