OIDC filtering userinfo/groups

Has anyone else tried to create a managed group in Boundary and have a filter on the groups?

I have tried to create a managed group with either of these filters:

"1d19cca3e531" in "/userinfo/groups"

"45fbc535-4e9b-4927-8789-1d19cca3e531" in "/userinfo/groups"

Neither of these adds any user to the group, even though the users have that group in their manifest. Any ideas why Boundary cannot get the information it needs to add a user?

With the second filter, it won't even let me log in with OIDC; it gives me this error message:
unknown%2C+unknown%3A+error+%230%3A+unable+to+find+suitable+primitive+comparison+function+for+matching%22%7D

It does give information that the callback validation failed; however, it does show in AAD.

Any ideas/solutions gratefully received.

The user group you want to use in the filter is the name that comes from your IdP in the OIDC groups claim. Some providers don't send that by default, so you may need to configure extra claims for your app.

I'd suggest you use a tool like cloudentity/oauth2c on GitHub (a user-friendly OAuth2 CLI) to get your OIDC app configured correctly and be able to see the attributes and values in the claims sent by your provider.

I'm pretty sure it's coming back, as this is part of the information that gets returned when doing a Boundary accounts read:
userinfo_claims:
{
  "amr": "["pwd","mfa"]",
  "family_name": "Tolley",
  "given_name": "Mark",
  "groups": [
    "["45fbc535-4e9b-4927-8789-1d19cca3e531"]"
  ],
  "ipaddr": "77.99.229.0"

I can successfully filter on “mfa” in “/userinfo/amr” which does add the members to the managed group, but obviously I want to filter on the groups.

Looks like there's a nested list inside the groups list.

Is this Azure AD? For that, instead of /userinfo/groups I used /token/groups last time I did an Azure AD OIDC provider for Boundary, and my filter looked like this:
"[group GUID]" in "/token/groups"
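To make the two replies above concrete (the nested-list observation and the switch from /userinfo/groups to /token/groups), here is an added illustration that is not Boundary's code and not from anyone in this thread. Boundary evaluates managed-group filters with HashiCorp's go-bexpr library; this toy reimplements only the `"<value>" in "<selector>"` form, enough to show why a group claim that arrives as a list inside a list cannot be matched, while a flat list can. The claims document is constructed from the accounts-read output quoted above; that the ID token carries `groups` as a flat list is an assumption, not something the thread shows. It also includes a small pre-flight check an operator can run over a claims dump to find list claims that `in` will never match against.

```python
import re

# Constructed sample claims, modelled on the `boundary accounts read` output
# quoted in the thread. userinfo.groups carries a nested list (the situation
# the thread identifies); token.groups is a flat list, which is an ASSUMPTION
# about the ID token, not something the thread shows.
GROUP_GUID = "45fbc535-4e9b-4927-8789-1d19cca3e531"
CLAIMS = {
    "userinfo": {
        "amr": ["pwd", "mfa"],
        "family_name": "Tolley",
        "given_name": "Mark",
        "groups": [[GROUP_GUID]],   # nested: a list inside the groups list
        "ipaddr": "77.99.229.0",
    },
    "token": {
        "groups": [GROUP_GUID],     # flat list of group GUIDs (assumption)
    },
}

PRIMITIVE = (str, int, float, bool)
FILTER_RE = re.compile(r'^"(?P<value>[^"]*)"\s+in\s+"(?P<selector>[^"]*)"$')


def resolve_selector(claims, selector):
    """Walk a '/a/b' selector (JSON-pointer style path) through nested dicts."""
    node = claims
    for part in selector.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"selector {selector!r}: no field {part!r}")
        node = node[part]
    return node


def evaluate_filter(expr, claims):
    """Evaluate '"<value>" in "<selector>"' against a claims document.

    Toy model of the 'in' operator only. A list target matches when one of
    its *primitive* elements equals the value; a non-primitive element
    (such as a nested list) has no comparison function, so we raise, which
    mirrors the "unable to find suitable primitive comparison function"
    login error quoted in the question.
    """
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    value, selector = m.group("value"), m.group("selector")
    target = resolve_selector(claims, selector)
    if isinstance(target, str):
        return value in target            # substring match on a string claim
    if isinstance(target, dict):
        return value in target            # key membership on an object claim
    if isinstance(target, list):
        for element in target:
            if not isinstance(element, PRIMITIVE):
                raise TypeError(
                    f"{selector}: element {element!r} is a "
                    f"{type(element).__name__}, no suitable primitive "
                    "comparison function"
                )
        return any(str(element) == value for element in target)
    raise TypeError(f"{selector}: cannot apply 'in' to {type(target).__name__}")


def find_nested_lists(claims, prefix=""):
    """Pre-flight check: return selectors whose list value contains a
    non-primitive element, i.e. claims an 'in' filter can never match on."""
    bad = []
    for key, val in claims.items():
        path = f"{prefix}/{key}"
        if isinstance(val, dict):
            bad.extend(find_nested_lists(val, path))
        elif isinstance(val, list) and any(
            not isinstance(e, PRIMITIVE) for e in val
        ):
            bad.append(path)
    return bad


if __name__ == "__main__":
    for expr in ('"mfa" in "/userinfo/amr"',
                 f'"{GROUP_GUID}" in "/userinfo/groups"',
                 f'"{GROUP_GUID}" in "/token/groups"'):
        try:
            print(f"{expr:70} -> {evaluate_filter(expr, CLAIMS)}")
        except TypeError as exc:
            print(f"{expr:70} -> error: {exc}")
    print("claims unusable with 'in':", find_nested_lists(CLAIMS))
```

Run against the constructed claims, the `amr` filter matches (flat list of strings), the `/userinfo/groups` filter fails with the comparison-function error because its only element is itself a list, and the `/token/groups` filter matches. The `find_nested_lists` check reports only `/userinfo/groups`, which is the claim to avoid in the filter; the real way to confirm what your IdP sends remains inspecting the actual claims, as the earlier reply suggests.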