What is the issue you’re encountering?
I’m unable to get the “groups” claim to show up on the identity test page, and can’t use it in an Access Policy.
What steps have you taken to resolve the issue?
I confirmed Authelia is configured to allow “groups” scope in requests, and saw in the logs (and I’m fairly sure the URL, but it goes kind of fast) that Cloudflare appears to only be requesting the “openid”, “email”, and “profile” scopes. I can successfully see e.g. “name”, “email”, and “preferred_username” and use those in Access Policies, so the end-to-end flow is working as expected other than the lack of a “groups” claim.
What are the steps to reproduce the issue?
Set up Authelia as an OpenID Connect login method in Zero Trust. Add “groups” as a claim in the configuration. Use the “Test” button to see if “groups” is available in the identity.