• Please check whether the version of the image quay.io/oauth2-proxy you are using is v6.1.1, as there is a known issue with this image version regarding the OIDC groups claim, which are not on the list. Also, currently, if you are adding a service principal to a group and then assigning an app role to that group, Azure AD does not add the roles claim to the tokens it issues.
• Thus, please also check the app manifest, which has multiple attributes mapped including app roles, for any unsupported attributes that are entered in app registrations (legacy) vs. normal app registrations, as some crucial attributes seem to have been modified in the new app registration platform: for example, for the app roles the type is ‘collection’, while for the ‘groupMembershipClaims’ attribute it is string.
• Also, check the user's claim for custom roles, as below in the app manifest, if you have defined any custom roles for claim assignments:
{
"roles": ["{custom_role}"]
}
Please find the links below for more information:
Accessing Roles claim in Azure AD secured Web Api
https://github.com/oauth2-proxy/oauth2-proxy
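As an added example (not part of the answer above and not oauth2-proxy's own code), the following Python inspects a token's payload to confirm whether the roles and groups claims discussed above actually arrived; the two tokens are constructed inline with placeholder signatures, and signature verification is deliberately skipped because this is a diagnostic aid, not an authorisation check.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT verified here:
    this only inspects a token you already hold; never use it to authorise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_role_claims(payload: dict, required_role: str) -> dict:
    """Summarise whether the roles/groups claims made it into the token."""
    roles = payload.get("roles")
    groups = payload.get("groups")
    return {
        # Absent entirely when Azure AD did not emit roles (e.g. role assigned via a group).
        "has_roles_claim": isinstance(roles, list),
        "has_required_role": isinstance(roles, list) and required_role in roles,
        "has_groups_claim": isinstance(groups, list),
        # Azure AD replaces "groups" with a _claim_names/_claim_sources reference
        # (groups overage) when the user is in more groups than fit in the token.
        "groups_overage": "groups" in payload.get("_claim_names", {}),
    }


def _make_sample_token(claims: dict) -> str:
    # Constructed sample token: real JSON header and claims, placeholder signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


# Constructed payloads: one carrying the custom app role, one where roles never arrived.
SAMPLE_WITH_ROLE = _make_sample_token({"aud": "api://example-app", "roles": ["custom_role"], "groups": ["g1"]})
SAMPLE_NO_ROLES = _make_sample_token({"aud": "api://example-app", "groups": ["g1"]})

if __name__ == "__main__":
    for name, tok in (("with_role", SAMPLE_WITH_ROLE), ("no_roles", SAMPLE_NO_ROLES)):
        print(name, check_role_claims(decode_payload(tok), "custom_role"))
```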