Import users for OIDC authmethod

I’m using Boundary v0.2.0 and would like to add OIDC authmethod and leave it as non-default, so users won’t be created automatically during the first ‘authenticate’. Instead of I’d like to control how I ‘import’ users, add to groups etc (using API)

I know I can add users/accounts and ‘link’ them together. I have a problem with the subject for the account.

If I use Auth0 - I can do it because sub in the token is set to userId from Auth0.
But for Azure AD (my preferred OIDC provider) it’s not possible to get sub for the user because it’s unique for each Azure AD Application (the same user will have a different sub for different Application), and not possible to get using MS Graph API.

Is there any ‘workaround’ now (or potentially in the future) to add users/accounts related to Azure AD by API without having the sub?
Or the only way to do it (today and in the future) is to set the Azure AD OIDC authmethod as the primary authmethod, wait until the user will ‘authenticate’ for the first time, and then properly ‘manipulate’ user/account/group (what won’t be the best UX)?

Good afternoon! Thank you for posting this question. You’re correct the current workflow is less than ideal and it’s something we want to address. For now, the only solution is the one you referenced: make the auth method the primary auth method.

That’s great it will be improved in the future.
Just curious, do you already know how it can be changed? I mean will the ‘subject’ be not required when creating an account (because as I wrote it’s not possible to get it from AAD)?
Also, is it worth creating an issue in the Boundary Github repo? To make it more visible to people looking for a solution there. Do you make any backlog prioritizing based on the issues created and ‘voted’ by people outside of boundary dev team?

Please note the PR description which highlights that you can’t change how the “sub” claim is mapped once the auth-method is created: https://github.com/hashicorp/boundary/pull/1186#issue-628436510

Thanks, that was really fast!
I built boundary from main branch, created auth-method with "oid=sub" claim mapping but getting error like:

upsertAccount%3A+mapping+%27claim%27+oid+to+account+subject+and+it+is+not+present+in+ID+Token%3A+unknown%3A+error+%230"%7D

It’s not indeed in id token, to get it we need to have ‘profile’ scope (Microsoft identity platform ID tokens - Microsoft identity platform | Microsoft Docs),

Request to
https://login.microsoftonline.com//oauth2/v2.0/authorize contains only scope=openid

I tried and modified the scope (adding profile) and it worked.
I don’t know if “scope=openid profile” should be added by default or also configured.

 -claims-scopes=<string>
      The optional claims scope requested. May be specified multiple times.

There’s one more PR you may be interested in, which makes all OIDC Callback URLs deterministic. FYI, all of this will be included in the 0.2.1. release.

thank you!
I missed that because I was hacking the 0.2.0 version instead of the built one…
and yes, I’ve already seen change in callback URL pattern
All of that is making OIDC much simpler to set up.