Proper groups mapping via OpenID provider

[czomo]

Hi
I set up AKHQ via JumpCloud OpenID provider. It works fine using OIDC and their names claims however i can't map specyfic groups to roles.

---- 
             users:
                - username: [email protected]
                  groups:
                    - admin
----
DEBUG pGroup-1-4 i.m.s.t.j.v.JwtValidator   Validating signed JWT
DEBUG pGroup-1-4 .m.s.t.j.s.j.JwksSignature Key Type: RSA
DEBUG pGroup-1-4 .m.s.t.j.s.j.JwksSignature JWT Key ID: public:hydra.openid.id-token
DEBUG pGroup-1-4 .m.s.t.j.s.j.JwksSignature JWK Set Key IDs: public:hydra.openid.id-token
DEBUG pGroup-1-4 .m.s.t.j.s.j.JwksSignature Found 1 matching JWKs
TRACE pGroup-1-4 enIdTokenResponseValidator JWT signature validation succeeded. Validating claims...
TRACE pGroup-1-4 thorizationResponseHandler Token validation succeeded. Creating a user details
TRACE pGroup-1-4 o.r.DefaultOauthController Authentication succeeded. User [[email protected]] is now logged in
DEBUG pGroup-1-4 ccessRefreshTokenGenerator Skipped refresh token generation because no io.micronaut.security.token.validator.RefreshTokenValidator implementation is present
DEBUG pGroup-1-4 .g.c.JWTClaimsSetGenerator Setting expiration to 3600
DEBUG pGroup-1-4 .g.c.JWTClaimsSetGenerator Generated claim set: {[email protected], nbf=1671041244, connectsFilterRegexp=[], roles=[topic/read, topic/insert, topic/delete, topic/config/update, node/read, node/config/update, topic/data/read, topic/data/insert, topic/data/delete, group/read, group/delete, group/offsets/update, group/offsets/delete, registry/read, registry/insert, registry/update, registry/delete, registry/version/delete, acls/read, connect/read, connect/insert, connect/update, connect/delete, connect/state/update], iss=akhq, exp=1671044844, iat=1671041244, consumerGroupsFilterRegexp=[], topicsFilterRegexp=[]}

However when I am trying to map groups using snippet bellow I am receiveing empty roles. How to approach to debug this?

              groups:
                - name: oidc-admin-group
                  groups:
                    - topic-reader
  ---
 {[email protected]], nbf=1671041244, connectsFilterRegexp=[], roles=[], iss=akhq, exp=1671044844, iat=1671041244, consumerGroupsFilterRegexp=[], topicsFilterRegexp=[]}
{logged: true, username: "[email protected]"}

My full config:

    akhq:
      security:
        default-group: no-roles
        oidc:
          enabled: true
          providers:
            jumpcloud:
              label: "Login with JumpCloud"
              default-group: topic-reader
              username-field: email
              groups-field: roles
              users:
                - username: [email protected]
                  groups:
                    - admin
              groups:
                - name: oidc-admin-group
                  groups:
                    - topic-reader
    micronaut:
      security:
        enabled: true
        token:
          jwt:
            signatures:
              secret:
                generator:
                  secret: XXXXXXXXXXXXXXXX
        oauth2:
          enabled: true
          clients:
            jumpcloud:
              client-id: "XXXXXXXXXXXXXXXX"
              client-secret: "XXXXXXXXXXXXXXXX"
              scopes:
                - email
                - openid
                - groups
                - roles
                - profile
                - offline_access
              openid:
                issuer: "https://oauth.id.jumpcloud.com"
                configuration-path: "/.well-known/openid-configuration"

[tchiotludo]

Not really sure to understand your issue and didn't see what your are expected to work the group or the users mapping?
Can you enabled all logs using that? And update the question with more detail please?

[czomo]

My openID provider works fine when I am using user email(First snipped above) to map roles. However when I am trying to use groups(second snipped above) I am ending with endless redirect to login page. It seems roles=[] are empty in this scenario. I am trying to find out why
My full traceback using group mapping

T36,307 pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T36,307 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request POST, /loggers/org.akhq.configs, no token found.
T36,314 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [127.0.0.1]. Continuing request processing.
T36,315 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/loggers/org.akhq.configs] and method [POST]. Searching in patterns with no defined method.
T36,315 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern match found for path [/loggers/org.akhq.configs]. Returning unknown.
T36,315 DEBUG pGroup-1-4 .s.r.SensitiveEndpointRule loggers endpoint is not sensitive. Allowing the request.
T36,315 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request POST /loggers/org.akhq.configs. The rule provider io.micronaut.security.rules.SensitiveEndpointRule authorized the request.
T40,142 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T40,143 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /health, no token found.
T40,145 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T40,147 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Request GET, /health, no token found.
T40,146 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.50.1.44]. Continuing request processing.
T40,148 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/health] and method [GET]. Searching in patterns with no defined method.
T40,150 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern match found for path [/health]. Returning unknown.
T40,150 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.50.1.44]. Continuing request processing.
T40,150 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/health] and method [GET]. Searching in patterns with no defined method.
T40,151 DEBUG pGroup-1-4 .s.r.SensitiveEndpointRule health endpoint is not sensitive. Allowing the request.
T40,151 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern match found for path [/health]. Returning unknown.
T40,151 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /health. The rule provider io.micronaut.security.rules.SensitiveEndpointRule authorized the request.
T40,151 DEBUG pGroup-1-3 .s.r.SensitiveEndpointRule health endpoint is not sensitive. Allowing the request.
T40,152 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /health. The rule provider io.micronaut.security.rules.SensitiveEndpointRule authorized the request.
T44,435 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T44,436 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /oauth/callback/jumpcloud, no token found.
T44,437 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.54.32.3]. Continuing request processing.
T44,437 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), topic/read, topic/insert, topic/delete, topic/config/update, node/read, node/config/update, topic/data/read, topic/data/insert, topic/data/delete, group/read, group/delete, group/offsets/update, group/offsets/delete, registry/read, registry/insert, registry/update, registry/delete, registry/version/delete, acls/read, connect/read, connect/insert, connect/update, connect/delete, connect/state/update]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T44,437 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /oauth/callback/jumpcloud. The rule provider org.akhq.modules.SecuredAnnotationRuleWithDefault authorized the request.
T44,437 TRACE pGroup-1-4 o.r.DefaultOauthController Received callback from oauth provider [jumpcloud]
T44,438 TRACE pGroup-1-4 .s.o.c.DefaultOpenIdClient Received a successful authorization response from provider [jumpcloud]
T44,438 TRACE pGroup-1-4 thorizationResponseHandler Validating state found in the authorization response from provider [jumpcloud]
T44,439 TRACE pGroup-1-4 DefaultTokenEndpointClient Sending request to token endpoint [https://oauth.id.jumpcloud.com/oauth2/token]
T44,440 TRACE pGroup-1-4 DefaultTokenEndpointClient The token endpoint supports [[client_secret_post, client_secret_basic, private_key_jwt, none]] authentication methods
T44,440 TRACE pGroup-1-4 DefaultTokenEndpointClient Using client_secret_basic authentication. Adding an Authorization header
T44,440 TRACE pGroup-1-4 redentialsHttpClientFilter Did not find any OAuth 2.0 client which should decorate the request with an access token received from client credentials request
T44,770 TRACE pGroup-1-3 thorizationResponseHandler Token endpoint returned a success response. Validating the JWT
T44,770 TRACE pGroup-1-3 enIdTokenResponseValidator Validating the JWT signature using the JWKS uri [https://oauth.id.jumpcloud.com/.well-known/jwks.json]
T44,771 DEBUG pGroup-1-3 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T44,771 DEBUG pGroup-1-3 .m.s.t.j.s.j.JwksSignature Key Type: RSA
T44,772 DEBUG pGroup-1-3 .m.s.t.j.s.j.JwksSignature JWT Key ID: public:hydra.openid.id-token
T44,776 DEBUG pGroup-1-3 .m.s.t.j.s.j.JwksSignature JWK Set Key IDs: public:hydra.openid.id-token
T44,777 DEBUG pGroup-1-3 .m.s.t.j.s.j.JwksSignature Found 1 matching JWKs
T44,791 TRACE pGroup-1-3 enIdTokenResponseValidator JWT signature validation succeeded. Validating claims...
T44,792 TRACE pGroup-1-3 thorizationResponseHandler Token validation succeeded. Creating a user details
T44,793 TRACE pGroup-1-3 o.r.DefaultOauthController Authentication succeeded. User [[email protected]] is now logged in
T44,794 DEBUG pGroup-1-3 ccessRefreshTokenGenerator Skipped refresh token generation because no io.micronaut.security.token.validator.RefreshTokenValidator implementation is present
T44,794 DEBUG pGroup-1-3 .g.c.JWTClaimsSetGenerator Setting expiration to 3600
T44,795 DEBUG pGroup-1-3 .g.c.JWTClaimsSetGenerator Generated claim set: {[email protected], nbf=1671047024, connectsFilterRegexp=[], roles=[], iss=akhq, exp=1671050624, iat=1671047024, consumerGroupsFilterRegexp=[], topicsFilterRegexp=[]}
T45,156 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T45,156 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /ui/static/css/2.1e4ddb81.chunk.css
T45,163 DEBUG pGroup-1-4 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T45,184 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T45,186 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.54.32.3]. Continuing request processing.
T45,187 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/css/2.1e4ddb81.chunk.css] and method [GET]. Searching in patterns with no defined method.
T45,187 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/css/2.1e4ddb81.chunk.css]. Comparing roles.
T45,187 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), isAuthenticated()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T45,187 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/css/2.1e4ddb81.chunk.css. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
T45,350 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T45,354 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /ui/static/css/2.1e4ddb81.chunk.css.map
T45,354 DEBUG pGroup-1-3 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T45,360 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T45,361 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.54.32.3]. Continuing request processing.
T45,361 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/css/2.1e4ddb81.chunk.css.map] and method [GET]. Searching in patterns with no defined method.
T45,361 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/css/2.1e4ddb81.chunk.css.map]. Comparing roles.
T45,361 DEBUG pGroup-1-3 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), isAuthenticated()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T45,361 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/css/2.1e4ddb81.chunk.css.map. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
T45,617 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T45,618 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /ui/static/js/main.ab246577.chunk.js
T45,619 DEBUG pGroup-1-4 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T45,624 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T45,624 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.54.32.3]. Continuing request processing.
T45,627 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/js/main.ab246577.chunk.js] and method [GET]. Searching in patterns with no defined method.
T45,627 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/js/main.ab246577.chunk.js]. Comparing roles.
T45,627 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), isAuthenticated()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T45,627 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/js/main.ab246577.chunk.js. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
T45,641 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T45,642 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /ui/static/js/2.31f57972.chunk.js.map
T45,642 DEBUG pGroup-1-4 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T45,647 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T45,647 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.54.32.3]. Continuing request processing.
T45,648 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/js/2.31f57972.chunk.js.map] and method [GET]. Searching in patterns with no defined method.
T45,648 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/js/2.31f57972.chunk.js.map]. Comparing roles.
T45,648 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), isAuthenticated()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T45,649 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/js/2.31f57972.chunk.js.map. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
T45,770 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T45,774 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /api/me
T45,774 DEBUG pGroup-1-3 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T45,806 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T45,813 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10\.54.32.3]. Continuing request processing.
T45,823 DEBUG pGroup-1-3 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), isAuthenticated(), topic/read, topic/insert, topic/delete, topic/config/update, node/read, node/config/update, topic/data/read, topic/data/insert, topic/data/delete, group/read, group/delete, group/offsets/update, group/offsets/delete, registry/read, registry/insert, registry/update, registry/delete, registry/version/delete, acls/read, connect/read, connect/insert, connect/update, connect/delete, connect/state/update]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T45,830 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /api/me. The rule provider org.akhq.modules.SecuredAnnotationRuleWithDefault authorized the request.
T46,244 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T46,244 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /api/cluster
T46,245 DEBUG pGroup-1-3 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T46,247 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T46,247 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10.54.205.142]. Continuing request processing.
T46,247 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /api/cluster. The rule provider org.akhq.modules.SecuredAnnotationRuleWithDefault authorized the request.
T46,406 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T46,416 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Token eyJhbGciOiJIUzI1NiJ9.x.x found in request GET /ui/static/media/logo.3e63da17.svg
T46,420 DEBUG pGroup-1-3 i.m.s.t.j.v.JwtValidator   Validating signed JWT
T46,428 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Attributes: sub=>[email protected], nbf=>Wed Dec 14 19:43:44 UTC 2022, connectsFilterRegexp=>[], roles=>[], iss=>akhq, exp=>Wed Dec 14 20:43:44 UTC 2022, iat=>Wed Dec 14 19:43:44 UTC 2022, consumerGroupsFilterRegexp=>[], topicsFilterRegexp=>[]
T46,428 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [10\.54.205.142]. Continuing request processing.
T46,431 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/media/logo.3e63da17.svg] and method [GET]. Searching in patterns with no defined method.
T46,432 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/media/logo.3e63da17.svg]. Comparing roles.
T46,433 DEBUG pGroup-1-3 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), isAuthenticated()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
T46,433 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/media/logo.3e63da17.svg. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
T50,141 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T50,144 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
T50,145 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Request GET, /health, no token found.
T50,141 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /health, no token found.

[czomo]

Are there any blockers to merge it?

[tchiotludo]

the time to review 🕐 😸

[czomo]

I checked what is delivered from roles claim from my OpenID provider. I am surprised because it it list [AKHQ_Administrators, AKHQ_Developers]. It is list of user groups attached to my OpenID.
Changed mapping to below code and nothing 🤔

              username-field: email
              groups-field: roles
              groups:
                - name: AKHQ_Administrators
                  groups:
                    - topic-reader

[tchiotludo]

it's merged, maybe you can make a try?

[czomo]

Today I've tried it with dev tag. Unfortunately it doesn't work. I've tried adding some quotes and so on but w/o success. I see AKHQ_Administrators under my group field, as before it works with email.

[mogopz]

Just wanted to let you know that I managed to get group mapping working using JumpCloud after quite a bit of trial and error.

Here's a quick explanation for anyone searching:

JumpCloud Configuration

• Setup a new OIDC SSO App using the Client Secret Basic authentication type
• Set your Redirect URL to:https://<YOUR_DOMAIN>/oauth/callback/<OIDC_NAME>
• Set your Login URL to: https://<YOUR_DOMAIN>/oauth/login/<OIDC_NAME>
• Setup email attribute mapping
• Tick include group attribute and use the value groups

AKHQ Configuration

configuration:
  akhq:
    security:
      default-group: no-roles
      oidc:
        enabled: true
        providers:
          jumpcloud:
            label: "Login with JumpCloud"
            username-field: email
            groups-field: groups
            default-group: no-roles
            groups:
              - name: <oidc-admin-group>
                groups:
                  - admin

secrets:
  micronaut:
    security:
      enabled: true
      oauth2:
        enabled: true
        clients:
          jumpcloud: # This is the OIDC_NAME referred to in your redirect/login URLs
            client-id: <client-id>
            client-secret: <client-secret>
            scopes:
              - email
              - openid
              - groups
              - roles
              - profile
              - offline_access
            openid:
              issuer: https://oauth.id.jumpcloud.com
              configuration-path: "/.well-known/openid-configuration"

You will also need to use the dev image until #1263 is released.