Unable to get "Automatic team membership" to work with Microsoft OAuth

[liquid-metal]

Ask a Question!

License: free 3 node business
Setup: Docker standalone (compose), traffic goes through a forward proxy that is specified with HTTP_PROXY/HTTPS_PROXY env vars
Version: 2.21.4 BE

I have successfully configured Microsoft OAuth - Authentication is possible. Unfortunately, the "Automatic team membership" option does not what I want/expect, and I am missing any more places to look for hints.
My ultimate goal would be to map Entra ID groups to portainer teams (ideally 1-to-many relation, but 1-to-1 would be sufficient).

For the required claim name, I'd expect that to be a field out of the OIDC ID Token: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference. The comment in https://github.com/orgs/portainer/discussions/11964 suggests that my guess about usage of the ID token is correct, and the access token claims are not available.
Unfortunately
(a) the ID token seems to not contain a claim that specifically includes information about user groups (but that is obviously not a portainer problem)
(b) I have the suspicion that portainer does not apply the claim name, even after container deletion & recreation

For the (b) suspicion, I enabled portainer debug logs (--log-level=DEBUG), and right after the OAuth login, a debug line in the log output of the container states:
DBG github.com/portainer/portainer-ee/api/oauth/oauth_resource.go:68 > failed to find group claim in resource
even though I specified my claim name to be "roles" - and suspiciously enough, "group" is the suggested default value if nothing is entered into the text field

As the OAuth provider configuration has a "Resource URL" that is technically able to provide portainer with information about the user groups (using all MS defaults), that gives me hope that the behavior I want is possible, but maybe not obvious how to achieve.

Two specific questions

1. can I somehow force applying the claim option, or is the debug message simply misleading?
2. do I have an opportunity to eavesdrop on the ID token that is returned by Microsoft?

Further, any hint towards where to look/dump/whatever are obviously welcome.
And also, if anybody has a working setup that maps Entra ID groups to portainer teams, any hint is appreciated

Thanks in advance!

[Nick-Portainer]

Hey, just to clarify, you are trying to map Entra ID groups to Portainer teams via MS OAuth?

For the “Claim Value Regex” section, you need to input the Object ID of the group. You can find this in the group’s properties in Entra ID. Then, in Portainer, map it to the corresponding Portainer team of your choice.

If you’ve tried this and it’s not working, let me know, and we can dig deeper into the issue.

[liquid-metal]

Hi
thanks for your reply! Correct, that is what I am aiming for

I did add both the group name and the Object ID in the regex field, both with and without leading .*. For the claim name, I tried group and groups, and even roles (even though I suspect the contents to be different there, hence question 2 from above).
The debug log shows these lines on login (which by itself is successful, but leaves the authenticated user without team memberships):

DBG github.com/portainer/portainer-ee/api/http/security/bouncer.go:444 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
DBG github.com/portainer/portainer-ee/api/http/middlewares/slow_request_logger.go:33 > slow request | elapsed_ms=986.278686 method=GET url=/api/motd
DBG github.com/portainer/portainer-ee/api/http/security/bouncer.go:444 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
DBG github.com/portainer/portainer-ee/api/http/security/bouncer.go:444 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
DBG github.com/portainer/portainer-ee/api/oauth/oauth_resource.go:68 > failed to find group claim in resource |
DBG github.com/portainer/portainer-ee/api/http/handler/auth/oauth_team_memberships.go:119 > using oauth claim mappings to map groups to portainer teams |
DBG github.com/portainer/portainer-ee/api/http/handler/auth/oauth_team_memberships.go:17 > removing user team memberships which no longer exist |
DBG github.com/portainer/portainer-ee/api/http/middlewares/slow_request_logger.go:33 > slow request | elapsed_ms=342.557576 method=POST url=/api/auth/oauth/validate

From the OIDC flow in use (code) I figure that portainer gets access to the ID token: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference which does not have the groups claim, opposed to the access token: https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference