OIDC Role Assignment over Microsoft EntraID

[ITT424VladCojocaru]

Hi!

Does anyone else have problems with the proxy role assignment over OIDC using Microsoft EntraID?

I have setup EntraID to emit my security groups as roles and also set "roles" as my OIDC claim both through environment variable and proxy.yaml but I always get: "error":"no roles in user claims" and "Error mapping role names to role ids" in my logs and an access denied in browser. But when looking at the jwt token, there definetly are both group-IDs in "roles".

Here are the environment variables I've set(Ansible):

env:
      OC_INSECURE: "true"
      PROXY_HTTP_ADDR: "0.0.0.0:9200"
      OC_URL: "https://<redacted>:9200"
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_AUTOPROVISION_CLAIM_USERNAME: "email"
      PROXY_AUTOPROVISION_CLAIM_EMAIL: "email"
      PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME: "name"
      PROXY_AUTOPROVISION_CLAIM_GROUPS: "groups"
      PROXY_OIDC_ISSUER: "https://login.microsoftonline.com/<redacted-tenant>/v2.0"
      OC_OIDC_ISSUER: "https://login.microsoftonline.com/<redacted-tenant>/v2.0"
      WEB_OIDC_AUTHORITY: "https://login.microsoftonline.com/<redacted-tenant>/v2.0"
      WEB_OIDC_CLIENT_ID: "<redacted-client-Id>"
      WEB_OIDC_CLIENT_SECRET: "<redacted-secret>"
      WEB_OIDC_SCOPE: "openid profile User.Read email"
      PROXY_USER_OIDC_CLAIM: "email"
      PROXY_USER_CS3_CLAIM: "mail"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "roles"
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
      OC_EXCLUDE_RUN_SERVICES: "idp"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
      PROXY_CSP_CONFIG_FILE_LOCATION: "/etc/opencloud/csp.yaml"
      DECOMPOSEDS3_ENDPOINT: "<redacted-endpoint>"
      DECOMPOSEDS3_REGION: "eu-central-1"
      DECOMPOSEDS3_ACCESS_KEY: "<redacted-key>"
      DECOMPOSEDS3_SECRET_KEY: "<redacted-secret>"
      DECOMPOSEDS3_BUCKET: "my-bucket"

Here's my proxy.yaml:

role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: roles
    role_mapping:
      - role_name: admin
        claim_value: "<Redacted-admin-group-ID>"
      - role_name: user
        claim_value: "<Redacted-user-group-ID>"

Can anyone please help me out? 😅

[0x3e4]

same.. i cant have it working with Entra ID.
but i think you have to expose an api in the app registrations and use the application id uri scope then but somehow OpenCloud doesnt accept a uri-like scope there and also configure the app roles there like you have it in your proxy.yaml:

WEB_OIDC_SCOPE='openid profile email offline_access api://UID/roles'

my error with these settings is -> "Access token validation failure. Invalid audience.