akhq
BUG: OIDC Azure provider - There are no groups in the response
The problem:
The number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT, including nested groups. In larger organizations, the number of groups where a user is a member might exceed the limit that Azure AD will add to a token. Exceeding a limit can lead to unpredictable results.
Ref: https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-fed-group-claims#group-filtering
So if a user has 150+ groups (including subgroups), there will be no groups in the response at all, and Azure expects the application to make a second request to GraphQL for the groups only.
Example:
DEBUG in application: Body: {"providerType":"OIDC","providerName":"azuread","username":"[email protected]"}
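For readers hitting the same symptom, the following is an added example (not AKHQ or Micronaut code) of how an OIDC client is expected to handle the Azure AD group overage the docs describe: when the `groups` claim is dropped, the token carries either a `_claim_names`/`_claim_sources` pair pointing at a directory endpoint or, for v2 implicit-flow tokens, `hasgroups: true`, and the application is expected to fetch the membership itself. The code resolves groups from the token when present and otherwise pages through Microsoft Graph's `/me/transitiveMemberOf` collection (transitive, so nested groups are covered). Assumptions: the claims dict comes from an ID token whose signature, issuer and audience the OIDC library has already validated; the Graph call is made with an access token carrying a scope such as `GroupMember.Read.All`; the sample claims and Graph pages below are constructed, and the `_claim_sources` endpoint is a placeholder rather than a live tenant URL.

```python
"""Resolve a user's Azure AD groups from OIDC claims, handling group overage.

Added example, not code from AKHQ or Micronaut. Assumes the claims were
taken from an already-validated ID token and that `access_token` (for the
real fetcher) carries a Graph scope like GroupMember.Read.All.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Transitive membership (covers nested groups), cast to groups only so
# directory roles and administrative units are not mixed in.
GRAPH_TRANSITIVE_GROUPS = (
    "https://graph.microsoft.com/v1.0/me/transitiveMemberOf"
    "/microsoft.graph.group?$select=id,displayName"
)

Fetcher = Callable[[str], dict]  # url -> parsed JSON page


def http_get_json(url: str, access_token: str) -> dict:
    """Real fetcher: one authenticated GET against Microsoft Graph."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def has_group_overage(claims: dict) -> bool:
    """True when Azure AD dropped the groups claim for exceeding the limit.

    Two signals exist: `_claim_names.groups` referencing an entry in
    `_claim_sources` (the JWT distributed-claims pattern), or a bare
    `hasgroups: true` in v2 tokens issued via the implicit flow.
    """
    names = claims.get("_claim_names") or {}
    if "groups" in names:
        return True
    return claims.get("hasgroups") is True


def resolve_group_ids(claims: dict, fetch: Optional[Fetcher] = None) -> List[str]:
    """Return the user's group object IDs, from the token or from Graph."""
    # Normal case: the claim is present (a list of group object IDs by default).
    if "groups" in claims:
        return list(claims["groups"])

    if not has_group_overage(claims):
        # No overage marker either: the user really has no groups, or the
        # app registration is not configured to emit group claims.
        return []

    if fetch is None:
        raise RuntimeError("group overage signalled in token but no Graph fetcher given")

    # Overage: Graph returns this collection in pages, so a single request
    # is never enough for a user who exceeded the token limit. Follow
    # @odata.nextLink until it disappears.
    ids: List[str] = []
    url: Optional[str] = GRAPH_TRANSITIVE_GROUPS
    while url:
        page = fetch(url)
        ids.extend(g["id"] for g in page.get("value", []))
        url = page.get("@odata.nextLink")
    return ids


# --- Constructed sample data (not captured from a real tenant) ---------------

# What an overage token looks like once the user is over the limit:
# no `groups`, only a pointer. The endpoint value is a placeholder.
OVERAGE_CLAIMS: Dict[str, object] = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "preferred_username": "user@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/<tenant>/users/<oid>/getMemberObjects"}
    },
}

# Two constructed Graph pages: 100 groups, then 110 more via nextLink.
_PAGE2 = GRAPH_TRANSITIVE_GROUPS + "&$skiptoken=page2"
FAKE_GRAPH_PAGES: Dict[str, dict] = {
    GRAPH_TRANSITIVE_GROUPS: {
        "value": [{"id": f"g{i:03d}", "displayName": f"team-{i}"} for i in range(0, 100)],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [{"id": f"g{i:03d}", "displayName": f"team-{i}"} for i in range(100, 210)],
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for http_get_json, serving the constructed pages."""
    return FAKE_GRAPH_PAGES[url]


if __name__ == "__main__":
    print(len(resolve_group_ids(OVERAGE_CLAIMS, fake_fetch)), "groups via Graph")
    print(resolve_group_ids({"groups": ["a", "b"]}), "groups from token")
```

Wiring this into a real client means replacing `fake_fetch` with `lambda url: http_get_json(url, access_token)`; the point to carry over is that a missing `groups` claim must be distinguished from "no groups" by checking the overage markers before authorizing the user, otherwise a heavily-entitled user silently ends up with no roles, which is exactly the empty body shown in the DEBUG line above.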
It's a bug that you will need to report to the micronaut project, which handles all the group mapping stuff and JWT: https://github.com/micronaut-projects/micronaut-security
ref - https://github.com/micronaut-projects/micronaut-security/issues/1081
Switched to DEX IDP.
@vutkin @tchiotludo Do I understand correctly that this additional call to GraphQL was implemented in Micronaut, or what else does "Switched to DEX IDP." mean? Does that mean you use DEX IDP to federate and do not call Azure directly? I just tested the dev branch of AKHQ and this still doesn't seem to work when a user has more than 200 groups.