; Grafana configuration: generic OAuth2 / OIDC single sign-on against
; login.example.com. One key per line; comments sit on their own lines.

[server]
; Public base URL of this Grafana instance. The OAuth redirect URI registered
; at the identity provider has to match it (root_url + login/generic_oauth),
; so keep it https and exact.
root_url = https://grafana.example.com/

[auth.generic_oauth]
enabled = true
; Label shown on the login button.
name = Example SSO

; --- OAuth client credentials ---
client_id = grafana-production
; Placeholder value. Supply the real secret at deploy time (for example through
; Grafana's $__file{<path>} / $__env{<VAR>} expansion or the
; GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET environment override) and keep it out of
; version control; restrict read access on this file to the Grafana service user.
client_secret = replace-with-client-secret

; --- Identity provider endpoints (all https, same issuer host) ---
auth_url = https://login.example.com/oauth2/authorize
token_url = https://login.example.com/oauth2/token
api_url = https://login.example.com/oauth2/userinfo
; Key set used to check the ID token signature when validate_id_token is on.
jwk_set_url = https://login.example.com/.well-known/jwks.json

; --- Tokens ---
; Space-separated. offline_access is requested so the provider issues a refresh
; token, which use_refresh_token below depends on.
scopes = openid profile email offline_access
use_refresh_token = true
; NOTE(review): confirm the deployed Grafana version honours validate_id_token;
; an unrecognised key would leave the ID token unverified without any error.
validate_id_token = true
; NOTE(review): use_pkce is not set in this file. If the provider supports PKCE,
; enabling it hardens the authorization-code exchange - confirm and add.

; --- Who may sign in ---
; Accounts are created automatically on first login, so allowed_groups and
; allowed_domains below are the only gate on who gets an account.
allow_sign_up = true
; JMESPath into the provider's claims that yields the user's group list.
groups_attribute_path = groups
; Space-separated; a user must belong to at least one of these groups.
allowed_groups = grafana-admins grafana-editors grafana-viewers
; Matched against the e-mail claim's domain.
; NOTE(review): only meaningful if the provider releases verified addresses.
allowed_domains = example.com

; --- Role mapping ---
; JMESPath, evaluated left to right: grafana-admins -> Admin,
; grafana-editors -> Editor, anything else -> Viewer.
; The trailing 'Viewer' means the expression never comes back empty: a user whose
; groups claim is missing or misnamed is silently given Viewer instead of being
; rejected, and role_attribute_strict (not set here) would have nothing to catch.
; NOTE(review): verify that "groups" is present in the payload Grafana evaluates,
; otherwise admins and editors will land on Viewer without any error.
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor' || 'Viewer'