Closed choseh closed 1 month ago
Hey @choseh
for Entra ID, do not use the validation group feature in openvpn-auth-oauth2, since it has the limitations you mentioned.
Additionally, Entra ID does not provide the group claim by default. It needs to be configured in the Enterprise Application as well.
-> https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims
But Entra ID natively supports restricting users and groups to an application.
https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users
By using that, your end-users get a much more user-friendly error message from Entra ID directly.
It is also mentioned in the docs: https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Providers#restrict-auth-to-specific-groups-in-your-directory-optional
If you still require the group claim, follow https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims but choose this:
and assign the groups to the application that openvpn should validate.
All the other solutions that require fetching the groups from Entra ID can be considered more of a hack, because I think the configuration should be done inside Entra ID directly.
Hey @jkroepke
I can't remember exactly why we tried it the other way, but the recommended way works fine, thanks :)
Thank you for your work!
Actually, I just found out why we did it that way: we have several different OpenVPN server processes for different roles, which all use the same auth app in Entra, so without validation of the groups this would allow users of tunnel A to connect to tunnel C, etc.
Ensure that all your groups are assigned on the app. Then, configure the groups claim (https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims) and select this:
Then the groups claim contains only the groups that are assigned to the app and of which the user is a member.
Finally, re-enable the group validation feature on openvpn-auth-oauth2 again.
For cloud-only groups, I remember that Entra ID puts the Object ID into the group claim. In conclusion, you have to configure the group ID in openvpn-auth-oauth2, not the group name. For on-premises synced groups, I have no idea.
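The per-server check described above, as an added example that is not code from openvpn-auth-oauth2: one shared Entra application, each OpenVPN server process validating its own group Object ID, a deny with the "missing claim: groups" error when the claim is absent, and a config check that flags display names configured where Object IDs are expected. The GUIDs, the server names and the "user must be in at least one required group" semantics are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Group Object IDs as Entra ID emits them for cloud-only groups
# (constructed placeholder GUIDs, not real tenant values).
GROUP_TUNNEL_A = "11111111-1111-4111-8111-111111111111"
GROUP_TUNNEL_C = "33333333-3333-4333-8333-333333333333"

GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# One shared Entra enterprise application, but each OpenVPN server process
# validates only its own group (hypothetical per-server configuration).
SERVER_REQUIRED_GROUPS = {
    "tunnel-a": [GROUP_TUNNEL_A],
    "tunnel-c": [GROUP_TUNNEL_C],
}

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_config(required: list[str]) -> list[str]:
    """Return configured values that are not Object IDs (e.g. display names)."""
    return [g for g in required if not GUID_RE.match(g)]

def validate_groups(claims: dict, required: list[str]) -> Decision:
    """Groups claim must be present and contain at least one required group (assumed semantics)."""
    if "groups" not in claims:
        return Decision(False, "user validation: missing claim: groups")
    matched = set(claims["groups"]).intersection(required)
    if not matched:
        return Decision(False, "user validation: user not in any required group")
    return Decision(True, f"matched group(s): {sorted(matched)}")

# Constructed ID-token claims: a user who is only in tunnel A's group,
# and a user whose token carries no groups claim at all.
USER_A_CLAIMS = {"sub": "user-a", "groups": [GROUP_TUNNEL_A]}
USER_NO_GROUPS_CLAIMS = {"sub": "user-b"}

def demo() -> dict[str, Decision]:
    return {
        "user-a@tunnel-a": validate_groups(USER_A_CLAIMS, SERVER_REQUIRED_GROUPS["tunnel-a"]),
        "user-a@tunnel-c": validate_groups(USER_A_CLAIMS, SERVER_REQUIRED_GROUPS["tunnel-c"]),
        "user-b@tunnel-a": validate_groups(USER_NO_GROUPS_CLAIMS, SERVER_REQUIRED_GROUPS["tunnel-a"]),
    }

if __name__ == "__main__":
    for key, d in demo().items():
        print(key, "ALLOW" if d.allowed else "DENY", d.reason)
    print("misconfigured values:", check_config(["VPN Tunnel A"]))
```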
This version is even better, thanks. Works :)
Current Behavior
Hi,
I am checking if a user is in a particular group and got "user validation: missing claim: groups", whereas the user was definitely in the required groups. I found out in another script of ours that, when querying the Graph API (Entra), it only returns 100 groups, so I had to add pagination to the query to get them all.
Maybe there's similar behavior here that needs to be adjusted.
Thanks
Expected Behavior
Get all groups of the user in the response and compare them against the required groups.
Steps To Reproduce
Environment
openvpn-auth-oauth2 logs
openvpn server logs
No response
Anything else?
No response