I’ve set up an alternative Authentication method with Generic OIDC with the following config:
{
  "id": "uuid",
  "type": "oidc",
  "uid": "uuid",
  "name": "Authelia",
  "version": "41dd615755d4b719504be0791d8c7b83",
  "config": {
    "auth_url": "https://auth.xxx/api/oidc/authorization",
    "certs_url": "https://auth.xxx/jwks.json",
    "claims": [
      "preferred_username",
      "mail",
      "groups"
    ],
    "client_id": "cloudflare-zero-trust",
    "client_secret": "**********************************",
    "pkce_enabled": true,
    "redirect_url": "https://xxx.cloudflareaccess.com/cdn-cgi/access/callback",
    "scopes": [
      "openid",
      "email",
      "profile",
      "groups"
    ],
    "token_url": "https://auth.xxx/api/oidc/token"
  },
  "scim_config": {
    "enabled": false,
    "group_member_deprovision": false,
    "seat_deprovision": false,
    "secret": "**********************************",
    "user_deprovision": false
  }
}
I’ve set the scopes specifically to include ‘groups’ because I want to use the returned claims in the Access Policy Rules.
But I discovered that the request to my IdP doesn’t include the ‘groups’ scope when I hit the ‘Test’ button on the configuration page. It only returned the following data:
{
  "email": "[email protected]",
  "oidc_fields": {
    "preferred_username": "user1"
  },
  "amr": [
    "pwd"
  ]
}
If you guys have any workaround, please let me know or just post a link about the info.
Much appreciated!
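A small diagnostic for the situation described in the post, added here as an example and not part of the original thread or of any Cloudflare or Authelia code: it decodes an ID token payload and compares the configured claim list against both the ID token and the userinfo response, so you can tell whether a claim such as `groups` is missing altogether or is only delivered by the other endpoint (and whether a configured claim name, here `mail`, simply does not match what the IdP emits, `email`). The claim and scope names are taken from the config above; the sample token and userinfo document are constructed.

```python
import base64
import json
from typing import Optional

# Claim and scope lists copied from the Cloudflare Access IdP config in the post.
CONFIGURED_CLAIMS = ["preferred_username", "mail", "groups"]
REQUESTED_SCOPES = ["openid", "email", "profile", "groups"]


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.

    Acceptable for inspecting what an IdP sent to a test client; before any
    claim is trusted for an access decision, the signature must be verified
    against the JWKS published at certs_url."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_claims(id_token_claims: dict, userinfo_claims: Optional[dict] = None) -> dict:
    """List configured claims absent from the ID token and from userinfo.

    A claim present in userinfo but not in the ID token is the usual reason a
    dashboard 'Test' shows fewer fields than the scopes suggest."""
    userinfo_claims = userinfo_claims or {}
    return {
        "id_token": [c for c in CONFIGURED_CLAIMS if c not in id_token_claims],
        "userinfo": [c for c in CONFIGURED_CLAIMS if c not in userinfo_claims],
    }


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned (alg 'none') token for offline testing only."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample: the ID token carries only preferred_username (as in the
# post's Test output); the userinfo response carries email and groups instead.
SAMPLE_ID_TOKEN = make_unsigned_jwt({"sub": "user1", "preferred_username": "user1", "amr": ["pwd"]})
SAMPLE_USERINFO = {"sub": "user1", "email": "user1@example.com", "groups": ["admins"]}

if __name__ == "__main__":
    print(missing_claims(decode_jwt_payload(SAMPLE_ID_TOKEN), SAMPLE_USERINFO))
```

Run it against a real token captured from your own test login (and the matching userinfo response) to see which source actually carries `groups` before adjusting the claim list.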