Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
So I struggled a bit with setting up Grafana OAuth with Authentik following the official integration docs. Once the flow was in place, I could authenticate with Authentik, but upon redirecting back to Grafana I was getting User sync error.
Grafana logs showed this:
grafana | logger=user.sync t=2026-03-29T21:24:34.648239877Z level=error msg="Failed to update user attributes" error="cannot remove last grafana admin" id= isProvisioned=false login=<my login> email= name=<my authentik name> isGrafanaAdmin=false emailVerified=null
grafana | logger=user.sync t=2026-03-29T21:24:34.648275239Z level=error msg="Failed to update user" error="cannot remove last grafana admin" auth_module=oauth_generic_oauth auth_id=dd750379cc609871e224a531d470b56b20b445b764c23e45ef3d68fc93ed2cee
grafana | logger=authn.service t=2026-03-29T21:24:34.648290282Z level=error msg="Failed to run post auth hook" client=auth.client.generic_oauth id= error="[user.sync.internal] unable to update user"
grafana | logger=context userId=0 orgId=0 uname= t=2026-03-29T21:24:34.650614575Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=172.19.0.1 time_ms=1184 duration=1.184828409s size=29 referer= handler=/login/:name status_source=server
I figured the cause is because of my setup:
- had a Grafana admin created
- tried to login and sync an Authentik admin with the same credentials
- Grafana may have some logic that for syncing existing users, triggers a check for removing last admin and fails
Link
https://integrations.goauthentik.io/monitoring/grafana/
Solution
In the Grafana OAuth settings I disabled Allow assign Grafana admin and changed the email address to other than in authentik. I then created the account via OAuth which worked! Subsequently, I logged back into the non-OAuth Grafana account, gave my new OAuth user admin rights and then deleted the non-OAuth account.
I realize it's a bit hacky, but maybe it's worth to add this workaround to the docs?
Additional context
No response
Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
So I struggled a bit with setting up Grafana OAuth with Authentik following the official integration docs. Once the flow was in place, I could authenticate with Authentik, but upon redirecting back to Grafana I was getting User sync error.
Grafana logs showed this:
I figured the cause is because of my setup:
Link
https://integrations.goauthentik.io/monitoring/grafana/
Solution
In the Grafana OAuth settings I disabled
Allow assign Grafana adminand changed the email address to other than in authentik. I then created the account via OAuth which worked! Subsequently, I logged back into the non-OAuth Grafana account, gave my new OAuth user admin rights and then deleted the non-OAuth account.I realize it's a bit hacky, but maybe it's worth to add this workaround to the docs?
Additional context
No response