jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

Missing Groups claim if user has a lot of groups (>100) #287

Closed choseh closed 1 month ago

choseh commented 1 month ago

Current Behavior

Hi,

I am checking if a user is in a particular group and got "user validation: missing claim: groups", whereas the user was definitely in the required groups. We found out in another script of ours, when querying the Graph API (Entra), that it only returns 100 groups, so I had to add pagination to the query to get them all.

Maybe there's similar behavior here that needs to be adjusted.

Thanks

Expected Behavior

Get all groups of the user in the response and compare them against the required groups.

Steps To Reproduce

Require groups, test with a user that has 123 groups.

Environment

openvpn-auth-oauth2 logs

Jul 23 10:49:13 hostname openvpn-auth-oauth2[559548]: time=2024-07-23T10:49:13.502+02:00 level=INFO msg="deny OpenVPN client cid 13, kid 1" ip=redacted cid=13 kid=1 session_id=foo common_name=foo@bar.de idtoken.subject=bar idtoken.email="" idtoken.preferred_username=foo@bar.de user.subject=foobar user.preferred_username=foo@bar.de

Jul 23 10:49:13 hostname openvpn-auth-oauth2[559548]: time=2024-07-23T10:49:13.503+02:00 level=WARN msg="user validation: missing claim: groups" ip=redacted cid=13 kid=1 session_id=foo common_name=foo@bar.de idtoken.subject=foobar idtoken.email="" idtoken.preferred_username=foo@bar.de user.subject=foobar user.preferred_username=foo@bar.de error_id=something

openvpn server logs

No response

Anything else?

No response

jkroepke commented 1 month ago

Hey @choseh

For Entra ID, do not use the group validation feature in openvpn-auth-oauth2, since it has the limitations you mentioned.

Additionally, Entra ID does not provide the groups claim by default. It needs to be configured in the Enterprise Application as well.

-> https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims


But Entra ID natively supports restricting users and groups to an application.

https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users

By using that, your end users get a much more user-friendly error message from Entra ID directly.

It is also mentioned in the docs: https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Providers#restrict-auth-to-specific-groups-in-your-directory-optional


If you still require the groups claim, follow https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims but choose this:

[image]

and assign the groups to the application that openvpn should validate.


All the other solutions that require fetching the groups from Entra ID are more of a hack, because I think the configuration should be done inside Entra ID directly.

choseh commented 1 month ago

Hey @jkroepke

I can't remember exactly why we tried it the other way, but the recommended way works fine, thanks :)

Thank you for your work!

choseh commented 1 month ago

Actually, I just found out why we did it that way: we have several different OpenVPN server processes for different roles, which all use the same auth app in Entra, so without validation of the groups this would allow users of tunnel A to connect to tunnel C, etc.

jkroepke commented 1 month ago

Ensure that all your groups are assigned to the app. Then, configure the groups claim (https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims) and select this:

[image]

Then the groups claim contains only the groups that are assigned to the app and of which the user is a member.

Finally, re-enable the group validation feature on openvpn-auth-oauth2 again.

For cloud-only groups, I remember that Entra ID puts the Object ID into the groups claim. In conclusion, you have to configure the group ID in openvpn-auth-oauth2, not the group name. For on-premises synced groups, I have no idea.
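
The per-tunnel check choseh describes (several OpenVPN processes sharing one Entra app, each allowed only to its own group), as an added Go example that is not part of openvpn-auth-oauth2's code base. It assumes, as jkroepke notes above, that the groups claim carries group object IDs rather than names, so the policy is keyed by ID. It also distinguishes a token with no groups claim at all (the "missing claim: groups" warning from the log) from a token whose claim is present but lists none of the required groups. The group IDs, the token payloads and the `Tunnel` type are constructed placeholders for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Group object IDs used by this example. They are constructed placeholders,
// not real directory objects. Entra ID emits object IDs (GUIDs) rather than
// display names in the groups claim, so the policy below is keyed by ID.
const (
	GroupTunnelA = "11111111-2222-4333-8444-555555555555"
	GroupTunnelC = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
)

// Constructed ID token payloads (the decoded JSON claims, not signed JWTs).
// With the "groups assigned to the application" option, the claim carries
// only the assigned groups the user belongs to.
const (
	SampleTokenWithGroups = `{"sub":"foobar","preferred_username":"foo@bar.de","groups":["` + GroupTunnelA + `"]}`
	SampleTokenNoGroups   = `{"sub":"foobar","preferred_username":"foo@bar.de"}`
)

// ErrMissingGroupsClaim mirrors the warning in the issue's log output: the
// token carried no groups claim at all, which points at the identity
// provider's claim configuration rather than at the user's membership.
var ErrMissingGroupsClaim = errors.New("user validation: missing claim: groups")

// Tunnel is a hypothetical per-OpenVPN-process policy. Several processes can
// share one Entra app; each requires membership in its own group.
type Tunnel struct {
	Name           string
	RequiredGroups []string // group object IDs; membership in any one suffices
}

type claims struct {
	Subject           string   `json:"sub"`
	PreferredUsername string   `json:"preferred_username"`
	Groups            []string `json:"groups"`
}

// ValidateGroups returns nil when the payload's groups claim is present and
// contains at least one of the tunnel's required group IDs. An absent claim
// is reported separately from an empty one (assumption: absent means the
// provider never emitted it, empty means the user is in none of the assigned groups).
func ValidateGroups(payload []byte, t Tunnel) error {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(payload, &raw); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	if _, ok := raw["groups"]; !ok {
		return ErrMissingGroupsClaim
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	have := make(map[string]struct{}, len(c.Groups))
	for _, g := range c.Groups {
		have[g] = struct{}{}
	}
	for _, want := range t.RequiredGroups {
		if _, ok := have[want]; ok {
			return nil
		}
	}
	return fmt.Errorf("user validation: %s is not a member of any group required for tunnel %s", c.PreferredUsername, t.Name)
}

func main() {
	tunnels := []Tunnel{
		{Name: "A", RequiredGroups: []string{GroupTunnelA}},
		{Name: "C", RequiredGroups: []string{GroupTunnelC}},
	}
	for _, tok := range []string{SampleTokenWithGroups, SampleTokenNoGroups} {
		for _, t := range tunnels {
			if err := ValidateGroups([]byte(tok), t); err != nil {
				fmt.Printf("tunnel %s: deny: %v\n", t.Name, err)
			} else {
				fmt.Printf("tunnel %s: allow\n", t.Name)
			}
		}
	}
}
```

Running it allows the sample user on tunnel A, denies them on tunnel C, and reports the missing-claim case for the token without a groups claim, so a misconfigured claim on the Entra side is distinguishable from a genuine membership denial in the logs.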

choseh commented 1 month ago

This version is even better, thanks. Works :)