OIDC SSO not dropping users into groups

Hi,

We’ve been trying to set up group claims on XWIKI so as to use groups information from our OIDC SSO instance to drop the user into the appropriate XWIKI group.
Our XWIKI instance is running in docker and works fine for the most part.

Currently, the OIDC plugin works to login the user, but it doesn’t seem to do any sort of groups matching.

Config:

oidc.userinfoclaims=profile,groups,profile_user_groups
oidc.xwikiprovider=https://ourOIDCendpoint/oidc
oidc.endpoint.authorization=https://ourOIDCendpoint/openid/authorize
oidc.endpoint.token=https://ourOIDCendpoint/openid/token
oidc.endpoint.userinfo=https://ourOIDCendpoint/openid/userinfo
oidc.endpoint.logout=https://ourOIDCendpoint/openid/logout
oidc.scope=openid,groups,profile,email,address
oidc.user.nameFormater=${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}
oidc.clientid=[REDACTED]
oidc.secret=[REDACTED]
oidc.endpoint.token.auth_method=client_secret_basic
oidc.skipped=false
oidc.groups.claim=groups
#oidc.groups.separator=,
#oidc.groups.mapping=xwiki_comm_customer=xwiki_comm_customer
#oidc.groups.mapping=xwiki_ps_customer=xwiki_ps_customer
#oidc.groups.mapping=xwiki_staff=xwiki_staff
#oidc.groups.mapping=xwiki_supplier=xwiki_supplier

I have tried including the oidc.groups.mapping options to no avail (this time, I commented them out in case the OIDC plugin automatically performs the matching. It didn’t work).

The groups on our OIDC endpoint are named the exact same way as the groups in XWIKI. We can log in just fine to XWIKI using this, but the user account doesn’t belong to the right group. Do you guys have any tips to get this working? Greatly appreciate any response!

polite bump!

You might want to enable debug logging to get more detail on what exactly happens behind the scenes during an authentication.

Thanks for the heads up, here are some debug log outputs:

xwiki-postgres-tomcat-web  | 2023-04-04 10:46:55,231 [http-nio-8080-exec-5 - http://knowledge.ourdomain.tld/bin/view/Main/] INFO  .u.i.DefaultURLSecurityManager - Domain of URL [https://workflow.ourdomain.tld/dashboard/openid/authorize?scope=openid+groups+profile+email+address&claims=%7B%22id_token%22%3A%7B%22xwiki_instance_id%22%3Anull%7D%2C%22userinfo%22%3A%7B%22profile%22%3Anull%2C%22groups%22%3Anull%2C%22profile_user_groups%22%3Anull%7D%7D&response_type=code&redirect_uri=https%3A%2F%2Fknowledge.ourdomain.tld%2Foidc%2Fauthenticator%2Fcallback&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&client_id=012158] does not belong to the list of trusted domains but it's considered as trusted since the check has been bypassed.
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,324 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG i.OIDCResourceReferenceHandler - OIDC: Reference: [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,325 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG c.o.a.i.e.CallbackOIDCEndpoint - OIDC callback: starting with request [http://192.168.16.3:8080/oidc/authenticator/callback]
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,325 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,326 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,326 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,327 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,328 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,329 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,329 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,330 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,330 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,332 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG c.o.a.i.e.CallbackOIDCEndpoint - OIDC callback: adding secret (012158 2451d22516827e895c8ad3ae16e0452b37aeeed3778aab8bc507a277)
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,332 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,332 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,336 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,336 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,337 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG c.o.a.i.e.CallbackOIDCEndpoint - OIDC Token request (https://workflow.ourdomain.tld/dashboard/openid/token?code=8c5f649055654167b1f549e43144e662&redirect_uri=https%3A%2F%2Fknowledge.ourdomain.tld%2Foidc%2Fauthenticator%2Fcallback&grant_type=authorization_code,Basic MDEyMTU4OjI0NTFkMjI1MTY4MjdlODk1YzhhZDNhZTE2ZTA0NTJiMzdhZWVlZDM3NzhhYWI4YmM1MDdhMjc3,{Authorization=[Basic MDEyMTU4OjI0NTFkMjI1MTY4MjdlODk1YzhhZDNhZTE2ZTA0NTJiMzdhZWVlZDM3NzhhYWI4YmM1MDdhMjc3], Content-Type=[application/x-www-form-urlencoded; charset=UTF-8]})
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,445 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG c.o.a.i.e.CallbackOIDCEndpoint - OIDC Token response ({"access_token": "b47fb2a47d994f57adff884acb8ae0dd", "refresh_token": "a21675264d1f43e092cc021982237037", "token_type": "bearer", "expires_in": 3600, "id_token": "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3dvcmtmbG93LnNtYXJ0bWF0ZS5jby9kYXNoYm9hcmQvb3BlbmlkIiwic3ViIjoiODcxY2VlYmEtNzhhMy00YTE3LTllYTQtMzE0YWQ0MjM5OWE5IiwiYXVkIjoiMDEyMTU4IiwiZXhwIjoxNjgwNjA1ODIyLCJpYXQiOjE2ODA2MDUyMjIsImF1dGhfdGltZSI6MTY4MDYwNTIyMiwiYXRfaGFzaCI6Ijl0QmJRMzJNWnVrWVZZVEV3SGwwMlEifQ.mktL7-xUzmLnzVJcC4jNOzrDil9ZkDT2S6u4uOXmGXE"}
xwiki-postgres-tomcat-web  | )
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,446 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,446 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,446 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,446 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,448 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,448 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,449 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,449 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG o.x.c.o.a.i.OIDCUserManager    - OIDC user info request (org.xwiki.contrib.oidc.auth.internal.Endpoint@405a3238,b47fb2a47d994f57adff884acb8ae0dd)
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,449 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,449 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,450 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG o.x.c.o.a.i.OIDCUserManager    - OIDC user info request (https://workflow.ourdomain.tld/dashboard/openid/userinfo?null,{Authorization=[Bearer b47fb2a47d994f57adff884acb8ae0dd], User-Agent=[OpenID Connect Authenticator/1.32.1]})
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,503 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG o.x.c.o.a.i.OIDCUserManager    - OIDC user info response ({"sub": "871ceeba-78a3-4a17-9ea4-314ad42399a9", "given_name": "FirstName", "family_name": "LastName", "email": "my.email@domain.com", "groups": ["0. Admin", "4. Staff", "xwiki_staff", "wiki_test"]}
xwiki-postgres-tomcat-web  | )
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,503 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,504 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,505 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,506 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,507 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,507 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,508 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,508 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,510 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,510 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,514 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG o.x.c.o.a.i.OIDCUserManager    - Updating XWiki claims
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,522 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,523 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,524 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,524 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,530 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,530 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,531 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,531 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,532 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG o.x.c.o.a.i.OIDCUserManager    - Getting groups sent by the provider associated with claim [profile]
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,532 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,532 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,536 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,536 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,538 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,539 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,539 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG o.x.c.o.a.i.OIDCUserManager    - The provider did not sent any group
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,540 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,540 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207
xwiki-postgres-tomcat-web  | 2023-04-04 10:47:02,541 [http-nio-8080-exec-1 - http://knowledge.ourdomain.tld/oidc/authenticator/callback?code=8c5f649055654167b1f549e43144e662&state=2_yZh1MC0gZVbRhf1ocTIBiu_JnFMAobL94BOgk-MyA&session_state=03b759467e490351f26082186d21ca10691ba8800cf400bb052c05882f258b0b.dd81d67630f636dee0c6a50207bc95eb] DEBUG .o.a.i.OIDCClientConfiguration - Session: 7EAE0BDC3803E5383928189DD6B71207

The log suggests that you indicated in the configuration that the group claim was profile (instead of groups according to what the provider sent back). This does not match the oidc.groups.claim configuration you pasted in the previous message, but that’s still what seems to happen, and I don’t see anything in the code that could suggest that it’s reading the wrong configuration in some case.

Just wanted to say a big thank you to you mate. I changed “profile” to “groups” and the SSO groups matching started working after I cleared cache + went into incognito mode. It seems the groups matching happens only on login/authentication which is why I might’ve been having issues testing different config changes.

Again, thank you so much!
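
A small offline check for the mismatch diagnosed in this thread, added here as an example (not code from the thread or from the XWiki OIDC extension): it compares `oidc.groups.claim` in a properties file with the claim name the authenticator's DEBUG log says it used, and with the keys present in the logged userinfo response. The config and log samples are constructed, shortened from the kind of lines quoted above, and the function names are hypothetical.

```python
import json
import re

# Log messages as they appear in the DEBUG output quoted in the thread.
CLAIM_RE = re.compile(
    r"Getting groups sent by the provider associated with claim \[([^\]]*)\]")
USERINFO_RE = re.compile(r"OIDC user info response \((\{.*\})")

# Constructed sample input (placeholder identity values).
SAMPLE_CONFIG = """\
oidc.userinfoclaims=profile,groups,profile_user_groups
oidc.scope=openid,groups,profile,email,address
oidc.groups.claim=groups
#oidc.groups.mapping=xwiki_staff=xwiki_staff
"""

SAMPLE_LOG = """\
2023-04-04 10:47:02,503 DEBUG o.x.c.o.a.i.OIDCUserManager - OIDC user info response ({"sub": "00000000-0000-0000-0000-000000000000", "email": "user@example.com", "groups": ["4. Staff", "xwiki_staff"]}
)
2023-04-04 10:47:02,532 DEBUG o.x.c.o.a.i.OIDCUserManager - Getting groups sent by the provider associated with claim [profile]
2023-04-04 10:47:02,539 DEBUG o.x.c.o.a.i.OIDCUserManager - The provider did not sent any group
"""


def parse_properties(text):
    """Parse key=value lines; blank and commented (#) lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props.setdefault(key.strip(), []).append(value.strip())
    return props


def diagnose(config_text, log_text):
    """Compare the configured group claim with what the log shows was used."""
    props = parse_properties(config_text)
    configured = props.get("oidc.groups.claim", [None])[-1]

    used = CLAIM_RE.findall(log_text)
    effective = used[-1] if used else None

    bodies = USERINFO_RE.findall(log_text)
    userinfo = json.loads(bodies[-1]) if bodies else {}

    # Claims in the userinfo response that look like a list of group names.
    candidates = sorted(
        key for key, value in userinfo.items()
        if isinstance(value, list) and all(isinstance(i, str) for i in value))

    findings = []
    if effective is None:
        findings.append("no group-claim lookup found in the log; "
                        "is DEBUG logging enabled for the authenticator?")
    else:
        if configured is not None and configured != effective:
            findings.append(
                f"file sets oidc.groups.claim={configured} but the running "
                f"instance looked up claim [{effective}]")
        if effective not in userinfo:
            findings.append(
                f"claim [{effective}] is absent from the userinfo response; "
                f"list-valued claims present: {candidates}")

    return {
        "configured_claim": configured,
        "effective_claim": effective,
        "candidate_claims": candidates,
        "groups_seen": userinfo.get(effective, []) if effective else [],
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONFIG, SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Because the group lookup is only logged during authentication, the log has to be captured from a fresh login after each configuration change.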