OIDC connector in dex doesn't pick up groups from id token

[ssharma2089]

We are using dex version 2.36.0.
We are trying to use OIDC connector to connect microsoft/Azure ID. Dex is not picking up the groups from the ID token and we are certain that they are sent. We tried sending them as groups and roles and configuration provided is the last one we tried.

We are using Argocd bundled dex.

data:
dex.config: |
oauth2:
responseTypes: ["code","token","id_token"]
skipApprovalScreen: true
connectors:
- type: oidc
id: microsoft
name: microsoft
config:
issuer: https://login.microsoftonline.com/$tenant id/v2.0
clientID: $microsoft.clientID
clientSecret: $microsoft.clientSecret
redirectURI: https://argocd.dev.example.com/api/dex/callback
scopes:
- openid
- profile
- email
- offline_access
groups:
- argocddevs
- argocdadmins
claimMapping:
groups: "roles"
insecureSkipEmailVerified: true
url: https://argocd.dev.example,com

We managed to connect via OIDC but we are getting groups as empty. Here is the logs from argocd dex

time="2024-02-15T09:33:04Z" level=info msg="Notifying 1 settings subscribers: [0xc00012b2c0]"
time="2024-02-15T09:33:04Z" level=info msg="dex config modified. restarting dex"
time="2024-02-15T09:33:04Z" level=info msg="received signal terminated, shutdown now"
time="2024-02-15T09:33:04Z" level=info msg="Dex Version: , Go Version: go1.20.2, Go OS/ARCH: linux amd64"
time="2024-02-15T09:33:04Z" level=info msg="config issuer: https://argocd.dev.example.com/api/dex"
time="2024-02-15T09:33:04Z" level=info msg="config storage: memory"
time="2024-02-15T09:33:04Z" level=info msg="config static client: Argo CD"
time="2024-02-15T09:33:04Z" level=info msg="config static client: Argo CD CLI"
time="2024-02-15T09:33:04Z" level=info msg="config connector: microsoft"
time="2024-02-15T09:33:04Z" level=info msg="config response types accepted: [code token id_token]"
time="2024-02-15T09:33:04Z" level=info msg="config skipping approval screen"
time="2024-02-15T09:33:04Z" level=info msg="config refresh tokens rotation enabled: true"
time="2024-02-15T09:33:05Z" level=info msg="keys expired, rotating"
time="2024-02-15T09:33:05Z" level=info msg="keys rotated, next rotation: 2024-02-15 15:33:05.117326539 +0000 UTC"
time="2024-02-15T09:33:05Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2024-02-15T09:33:05Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2024-02-15T09:33:05Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2024-02-15T09:33:43Z" level=info msg="login successful: connector "microsoft", username="Sagar S", preferred_username="[email protected]", email="[email protected]", groups=[]"

[nabokihms]

I'm not an expert in Microsoft identity provider, but it seems like you need to send the {$microsoft.clientID}/.default scope in order to receive roles.
https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc

This is only an assumption.

[ssharma2089]

Thank you @nabokihms , It turns out that if you want the OIDC provider to evaluate or do anything with groups, including the claims mapping we have, you need to add the insecureEnableGroups: true which we were missing. Works ok now