OpenID Connect Authenticator & Azure AD Group Mapping Failing

Hi, I’m trying to get group mapping working with Azure AD using the OpenID Connect Authenticator extension.

I’m unable to tell if the issue is in Azure’s response, or in the Authenticator extension. Debug shows the following when the token is returned:

DEBUG o.x.c.o.a.i.OIDCUserManager    - The provider sent the following groups: ["[\"0c6b0227-733f-443a-bdb6-a40682153209\",\"c5f05b36-c0b7-4633-85fb-95302ff03de7\",\"f14fe87a-dec1-4582-aab2-758e3c89828e\",\"8e2151eb-9cf0-4192-a5ec-47f0c6c90fcc\"]"]

If I use:

oidc.groups.mapping=MyGroup=f14fe87a-dec1-4582-aab2-758e3c89828e

then no groups are created (I assume it’s not matching).

If oidc.groups.mapping is not used at all in xwiki.properties, then a group is added that looks like this:

[screenshot: Screenshot_20230121_161300]

This looks like it’s not able to parse the returned groups. I’ve also tried using oidc.groups.separator=, but that did not work either.

For reference, here’s a sanitized debug from the logs:

[2023-01-21 21:14:09] [info] 2023-01-21 21:14:09,367 [http-nio-8080-exec-16 - http://wiki.example.com/xwiki/oidc/authenticator/callback?code=0.ASgACsWMQLCFMFul85rO8hoaZoVDH6hyfe9Eqx3pdR2qCt8oAEA.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P9qdhOpdvWMOjTxIRzGpv14hFP88fgWnn-Yc0hc1M9fbSt3pX5NLjVpEKdUxfSSBXtN_ck_r0UVEaNVFTPCbRlawt80Z5fFPfZF6WhmnqF6HANJgCf8EPik-XflPvqQwaEP6ehFDqKzngkovvks73U_2O4qr8JgO1Lw3DRauo0suJKhAd5JK3gE57-BP_c67bw95ELQ44wFvxOwNhS2x_pq2C59I5BHzbVhEqXgo6f8fzqoQFyuwy7JUPWOUtVa8Waj77XRex-BQRpQOhB7YW4rsTVgGRcWXii3KO2nHsiw8K9nef9Ggw25ohtHmYzYNNcqO3JOW0ePMd2ar4TigKJrRRbCWqpK87x_1rousO8TZdHX4thk3TlmYIcYWN20COrWIxKslrlAXygt46GURLeo6bc7blXvPTVV0zq-dYx8IDdQYF88c7Ian86TQcJNprkWYSr1N_rQVlFlSbrx9Hvky-SHsWBk1SO19TyZEZaaiMjWfenzBCCENFKRS2HsQpK5Uf7g8O_fu8f72JiSY9XxLHlQqKC9mxgus1IXlFBvGBs6LngU4_YPnccQpY8LxeZW3cOz5DBqLWLxq-aHheditxbXtxpqtz7Xdedzvm9zgvw2q1QLFrJNOTIx&state=8TfSU3GESDUWE5rQCF9zvJwI7IXyN-7gQCWkG2ATtQ0&session_state=6b7fc416-6e44-4078-a882-6366d2236e7f] DEBUG o.x.c.o.a.i.OIDCUserManager    - OIDC user info response ({"aio":"ATQAy/8TAFdQaAwI7+qCs9yO9LXPc2f7GTKBx/ExIcWF60PhFM3McBbofCCbbwebOsB4gVzI5RU","amr":"[\"pwd\"]","family_name":"Jones","given_name":"Bob","ipaddr":"X.X.X.X","name":"Bob Jones","oid":"f8ca1bf5-2f2c-4af2-8de7-bd7af5001b03","rh":"0.ASgACsWMQLCFMUul85rO3foaZoVDH6hyfe9Eqx3pdR2qCt8oAEA.","sub":"lFZ9BXJuoO34fi63xjGRJe1vkiZJ53PhaeiWHXn-J7s","tid":"408x2c50a-85b0-4b31-a5f3-9acef21a1a66","unique_name":"bobjones@example.com","upn":"bobjones@example.com","uti":"J_DUAtsQ2EmBMdUBcXoGAA","ver":"1.0","groups":["[\"0c6b0227-733f-443a-bdb6-a40682153209\",\"c5f05b36-c0b7-4633-85fb-95302ff03de7\",\"f14fe87a-dec1-4582-aab2-758e3c89828e\",\"8e2151eb-9cf0-4192-a5ec-47f0c6c90fcc\"]"]}

If I format the received OIDC user info response, it looks like this:

OIDC user info response ({
    "aio": "ATQAy/8TAAAAQaAwI7+qCs9yO9LXPc2f7GTKBx/ExIcWF60PhFM3McBbofCCbbkebOsB4gVzI5RU",
    "amr": "[\"pwd\"]",
    "family_name": "Jones",
    "given_name": "Bob",
    "ipaddr": "X.X.X.X",
    "name": "Bob Jones",
    "oid": "f8ca1bf5-2f4c-4af2-8de7-bd7af5001b03",
    "rh": "0.ASgACsWMQLCFMUul85rO8hoaZoVDH6hyfe9Eqx3pdR2qCt8oAEA.",
    "sub": "lFZ9BXJuoO34fi63xjGRJe1vkiZN53PhaeiWHXn-J7s",
    "tid": "408cc50a-85b0-4b31-a5f3-9acef21a1a66",
    "unique_name": "bobjones@example.com",
    "upn": "bobjones@example.com",
    "uti": "J_DUAtsQ2EmBMHUBcXoGAA",
    "ver": "1.0",
    "groups": [
        "[\"0c6b0227-733f-443a-bdb6-a40682153209\",\"c5f05b36-c0b7-4633-85fb-95302ff03de7\",\"f14fe87a-dec1-4582-aab2-758e3c89828e\",\"8e2151eb-9cf0-4192-a5ec-47f0c6c90fcc\"]"
    ]
}

Is this bad JSON from Azure, or is the OpenID Connect Authenticator just not parsing it correctly? Appreciate any help!

Thanks,
Ethan
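The debug output above shows the shape of the problem: "groups" is a one-element array whose only element is a string that itself contains a JSON-encoded array of group object IDs (the "amr" claim in the same log has the same double-encoded shape). A mapping entry such as MyGroup=f14fe87a-... is compared against that single string, never against the IDs inside it, so nothing matches. The following is an added example, not code from the post or from the XWiki OpenID Connect Authenticator; it reproduces the double-encoded claim from the log as constructed sample data, shows that an as-is comparison fails, and normalizes the claim (proper array, double-encoded string, or separator-delimited string) before applying XWikiGroup=providerGroup mapping entries. The mapping format (one entry per line, XWiki group on the left) and the function names are assumptions made for this example.

```python
import json
from typing import Dict, List, Optional

# Constructed sample in the shape seen in the post's debug output: the
# "groups" claim is a one-element JSON array whose element is itself a
# JSON-encoded array of Azure AD group object IDs (double encoding).
SAMPLE_USERINFO = {
    "upn": "bobjones@example.com",
    "groups": [
        "[\"0c6b0227-733f-443a-bdb6-a40682153209\","
        "\"c5f05b36-c0b7-4633-85fb-95302ff03de7\","
        "\"f14fe87a-dec1-4582-aab2-758e3c89828e\","
        "\"8e2151eb-9cf0-4192-a5ec-47f0c6c90fcc\"]"
    ],
}

# Hypothetical mapping entries in the "XWikiGroup=providerGroup" form the
# post uses for oidc.groups.mapping (assumption: one entry per line).
SAMPLE_MAPPING = [
    "MyGroup=f14fe87a-dec1-4582-aab2-758e3c89828e",
    "Admins=8e2151eb-9cf0-4192-a5ec-47f0c6c90fcc",
    "Unused=00000000-0000-0000-0000-000000000000",
]


def normalize_groups(claim, separator: Optional[str] = None) -> List[str]:
    """Flatten a raw 'groups' claim into a list of group identifiers.

    Accepts a JSON array of strings, a string containing a JSON array
    (the double-encoded case), a separator-delimited string, or any
    nesting of those. A bracketed string that is not valid JSON is kept
    verbatim. Order is preserved and duplicates are removed.
    """
    found: List[str] = []

    def visit(value) -> None:
        if value is None:
            return
        if isinstance(value, list):
            for item in value:
                visit(item)
            return
        if not isinstance(value, str):
            found.append(str(value))
            return
        text = value.strip()
        if text.startswith("[") and text.endswith("]"):
            try:
                visit(json.loads(text))  # unwrap one level of double encoding
                return
            except json.JSONDecodeError:
                pass  # not JSON after all; fall through and treat as plain text
        if separator and separator in text:
            for part in text.split(separator):
                if part.strip():
                    found.append(part.strip())
            return
        if text:
            found.append(text)

    visit(claim)
    unique: List[str] = []
    for group in found:
        if group not in unique:
            unique.append(group)
    return unique


def parse_mapping(entries: List[str]) -> Dict[str, List[str]]:
    """Parse 'XWikiGroup=providerGroup' entries into {providerGroup: [XWikiGroup, ...]}."""
    mapping: Dict[str, List[str]] = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"bad mapping entry: {entry!r}")
        xwiki_group, provider_group = (s.strip() for s in entry.split("=", 1))
        mapping.setdefault(provider_group, []).append(xwiki_group)
    return mapping


def resolve_xwiki_groups(userinfo: dict, mapping_entries: List[str],
                         separator: Optional[str] = None) -> List[str]:
    """Return the XWiki groups the user should be added to, in claim order."""
    mapping = parse_mapping(mapping_entries)
    result: List[str] = []
    for provider_group in normalize_groups(userinfo.get("groups"), separator):
        for xwiki_group in mapping.get(provider_group, []):
            if xwiki_group not in result:
                result.append(xwiki_group)
    return result


def raw_claim_matches(userinfo: dict, provider_group: str) -> bool:
    """Compare a mapping ID against the claim's elements as-is. With the
    double-encoded shape this is what silently fails to match."""
    return provider_group in (userinfo.get("groups") or [])


if __name__ == "__main__":
    target = "f14fe87a-dec1-4582-aab2-758e3c89828e"
    print("raw element match:", raw_claim_matches(SAMPLE_USERINFO, target))
    print("normalized groups:", normalize_groups(SAMPLE_USERINFO["groups"]))
    print("XWiki groups:", resolve_xwiki_groups(SAMPLE_USERINFO, SAMPLE_MAPPING))
```

Running this against the sample prints False for the as-is comparison and the two mapped XWiki groups once the claim is unwrapped, which is the behaviour the separator setting alone cannot produce: splitting the single string on "," still leaves quoted, bracketed fragments rather than bare IDs. Separately, the callback URL in the log above still carries the code= and state= parameters; authorization codes are single-use and short-lived, but they should be stripped from logs before sharing them.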

Here is a working configuration:
OpenID Authentication with Microsoft Entra ID