Lukasz
There is a PR that adds support for disabling group scope: https://github.com/weaveworks/weave-gitops/pull/2745
Duplicate: https://github.com/weaveworks/weave-gitops/issues/2507
Two issues:
- impersonation for `groups` requires access to `impersonate` on `users` resource at cluster scope level (overall bad idea)
- `impersonationResourceNames: ["gitops-reader"]` does not match group in logs `"groups":...
Thank you for the pointer to #8344. It looks like there is a different issue with containerSet. I tested these:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: test
spec:
  entrypoint: main...
```
I am running a custom build that includes PR #2745 - I am using AzureAD with AKS 1.24.6
This one can be closed - see above solution or https://github.com/weaveworks/weave-gitops/pull/2745#issuecomment-1434189481
Verified that it is working in v0.17.0.
Closing. Since https://github.com/weaveworks/weave-gitops/pull/3234 you can override scopes using the secret's `customScopes` or `--custom-oidc-scopes=openid,profile,email`. If you use Azure's App Roles you can also use the claim's roles as groups; just set the secret's `claimGroups:...
@audunsolemdal Double check if the authorization request has email in scope. If you use the `Secret` `oidc-auth`, check if you have defined: `customScopes: openid,profile,email`
Is email associated with Azure AD account that...