[oauth] group mapping parsing error from entra #4384

@sks

Description

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

v2.44.0

Storage Type

Postgres

Installation Type

Official Helm chart

Expected Behavior

When connecting with Microsoft Entra using the oauth mechanism, the groups must come as strings.

Actual Behavior

Not sure why, but Entra is sending the group/role claims as a JSON string in the userInfo response.

This causes the groups/role mapping to come through as stringified JSON, which is not usable.

Steps To Reproduce

  1. Create the application in Entra
  2. Configure dex to use Entra

Additional Information

  • I am using the manifest entry

    "additionalProperties": [
        "cloud_displayname",
        "emit_as_roles"
    ]

Configuration

- type: oauth
  id: Entra
  name: Entra ID
  config:
    clientSecret: "CLIENT_SECRET"
    clientID: "CLIENT_ID"
    tokenURL: "https://login.microsoftonline.com/XXXXX/oauth2/token"
    authorizationURL: "https://login.microsoftonline.com/XXXXX/oauth2/authorize"
    userInfoURL: "https://login.microsoftonline.com/XXXXX/openid/userinfo"
    scopes: ["openid", "profile", "email"]
    redirectURI: "https://tunnel.usw3.devtunnels.ms/dex/callback"
    userIDKey: "oid"
    claimMapping: { "userNameKey": "name", "groupsKey": "roles" }

Logs
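
The following is an added example, not part of the original issue and not dex's own code. It shows one way a consumer of the userInfo response could normalize a groups/roles claim that arrives either as a JSON array or as a JSON array encoded inside a string, failing closed on anything else so a stringified list is never treated as a single group name. The helper name `normalizeGroups` and the sample userInfo body are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// normalizeGroups (hypothetical helper) flattens a groups/roles claim into
// group names. A string starting with "[" is parsed as a JSON array; if it
// does not parse, an error is returned instead of a bogus one-element list.
func normalizeGroups(claim interface{}) ([]string, error) {
	switch v := claim.(type) {
	case nil:
		return nil, nil // claim absent: no groups
	case []interface{}: // the expected shape: a real JSON array
		out := make([]string, 0, len(v))
		for _, g := range v {
			s, ok := g.(string)
			if !ok {
				return nil, fmt.Errorf("non-string group entry %v", g)
			}
			out = append(out, s)
		}
		return out, nil
	case string: // the shape reported in this issue, or a single plain group
		if strings.HasPrefix(strings.TrimSpace(v), "[") {
			var out []string
			if err := json.Unmarshal([]byte(v), &out); err != nil {
				return nil, fmt.Errorf("groups claim is not a valid JSON string array: %w", err)
			}
			return out, nil
		}
		return []string{v}, nil
	default:
		return nil, fmt.Errorf("unsupported groups claim type %T", claim)
	}
}

func main() {
	// Constructed userInfo body: "roles" is a JSON array encoded as a string.
	body := `{"oid":"00000000-0000-0000-0000-000000000000","name":"Example User","roles":"[\"admin\",\"dev\"]"}`
	var info map[string]interface{}
	if err := json.Unmarshal([]byte(body), &info); err != nil {
		panic(err)
	}
	groups, err := normalizeGroups(info["roles"])
	fmt.Println(groups, err)
}
```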
