Azure OIDC Group claim not found, now working but why?!?!

OK so I can see this exact thing has been discussed here before, and there are lots of convo’s in the google groups about this very issue.

So mine is actually working now, the groups are returned in the claim and I can assign policies using external groups and alias’s but I dont understand why this is working.

I spent days trying to troubleshoot this, trying weird and wonderful combinations of the auth/oidc/role/rolename config but always the same error

Groups not found in claim.

Every piece of hashicorp documentation, every KB I have found and almost every article of poor souls struggling on stackoverflow has the same piece of config for the role creation, namely this line

groups_claim="roles"

Except for this one glorious, magnificent pain saving article

Half way down there is a comment from rgevaert, and in there config they actually use

groups_claim="roles" \

instead of

groups_claim="groups" \

I have altered my config to be the same and boom its now working for me which is amazing, but why?

Why does it work with roles as the keyword and not groups?
Why is this not documented anywhere? (apologies if it is and ive missed it)
How did this magnificent human being know to switch that to be roles instead of groups?

Any clarification here would be massively appreciated.

Additionally when troubleshooting I could see users where able to locate at the JWT returned in logs. How do I also view this when troubleshooting. I have deployed vault to k8s on rancher and there are no logs in the containers within /vault/log or /var/log. I can see some logs by doing a kubectl logs pod-name but nothing shows for the token. Admittedly I may have missed some config in the helm chart to make it actually save log files but I dont think I have.

Thanks

I’m not sure what’s different about my setup than yours but I’m using groups_claim="groups" without issue.

I followed the instructions here: OIDC Provider Setup - Auth Methods | Vault by HashiCorp

And the application registration has the following permissions:

  • Directory.Read.All (I’m currently testing removing this as it’s a bit too broad for this purpose)
  • GroupMember.Read.All
  • User.Read
  • profile

FWIW, my environment is running on EC2 instances as opposed to Kube, I wouldn’t think that would matter but perhaps that makes a difference.

Thanks for the reply Jeff. Yeh that appears to be the case for 99% of users as well :slight_smile: groups just works.

For our app registration I am just using:

  • GroupMember.Read.All
  • profile

I did have the other 2 that you have when testing and trying to get the group one working but it didnt make a difference.

One difference I have that I think may different from others is I’m using UPN as the claim not email.

I’m using email as well. Perhaps you’re on to something with that!

Switched to email but still the same issue, hmmmmmm very strange one. Its weird cos I shouldn’t really be complaining as its working with:

groups_claim=“roles”

but this weekend beers will just not taste as good while I dont understand this