What is the name of the domain?
kvikk.hu
What is the issue you’re encountering
Hi! I’m using Kinde.com as my auth provider and I set up the login method in Zero Trust using OpenID Connect. I want to create groups based on the user roles I set up in Kinde. They should be returned as an additional claim in the access token; however, after auth, I can only see the e-mail address being returned for some reason. Any ideas what might be the issue?
What steps have you taken to resolve the issue?
I tried adding “roles” to both OIDC Claims and OIDC Scopes, but it doesn’t seem to make any difference.
Screenshot of the error
If I add “roles” under OIDC scopes, it will say this when I test it:
{"error":"invalid_scope","error_description":"The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'roles'."}
Hi from the Cloudflare team! What happens if you remove it as a scope? That should at least resolve that error.
Are you definitely passing a “roles” claim from Kinde?
Sure, not specifying the roles claim solves the problem, just not the original issue.
I used e-mail addresses to filter users for now, but this should be just a temp solution. I believe I’m passing the roles claim from Kinde’s side:
Ok, got one thing sorted 
It might be due to the fact that it’s attempting to pass an array. Could you try passing the external org ID and see if that comes through? That’d help rule out a bigger issue with Kinde passing any claim vs. an array specifically.
I will also try and get my own dev account to try it out.
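
The check suggested above, as an added example that is not part of the original thread: decode the claims of a token issued by the identity provider and report, for each claim you expect, whether it is missing, a scalar, or an array. The sample token and the claim name `external_org_id` are constructed assumptions; the signature is not verified, so use this for diagnosis only, never for authorization.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments in a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def claim_report(claims: dict, wanted: list) -> dict:
    """Map each wanted claim name to 'missing', 'scalar', 'array' or 'object'."""
    report = {}
    for name in wanted:
        if name not in claims:
            report[name] = "missing"
        elif isinstance(claims[name], list):
            report[name] = "array"
        elif isinstance(claims[name], dict):
            report[name] = "object"
        else:
            report[name] = "scalar"
    return report


def make_sample_token(claims: dict) -> str:
    # Builds a constructed token with a placeholder signature, for offline use.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.AAAA"


# Constructed sample claims; 'external_org_id' is an assumed claim name.
SAMPLE_CLAIMS = {"email": "user@example.com", "roles": ["admin", "editor"],
                 "external_org_id": "org_example"}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    wanted = ["email", "roles", "external_org_id", "groups"]
    for name, kind in claim_report(decode_payload(token), wanted).items():
        print(f"{name}: {kind}")
```

If `roles` shows up as `array` in the provider's token but never appears after login, the array handling is the likely cause; if it shows as `missing`, the provider is not emitting the claim at all.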