fix(auth): fix admin permissions and logout redirection

Author: USHER-PB

.github/workflows/deploy-lgtm-gke.yaml

@@ -37,6 +37,7 @@ permissions:
   contents: read
   pull-requests: write
   id-token: write
+  actions: write
 
 env:
   TERRAFORM_VERSION: '1.6.0'

lgtm-stack/terraform/keycloak.tf

@@ -36,7 +36,10 @@ resource "keycloak_openid_client" "grafana" {
   admin_url = "https://grafana.${var.monitoring_domain}"
 
   valid_redirect_uris = [
-    "https://grafana.${var.monitoring_domain}/login/generic_oauth"
+    "https://grafana.${var.monitoring_domain}/login/generic_oauth",
+    # Required for KC 18+ post-logout redirect — must match the URI
+    # passed in signout_redirect_url's post_logout_redirect_uri param.
+    "https://grafana.${var.monitoring_domain}/login"
   ]
 
   web_origins = [

lgtm-stack/terraform/values/grafana-values.yaml

@@ -93,9 +93,15 @@ grafana.ini:
     role_attribute_path: "contains(roles[*], 'grafana-admin') && 'Admin' || contains(roles[*], 'grafana-editor') && 'Editor' || contains(roles[*], 'grafana-viewer') && 'Viewer'"
 
     # STRICT: if a user has no matching role, their login is REJECTED.
-    # This blocks any netbird-realm user who isn't in a grafana-* group.
+    # This blocks any argocd-realm user who isn't in a grafana-* group.
     role_attribute_strict: true
 
+    # Promote OAuth Admins to Grafana Server Admin so they can manage
+    # all users via Administration → Users and access.
+    # Without this, OAuth users are only Org Admins and get
+    # 'org.users:read / org.users:add' permission errors.
+    allow_assign_grafana_admin: true
+
     # ---- Group-Based Access Control (via groups[] claim) ----
     # Only users in one of these groups can log in. Everyone else
     # in the netbird realm is completely blocked from Grafana.
@@ -106,9 +112,11 @@ grafana.ini:
     # Requires 'offline_access' in scopes (already set above).
     use_refresh_token: true
 
-    # Single Logout: after signing out of Grafana, the user is
-    # also logged out of Keycloak and redirected back to login.
-    signout_redirect_url: ${keycloak_url}/realms/${keycloak_realm}/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fgrafana.${monitoring_domain}%2Flogin
+    # Single Logout: signs the user out of Keycloak then redirects
+    # back to Grafana's login page.
+    # KC 18+ requires client_id (or id_token_hint) for post_logout_redirect_uri
+    # to be honoured — without it the user lands on a blank Keycloak page.
+    signout_redirect_url: ${keycloak_url}/realms/${keycloak_realm}/protocol/openid-connect/logout?client_id=grafana-oauth&post_logout_redirect_uri=https%3A%2F%2Fgrafana.${monitoring_domain}%2Flogin
 
 datasources:
   datasources.yaml: