From e7b8b82c14c625a5ef883cc5cf20e797d659cdba Mon Sep 17 00:00:00 2001
From: Ron D <106610617+rgnvldr@users.noreply.github.com>
Date: Thu, 12 Jan 2023 06:41:30 -0800
Subject: [PATCH] Correct invalid groups_attribute_path option + added details
 for nested groups (#61202)

* Correct invalid groups_attribute_path option + added details for nested groups

* Update docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* linting

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
---
 .../configure-authentication/keycloak/index.md           | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md
index a362ac8b8fe..ac88eaad66a 100644
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md
@@ -109,7 +109,14 @@ This will add the `groups` claim to the id_token. You can then use the `groups`
 
 ```ini
 [auth.generic_oauth]
-group_attribute_path = groups
+groups_attribute_path = groups
+```
+
+If you use nested groups containing special characters such as quotes or colons, the JMESPath parser can perform a harmless reverse function so Grafana can properly evaluate nested groups. The following example shows a parent group named `Global` with nested group `department` that contains a list of groups:
+
+```ini
+[auth.generic_oauth]
+groups_attribute_path = reverse("Global:department")
 ```
 
 ## Enable Single Logout