Messages - opnsense_ci

#1
Great thank you. I have added a feature request.
https://github.com/opnsense/core/issues/9748
#2
Looking at the Netbird implementation it is clear now that there are additional customisations needed for Entra specifically. In the case of Netbird, they have separated the configuration page from the generic OIDC. Also reading the Microsoft documentation I found this:

"The group membership information will be included in the tokens your application receives, not as a scope in the discovery document. Your application code will then need to read this claim from the token payload to implement authorization logic"

If I had known that, I may not have purchased the business licence just for the OIDC functionality. Perhaps the OPNsense document could be made clearer to highlight your point here.
#3
Indeed, thanks Monviech, with Entra you need to explicitly allow group claims to be pulled. The steps to do that are under the App Registration > Token Configuration page. Here you will need to click on Add groups claim and then be sure that Security groups is ticked. You can customise the token properties by type, but I have found that leaving these options on default works perfectly with other OIDC implementations like Netbird etc. There is a limitation to note here, however: by default Entra will only expose the first 200 groups that your user belongs to. If your user belongs to more than 200 groups, you may need further configuration in your Entra tenant. Entra ID limits groups to 200 in JWT tokens. If a user belongs to more groups, the claim is omitted entirely. Use Groups assigned to the application to avoid this by only including relevant groups. That is not the case in my setup, however.

After that, the API permissions page should show a new Microsoft Graph permission, namely "Group.Read.All". Ensure that you have granted admin consent for this permission if you need to. Alternatively, the consent can be granted on a per-group basis.

One would think that if Entra was confirmed to be working, these steps would have been taken by whoever tested the plugin. I'm thinking that something else is at play here. I have Extensive log (debug) enabled; however, I do not see anything about the groups claim even being attempted. Others on GitHub not using Entra have highlighted log entries which helped them identify the issue, for example using "groups" instead of "memberOf".

My Opnsense WebGui is behind a reverse proxy but I have confirmed that my reverse proxy is correctly forwarding headers like X-Forwarded-For etc. Could the reverse proxy be an issue?
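An added example (not from the post, and not OPNsense or Entra code) for the check the post above is really asking about: decode the ID token that Entra returned, without verifying it, and report whether a `groups` claim is actually present, whether Entra's 200-group overage replaced it, or whether the groups arrived under another claim name. The claim names `memberOf`/`roles`, the constructed test token and `make_test_token` are assumptions for the demo.

```python
import base64
import json

# Entra ID's per-token group cap, as quoted in the post above.
ENTRA_GROUP_CLAIM_LIMIT = 200

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.
    Diagnostic only: it shows what the IdP put in the token and must never
    be used to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_groups_claim(claims: dict, expected_claim: str = "groups") -> str:
    """Explain why a group-based login mapping might not be matching."""
    if expected_claim in claims:
        return f"ok: '{expected_claim}' present with {len(claims[expected_claim])} entries"
    # Entra signals group overage by dropping the claim and adding a pointer
    # (_claim_names/_claim_sources) or, in some flows, hasgroups=true.
    if "hasgroups" in claims or "_claim_names" in claims:
        return (f"overage: user exceeds the {ENTRA_GROUP_CLAIM_LIMIT}-group limit, "
                f"'{expected_claim}' omitted; use groups assigned to the application")
    # Groups may have been emitted under a different name than the one configured.
    similar = [k for k in claims if "group" in k.lower() or k in ("memberOf", "roles")]
    if similar:
        return (f"missing: '{expected_claim}' absent, but similar claims exist: "
                f"{similar} (check the claim name configured on the OPNsense side)")
    return ("missing: no group-like claim at all "
            "(check App Registration > Token Configuration > Add groups claim)")

def make_test_token(claims: dict) -> str:
    # Constructed, unverifiable token for offline testing only: the signature
    # segment is a placeholder because decode_jwt_payload never checks it.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder"

if __name__ == "__main__":
    # Constructed sample: a token whose groups claim was replaced by the overage marker.
    sample = make_test_token({"sub": "user@example.invalid", "hasgroups": True})
    print(diagnose_groups_claim(decode_jwt_payload(sample)))
```

Paste the real ID token (from the IdP response or the debug log) into `decode_jwt_payload` to see which of the three cases applies before changing anything on the OPNsense side.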
#4
I'm reading through the terms and conditions of the business licence and as far as I can gather, zero support is offered for business licence holders. I sort of understand that, but I'm also perplexed that incomplete documentation is deemed acceptable for a product of this price. I am not asking for support, just clarification on the functionality as described in the documentation.

A simple reply to any of the github issues where I have asked for assistance or some sort of hint that what I'm doing is unsupported would be great!
#5
Please could someone assist; I have searched everywhere.

I recently purchased a business licence explicitly to try out OIDC WebGui logins. Whatever I do, I cannot seem to get the group attribute to be used when logging in. All of the info I could find says to enable debug logging in the OIDC settings, which I have done; however, nothing about groups is shown in the logs.

I'm on 25.10 with the latest updates applied as of the time of this post.

Any help would be much appreciated.
#6
I've just purchased a business licence to try this out. I have followed the documentation I could find and am able to log in with Entra ID; however, I can't quite figure out how to configure group-based permissions. Frustratingly, I can't seem to find a specific guide for setting up OIDC with Entra ID.

So how do groups work? I don't see anything useful in the logs either.