
[oauth] group mapping parsing error from entra

Open sks opened this issue 2 months ago • 0 comments

Preflight Checklist

  • [x] I agree to follow the Code of Conduct that this project adheres to.
  • [x] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [x] I am not looking for support or already pursued the available support channels without success.

Version

v2.44.0

Storage Type

Postgres

Installation Type

Official Helm chart

Expected Behavior

When connecting with Microsoft Entra using the oauth mechanism, the groups must come as strings.

Actual Behavior

Not sure why, but Entra is sending the group/role claims as a JSON string in the userInfo response.

This causes the groups/roles to be mapped as stringified JSON, which is not usable.

Steps To Reproduce

  1. Create the application in Entra
  2. Configure dex to use Entra

Additional Information

  • I am using the manifest entry:
"additionalProperties": [
    "cloud_displayname",
    "emit_as_roles"
]

Configuration

- type: oauth
  id: Entra
  name: Entra ID
  config:
    clientSecret: "CLIENT_SECRET"
    clientID: "CLIENT_ID"
    tokenURL: "https://login.microsoftonline.com/XXXXX/oauth2/token"
    authorizationURL: "https://login.microsoftonline.com/XXXXX/oauth2/authorize"
    userInfoURL: "https://login.microsoftonline.com/XXXXX/openid/userinfo"
    scopes: ["openid", "profile", "email"]
    redirectURI: "https://tunnel.usw3.devtunnels.ms/dex/callback"
    userIDKey: "oid"
    claimMapping: { "userNameKey": "name", "groupsKey": "roles" }

Logs


sks avatar Oct 18 '25 04:10 sks
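
The following sketch is an added example, not dex's connector code and not part of the original report. It shows one way to normalize a groups claim that may arrive as a JSON array, a plain string, or a string holding a JSON-encoded array, rejecting anything else so that a malformed claim never becomes a group name. The function names, the sample userinfo body, and the exact stringified shape are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// normalizeGroups turns a decoded userinfo claim into group names. It accepts a
// JSON array, a plain string, or a string holding a JSON-encoded array (assumed
// shape of the claim in this report). Anything else is an error: fail closed.
func normalizeGroups(claim interface{}) ([]string, error) {
	switch v := claim.(type) {
	case nil: // claim absent: no groups
		return nil, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, g := range v {
			s, ok := g.(string)
			if !ok {
				return nil, fmt.Errorf("non-string group entry: %v", g)
			}
			out = append(out, s)
		}
		return out, nil
	case string:
		t := strings.TrimSpace(v)
		if !strings.HasPrefix(t, "[") {
			return []string{t}, nil // ordinary single-valued claim
		}
		var inner []string
		if err := json.Unmarshal([]byte(t), &inner); err != nil {
			return nil, fmt.Errorf("groups claim is not a JSON string array: %w", err)
		}
		return inner, nil
	}
	return nil, fmt.Errorf("unsupported groups claim type %T", claim)
}

// groupsFromUserInfo extracts the claim named by groupsKey from a userinfo body.
func groupsFromUserInfo(body []byte, groupsKey string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return normalizeGroups(claims[groupsKey])
}
func main() {
	body := []byte(`{"oid":"example-oid","roles":"[\"admin\",\"viewer\"]"}`) // constructed sample
	fmt.Println(groupsFromUserInfo(body, "roles"))
}
```

Without this kind of normalization the whole stringified array is treated as a single group name, so no group-based authorization rule downstream will match it.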