JWT: Find login and email claims with JMESPATH (#85305)

* add function to static function to static service * find email and login claims with jmespath * rename configuration files * Replace JWTClaims struct for map * check for subclaims error
2025-02-25 18:55:37 -06:00 · 2024-03-28 10:25:26 -06:00
parent 18f3c7188b
commit e4250a72db
9 changed files with 122 additions and 21 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/jwt/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/jwt/index.md
@@ -62,6 +62,32 @@ email_claim = sub

 If `auto_sign_up` is enabled, then the `sub` claim is used as the "external Auth ID". The `name` claim is used as the user's full name if it is present.

+Additionally, if the login username or the email claims are nested inside the JWT structure, you can specify the path to the attributes using the `username_attribute_path` and `email_attribute_path` configuration options using the JMESPath syntax.
+
+JWT structure example.
+
+```json
+{
+  "user": {
+    "UID": "1234567890",
+    "name": "John Doe",
+    "username": "johndoe",
+    "emails": ["personal@email.com", "professional@email.com"]
+  }
+}
+```
+
+```ini
+# [auth.jwt]
+# ...
+
+# Specify a nested attribute to use as a username to sign in.
+username_attribute_path = user.username # user's login is johndoe
+
+# Specify a nested attribute to use as an email to sign in.
+email_attribute_path = user.emails[1] # user's email is professional@email.com
+```
+
 ## Iframe Embedding

 If you want to embed Grafana in an iframe while maintaining user identity and role checks,