OIDC integration with Azure fails "NO DATA" once impersonated #4202
Description
OIDC integration with Azure fails due to missing 'groups' scope
Environment
Weave-Gitops Version 0.38.0
Flux Version 2.2.3
Kubernetes Version v1.27.10-eks-508b6b3
To Reproduce
Steps to reproduce the behavior:
Create a new App Registration in Azure Active Directory
Configure oidc in helm chart
Deploy
Attempt to login via OIDC
No data ...
Still having the issue with the no data message when using OIDC and AzureAD.
I read and applied the recommendations from this thread (https://github.com//issues/2507).
Groups are set in optional claims and I can see them in the token. I can see the logged username and its groups in the JWT token.
Found principal {"user": "***", "groups": ["***"], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
Another observation: I had to impersonate both the user AND its group. Otherwise I get the message
"error": "user namespace access: groups \"a5cce412-2d6f-4cce-******************\" is forbidden: User \"system:serviceaccount:sbx-00:weave-gitops\" cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}
Content of oidc-auth secret:
Client ID: {{ .client_id }}
Client Secret: {{ .client_secret }}
Custom Scopes: openid,profile,offline_access,email
Issuer URL: https://login.microsoftonline.com/bfce736f-*****/v2.0
Redirect URL: https://weave-gitops.sbx-00.001.wcld.************/oauth2/callback
I can see the data using the "admin" user (basic authentication, no OIDC).
Does anyone have any ideas how to solve this issue once and for all?
Thank you !
Regards
Robert
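The error quoted in the post is a plain Kubernetes RBAC denial: the API server only honours Impersonate-User / Impersonate-Group headers from a caller that holds the `impersonate` verb on the `users` and `groups` resources, and the `weave-gitops` service account in `sbx-00` had it for users only. The manifest below is an added example written for this thread, not code from the issue author or from the Weave GitOps chart. The service account and namespace names come from the error message; the ClusterRole name and the group object ID in `resourceNames` are assumptions (the real ID is masked in the post).

```yaml
# Added example, not from the issue or the Weave GitOps project.
# Grants the weave-gitops service account in namespace sbx-00 (names taken
# from the error message in the post) the "impersonate" verb on users and
# groups, which is what the API server checks before honouring the
# Impersonate-User / Impersonate-Group headers that Weave GitOps sets for
# the OIDC principal.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: weave-gitops-impersonate   # assumed name
rules:
  # OIDC usernames are unbounded, so users cannot sensibly be pinned.
  - apiGroups: [""]
    resources: ["users"]
    verbs: ["impersonate"]
  # Groups CAN be pinned. Without resourceNames the service account could
  # act as any group, including system:masters, so list only the Azure AD
  # group object IDs you actually map. The GUID below is a placeholder;
  # the real one is masked in the post.
  - apiGroups: [""]
    resources: ["groups"]
    verbs: ["impersonate"]
    resourceNames: ["00000000-0000-0000-0000-000000000000"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: weave-gitops-impersonate   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: weave-gitops-impersonate
subjects:
  - kind: ServiceAccount
    name: weave-gitops
    namespace: sbx-00
```

After applying it, `kubectl auth can-i impersonate groups --as=system:serviceaccount:sbx-00:weave-gitops` (run as a cluster admin, since `--as` itself requires impersonation rights) should answer `yes`. Two caveats: the impersonation grant only lets Weave GitOps act as the group; the group (the Azure AD object ID that appears in the token) still needs its own RoleBinding or ClusterRoleBinding that allows reading the namespaces and Flux objects, otherwise the UI keeps showing no data. And pinning `resourceNames` means every new Azure AD group you map has to be added to the list, which is the intended trade-off for not handing a service account unrestricted group impersonation.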