"groups" claim not found in token Azure AD


Brett Wright

Sep 17, 2019, 9:35:19 AM
to Vault
Hi There 

I've enabled OIDC for Vault using Azure Active Directory, and most users can log in using the OIDC option.

However, I have one user who is unable to log in with OIDC and gets the error message below.

[attached screenshot: odic error.PNG]

Any Ideas why this isn't working?

Cheers,

Brett 

Lasse Gaardsholt

Sep 18, 2019, 3:06:34 AM
to Vault
Just a follow-up on this; I'm a colleague of Brett's.
The token we get from Azure doesn't contain "groups"; instead it contains "_claim_sources".
Does Vault support this?

"_claim_names": {
  "groups": "src1"
},
"_claim_sources": {
  "src1": {
  }
}


Jim Kalafut

Sep 19, 2019, 6:05:57 PM
to Vault
I've not heard of one user getting a different JWT structure from the rest for the same application.

Though it sounds like you have things mostly working, you may want to double-check the setup against these AAD notes: https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html#azure-active-directory-aad-

The groups claim is expected to be the list of groups. There isn't any support currently for aggregate or distributed claims like you have in the example. Hopefully that isn't necessary in this case. There has been a fair bit of use of AAD with Vault/OIDC, so I expect there is a customization you can make to the token setup to have the groups info added directly.

Regards,
Jim

Brett Wright

Sep 23, 2019, 2:31:57 AM
to Vault
Hi Jim

Thanks for the reply.

It turns out there is an Azure AD token limitation on the number of groups a user can be a part of.
For JWT tokens the user can only be in 200 groups, and this includes nested groups; after this you get the _claim_sources claim instead.


It would be nice to have this included in Vault, as I don't think this will scale with large organisations.

Brett Wright
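As an added example that is not part of the thread, and not code from Vault or Azure: the Python script below decodes a token payload and tells apart the inline groups list Jim says Vault expects from the "_claim_names"/"_claim_sources" overage shape Lasse posted and Brett traced to the 200-group JWT limit. It deliberately does not verify the signature and does not call the Graph endpoint, so it is a troubleshooting aid only; the sample claims, the audience value and the endpoint URL are constructed placeholders, and the "endpoint" key is the one OIDC Core defines for a distributed claim source.

```python
"""
Added example (not from the original thread, from Vault, or from Azure):
decode an Azure AD ID token payload and report whether the "groups" claim
Vault needs is present inline, or whether the token carries the
group-overage indicator ("_claim_names"/"_claim_sources") that Vault's
JWT/OIDC auth does not resolve.

The signature is NOT checked: this reads claims for troubleshooting only
and must never be used to make an authorization decision.
"""
import base64
import json

# From the thread: AAD stops emitting the groups list in JWTs beyond this
# many (nested) group memberships and emits the overage indicator instead.
AAD_JWT_GROUP_LIMIT = 200


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in compact JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS/JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_groups(claims: dict, groups_claim: str = "groups") -> dict:
    """
    Mirror the shape check Vault effectively performs: the configured groups
    claim must be a JSON list. Three outcomes:
      inline  - list present, usable for Vault's group mapping
      overage - claim delegated via _claim_names to a _claim_sources entry
                (OIDC Core 5.6.2 distributed claim); Vault cannot follow it
      missing - neither
    """
    value = claims.get(groups_claim)
    if isinstance(value, list):
        return {"status": "inline", "groups": value, "source_endpoint": None}

    names = claims.get("_claim_names") or {}
    sources = claims.get("_claim_sources") or {}
    if groups_claim in names:
        src = sources.get(names[groups_claim]) or {}
        # "endpoint" is the key OIDC Core uses for a distributed claim source.
        return {"status": "overage", "groups": [],
                "source_endpoint": src.get("endpoint")}

    return {"status": "missing", "groups": [], "source_endpoint": None}


def diagnose(token: str, groups_claim: str = "groups") -> str:
    """Human-readable verdict for the situation described in the thread."""
    result = classify_groups(decode_payload(token), groups_claim)
    if result["status"] == "inline":
        return f"ok: {len(result['groups'])} group(s) in '{groups_claim}'"
    if result["status"] == "overage":
        return (f"group overage: '{groups_claim}' delegated to "
                f"{result['source_endpoint']!r}; Vault needs the list inline "
                f"(AAD JWT limit is {AAD_JWT_GROUP_LIMIT} groups)")
    return f"'{groups_claim}' claim not found in token"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims (not real tokens). The overage one reproduces the
# shape posted in the thread; the audience and endpoint URL are placeholders.
OVERAGE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "sub": "user-with-over-200-groups",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.example/users/me/getMemberObjects"}
    },
}
INLINE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "sub": "ordinary-user",
    "groups": ["gid-1", "gid-2"],
}

if __name__ == "__main__":
    print(diagnose(make_unsigned_token(INLINE_CLAIMS)))
    print(diagnose(make_unsigned_token(OVERAGE_CLAIMS)))
```

Run it against a real ID token copied from a failing login (the payload is readable without the signing key) to confirm which of the three cases the user hits; an "overage" verdict means the fix has to happen on the Azure side (fewer group memberships, or a token configuration that filters the groups emitted) rather than in the Vault role.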