Microsoft Entra ID and OIDC Group Claims

Started by opnsense_ci, February 02, 2026, 07:00:59 PM

Please could someone assist, I have searched everywhere.

I recently purchased a business licence explicitly to try out OIDC WebGui logins. Whatever I do I cannot seem to get the group attribute to be used when logging in. All of the info I could find says to enable debug logging in the OIDC settings, which I have done; however, nothing about groups is shown in the logs.

I'm on 25.10 with the latest updates applied as of the time of this post.

Any help would be much appreciated.

I'm reading through the terms and conditions of the business licence and as far as I can gather, zero support is offered for business licence holders. I sort of understand that, but I'm also perplexed that incomplete documentation is deemed acceptable for a product of this price. I am not asking for support, just clarification on the functionality as described in the documentation.

A simple reply to any of the GitHub issues where I have asked for assistance, or some sort of hint that what I'm doing is unsupported, would be great!

OpenID Connect is a standard, and there are many providers who offer an implementation of that standard.

If an identity provider implements the OpenID Connect spec, it should be usable with the OpenID Connect spec offered inside OPNsense.

How it works in detail is another question, as there are standardized claims, and custom claims by specific providers. E.g. Entra ID, I think, has special group claims, which are not in the standard spec.

That's why you can select a group ID in the OPNsense GUI. What that group ID essentially is, most likely some UUID that Microsoft provides? And you most likely need to enable that EntraID includes it?
Hardware: DEC740

Indeed, thanks Monviech. With Entra you need to explicitly allow group claims to be pulled. The steps to do that are under the App Registration > Token Configuration page. Here you will need to click on Add groups claim and then be sure that Security groups is ticked. You can customise the token properties by type, but I have found that leaving these options on default works perfectly with other OIDC implementations like Netbird etc. There is a limitation to note here, however: by default Entra will only expose the first 200 groups that your user belongs to. If your user belongs to more than 200 groups, you may need further configuration in your Entra tenant. That is not the case in my setup, however.

After that, the API permissions page should show a new Microsoft Graph permission, namely "Group.Read.All". Ensure that you have granted admin consent for this permission if you need to. Alternatively, the consent can be granted on a per-group basis.

One would think that if Entra was confirmed to be working, these steps would have been taken by whoever tested the plugin. I'm thinking that something else is at play here. I have Extensive log (debug) enabled; however, I do not see anything about the groups claim even being attempted. Others on GitHub not using Entra have highlighted log entries which helped them identify the issue, for example using "groups" instead of "memberOf".

My OPNsense WebGui is behind a reverse proxy, but I have confirmed that my reverse proxy is correctly forwarding headers like X-Forwarded-For etc. Could the reverse proxy be an issue?

Looking at the Netbird implementation it is clear now that there are additional customisations needed for Entra specifically. In the case of Netbird, they have separated the configuration page from the generic OIDC. Also reading the Microsoft documentation I found this:

"The group membership information will be included in the tokens your application receives, not as a scope in the discovery document. Your application code will then need to read this claim from the token payload to implement authorization logic"

If I had known that, I may not have purchased the business licence just for the OIDC functionality. Perhaps the OPNsense documentation could be made clearer to highlight your point here.
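To make the Microsoft quote above concrete (and the Token Configuration steps and 200-group limit described earlier in this thread), here is an added example, not code from OPNsense or from anyone in this thread, of what a relying party has to do on its side: read the configurable groups claim out of the ID token payload and compare it against the configured group object ID. The token, the claim values and the group UUID are constructed for illustration; the only Entra behaviour assumed beyond the thread is that, when the user is in more groups than fit in the token, Entra replaces the groups claim with a `_claim_names`/`_claim_sources` overage marker instead of silently truncating it.

```python
import base64
import json
from typing import Optional

# Constructed group object ID for the "admins" group; a real deployment
# uses the group's Object ID from the Entra portal here.
ADMIN_GROUP_ID = "11111111-2222-3333-4444-555555555555"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_of(token: str) -> dict:
    """Return the claims of a compact JWT. This ASSUMES the signature has
    already been verified against the issuer's JWKS; nothing here checks it."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def groups_from_claims(claims: dict, claim_name: str = "groups") -> Optional[list]:
    """Return the group IDs in the token, [] if the claim is absent (e.g. the
    relying party is configured to look for "memberOf" but Entra emits
    "groups"), or None on group overage, where the membership list must be
    fetched from Microsoft Graph instead of being read from the token."""
    if claim_name in claims:
        return list(claims[claim_name])
    if claim_name in claims.get("_claim_names", {}):
        return None  # overage marker present: list is not in the token
    return []


def is_member(claims: dict, group_id: str, claim_name: str = "groups") -> bool:
    """Authorization decision: deny on absent claim and deny on overage,
    so a truncated or missing list never grants access by accident."""
    groups = groups_from_claims(claims, claim_name)
    return groups is not None and group_id in groups


def unsigned_demo_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "kid": "placeholder"})}.{enc(claims)}.placeholder-signature'


# Constructed sample payloads: a normal token and an overage token.
SAMPLE_CLAIMS = {"sub": "user-1", "groups": [ADMIN_GROUP_ID, "66666666-7777-8888-9999-000000000000"]}
OVERAGE_CLAIMS = {"sub": "user-2", "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/placeholder"}}}
SAMPLE_TOKEN = unsigned_demo_token(SAMPLE_CLAIMS)
```

Running `is_member(payload_of(SAMPLE_TOKEN), ADMIN_GROUP_ID)` returns True, while the same check with `claim_name="memberOf"` returns False, which is the symptom this thread describes when the claim name is misconfigured.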

Hello,

if something is missing and it is explainable, please open a ticket on github:

https://github.com/opnsense/core/issues

Others might have the same issue as you, but OIDC was implemented to be compliant with the published spec (https://openid.net/specs/openid-connect-core-1_0.html). If a provider needs something special, and it's explainable what exactly, it's possible that it could be added to make this work.
Hardware: DEC740