Groups claim not working with kubelogin and azure AD

[RahmanBadru]

Describe the question

After setting up kubelogin and the oidc on my apiserver and creating a user with kubectl with the required parameters, i created a clusterrolebinding for the groups available and running any kubectl command still shows my user doesnt have access, it basically picks my user

To reproduce

 To configure user:
kubectl config set-credentials oidc \
          --exec-api-version=client.authentication.k8s.io/v1beta1 \
          --exec-command=kubectl \
          --exec-arg=oidc-login \
          --exec-arg=get-token \
          --exec-arg=--oidc-issuer-url=https://sts.windows.net/tenant-id/ \
          --exec-arg=--oidc-client-id=client-id \
          --exec-arg=--oidc-client-secret=secret \
          --exec-arg=--oidc-extra-scope=groups

Your environment

• OS: e.g. Linux
• kubelogin version: v1.28
• kubectl version: e.g. v1.27
• OpenID Connect provider: Azure

[jan104]

can you share the adjustments you made to the apiserver and the clusterrolebinding?

[Gabryel8818]

@jan104 I have a same problem, my github connector works fine, but Microsoft azure ADnot :/

login - OK
run kubectl kubeconfig commands - OK
authentication in cluster - FAIL

using azureAD:

clusterrolebinding:

EKS oidc config:
(This config works fine using github connector)

[cym0301]

@jan104 I have a same problem, my github connector works fine, but Microsoft azure ADnot :/

login - OK run kubectl kubeconfig commands - OK authentication in cluster - FAIL

using azureAD:

clusterrolebinding:

EKS oidc config: (This config works fine using github connector)

Try kubectl auth whoami to see what groups you actually get?