Description
What problem did you meet?
Title: How to prevent users without a specific role from signing in to an application (Grafana) in Logto?
Hi Logto team,
I’m integrating Logto with Grafana via OIDC and I want to restrict access based on roles.
My current setup:
- I created a permission resource named `grafana`
- I created a role `grafana-viewer` and assigned the `grafana` permission to it
- User A is assigned the `grafana-viewer` role
- User B has no `grafana-viewer` role
In Grafana’s OIDC configuration, I use the following scopes:
`scope=openid offline_access grafana roles profile email`
However, with this setup:
- Both user A and user B can successfully sign in to Grafana
I expected that:
- User A (with `grafana-viewer`) can sign in
- User B (without `grafana-viewer`) should be denied access
It seems that including grafana in the scope only affects what is returned in the token, but does not prevent users without that role from signing in.
My questions:
- Is `scope` supposed to control access, or only what claims/permissions are returned in the token?
- What is the recommended way in Logto to restrict an Application so that only users with a specific role (e.g. `grafana-viewer`) can sign in?
- Is this done via Application-level access control (e.g. "Only allow users with specific roles") rather than via scopes?
I want the authorization to fail during the Logto sign-in flow itself, so that users without the required role cannot complete the login to Grafana at all.
Thanks!
Describe what you'd like Logto to have
I want to disallow someone from accessing one app.
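The distinction the issue runs into, that a scope only decides which claims end up in the ID token while a separate authorization check decides whether the login is accepted, can be shown with a small relying-party model. The following is an added example written for this page; it is not Logto's or Grafana's code and not from the issue author. It assumes the provider exposes the user's roles as a list under a `roles` claim (the claim the `roles` scope is expected to populate) and, purely to keep the example offline, signs constructed tokens with a shared HS256 secret; a real OIDC provider signs with an asymmetric key that the client verifies against the provider's JWKS. Both constructed users get a perfectly valid token; only the explicit role check separates them.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this demo only. A real OIDC provider such as
# Logto signs ID tokens with an asymmetric key, and the client verifies them
# against the provider's published JWKS instead of a shared secret.
DEMO_SECRET = b"demo-secret-not-for-production"
REQUIRED_ROLE = "grafana-viewer"  # role the application should require


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Check the signature and return the claims; raises ValueError on a bad signature.

    This answers "is the token genuine?", not "may this user use the app?".
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))


def authorize(claims: dict, required_role: str = REQUIRED_ROLE) -> bool:
    """Application-side role check: allow only if the roles claim lists the required role.

    Assumes a 'roles' claim holding a list of role names (hypothetical claim shape);
    a missing claim or an unexpected type is treated as "no roles" and denied.
    """
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        return False
    return required_role in roles


def login_decision(token: str, required_role: str = REQUIRED_ROLE) -> str:
    """Full relying-party decision: 'denied' for a bad token or a missing role, else 'allowed'."""
    try:
        claims = verify_id_token(token)
    except ValueError:
        return "denied"
    return "allowed" if authorize(claims, required_role) else "denied"


# Constructed tokens mirroring user A (has grafana-viewer) and user B (has no role).
USER_A_TOKEN = mint_id_token({"sub": "user-a", "email": "a@example.com", "roles": ["grafana-viewer"]})
USER_B_TOKEN = mint_id_token({"sub": "user-b", "email": "b@example.com", "roles": []})

if __name__ == "__main__":
    for name, tok in (("user A", USER_A_TOKEN), ("user B", USER_B_TOKEN)):
        # Both tokens verify: the scopes and claims alone decide nothing about access.
        print(name, "token valid:", bool(verify_id_token(tok)), "login:", login_decision(tok))
```

Wherever the check lives (in the provider's sign-in flow, as the issue asks for, or in the client as a fallback), the point is the same: the token stays valid for user B, so the denial has to come from an explicit policy that consults the role claim, not from the scope list.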