Using "groups" OIDC Claim In Access Policy

What is the issue you’re encountering

I’m unable to get the “groups” claim to show up on the identity test page, and can’t use it in an Access Policy.

What steps have you taken to resolve the issue?

I confirmed Authelia is configured to allow “groups” scope in requests, and saw in the logs (and I’m fairly sure the URL, but it goes kind of fast) that Cloudflare appears to only be requesting the “openid”, “email”, and “profile” scopes. I can successfully see e.g. “name”, “email”, and “preferred_username” and use those in Access Policies, so the end-to-end flow is working as expected other than the lack of a “groups” claim.

What are the steps to reproduce the issue?

Set up Authelia as an OpenID Connect login method in Zero Trust. Add “groups” as a claim in the configuration. Use the “Test” button to see if “groups” is available in the identity.

I just spotted this similar question here, but there are no responses there either.

How does Cloudflare Zero Trust determine which scopes to request? Even if I’m only looking at email, it still always grabs openid and profile. Is there no way to edit that list?

When you edit your OIDC configuration, at the bottom (under OIDC Claims) there’s an option for OIDC Scopes; the default ones are openid, email and profile. You can add additional scopes here.
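A small diagnostic for the mismatch described in the question and the fix given in the reply, added here as an example that is not from the thread, Cloudflare or Authelia: it checks whether an authorization request's `scope` parameter includes `groups` (what the poster was watching for in the logs) and whether an ID token's payload actually carries the `groups` claim. The team name, endpoint, user and tokens are constructed samples; the payload decode is for inspection only and performs no signature verification.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Scopes Cloudflare Access should request once "groups" is added under OIDC Scopes.
REQUIRED_SCOPES = {"openid", "email", "profile", "groups"}

def requested_scopes(authorize_url: str) -> set:
    """Return the scopes carried in the `scope` parameter of an authorization request."""
    query = parse_qs(urlparse(authorize_url).query)
    # RFC 6749 section 3.3: `scope` is one space-separated string (sent as '+' or '%20')
    return set(query.get("scope", [""])[0].split())

def missing_scopes(authorize_url: str) -> set:
    """Scopes the IdP was never asked for; their claims cannot show up in the identity."""
    return REQUIRED_SCOPES - requested_scopes(authorize_url)

def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT for inspection (no signature check)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def groups_claim(token: str) -> list:
    """Return the `groups` claim from an ID token, or [] when the IdP omitted it."""
    return list(jwt_payload(token).get("groups", []))

# --- constructed samples (hypothetical team name, endpoint and user) ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Build an unsigned sample token so the diagnostic can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

_BASE = ("https://auth.example.com/api/oidc/authorization?client_id=cloudflare"
         "&response_type=code&redirect_uri=https%3A%2F%2Fexample-team.cloudflareaccess.com"
         "%2Fcdn-cgi%2Faccess%2Fcallback&state=xyz&scope=")
SAMPLE_URL_DEFAULT = _BASE + "openid+email+profile"         # what the poster saw in the logs
SAMPLE_URL_FIXED = _BASE + "openid+email+profile+groups"    # after adding the scope
SAMPLE_TOKEN_WITH_GROUPS = make_unsigned_token(
    {"sub": "alice", "email": "alice@example.com", "groups": ["admins", "dev"]})
SAMPLE_TOKEN_NO_GROUPS = make_unsigned_token({"sub": "alice", "email": "alice@example.com"})

if __name__ == "__main__":
    print("missing from default request:", missing_scopes(SAMPLE_URL_DEFAULT))
    print("groups in token:", groups_claim(SAMPLE_TOKEN_WITH_GROUPS))
```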