Harbor: Group ID instead of Group Name when using Azure AD OIDC

Created on 8 Jun 2020 · 6 comments · Source: goharbor/harbor

Can you explain why in the Groups tab I only see the ID instead of the name when I use Azure AD as OIDC. Is this the fault of the Token configuration I get from Azure? I've tried all the configurations but none work.
Problem occurs for both 1.x and 2.0 versions.

All 6 comments

It is related to the group claim setting in your OIDC provider configuration.
You need to make sure the group name is in the ID token and set the group claim to point to it.

Azure doesn't support using the group name in the id token for AAD groups because the group name might not be unique. To use group names we'd need to use the azure api to fetch the groups with their ids. I'd be willing to put a couple of days of work in to create a PR to do this, but since this would be an Azure specific solution, would it actually be considered for merging?

Edit: This would be needed to fetch all groups: https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0
Users would have to give the harbor application registration access to this api call for it to work.
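The lookup Yaron describes, as an added example that is not Harbor's or dex's code: Azure AD puts group object IDs (GUIDs) in the `groups` claim, so display names have to be joined in from the Microsoft Graph `List groups` response. It assumes the ID token has already been signature-verified and the Graph response already fetched and paged; both inputs below are constructed samples, and the overage claims (`_claim_names` / `_claim_sources`) are handled so a token with no group list is never mistaken for a user with no groups.

```python
"""Resolve Azure AD group IDs from an OIDC ID token to Graph display names."""
from typing import Dict, List, Optional

# Constructed: decoded (signature-verified) ID token claims as Azure AD issues them.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "preferred_username": "alice@example.com",
    "groups": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    ],
}

# Constructed: what Azure AD issues instead when the user is in too many groups.
SAMPLE_OVERAGE_CLAIMS = {
    "preferred_username": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/getMemberObjects"}},
}

# Constructed: shape of the Graph "List groups" response (GET /v1.0/groups).
SAMPLE_GRAPH_GROUPS = {
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "displayName": "harbor-admins"},
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "harbor-readers"},
    ]
}


def group_ids_from_token(claims: dict) -> List[str]:
    """Return the group IDs carried in the token, or fail loudly on overage.

    With overage the token has no list at all; membership must be fetched
    from Graph. Returning [] here would silently strip the user's groups.
    """
    if "groups" in claims:
        return list(claims["groups"])
    if "groups" in claims.get("_claim_names", {}):
        raise LookupError("group overage: membership must be fetched from Graph")
    return []


def resolve_group_names(claims: dict, graph_groups: dict) -> Dict[str, Optional[str]]:
    """Map each token group ID to its displayName; None when Graph did not return it.

    Unresolved IDs usually mean the app registration lacks consent for the
    Graph call, or the group is outside the tenant; keep them visible rather
    than dropping them so the caller can decide how to treat them.
    """
    names = {g["id"]: g["displayName"] for g in graph_groups.get("value", [])}
    return {gid: names.get(gid) for gid in group_ids_from_token(claims)}
```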

I'm all for Yaron's proposal. @reasonerjt can you consider this would be useful to include?

@yaron
Thanks for the explanation, I now understand the issue.

However, for simplicity and maintainability, we want to keep a unified workflow for all OIDC providers, so that in the pipeline we'll only test dex.

Currently there's no plan to add specific logic for different OIDC vendors.

I missed this at first, but it should be possible through dex.
https://github.com/dexidp/dex/blob/master/Documentation/connectors/microsoft.md

So there are two possibilities here:

  1. Dex is not implemented correctly in the case of AAD.
  2. The documentation should be updated to make users do the consent part and give harbor the permissions to let dex get the group names.

I don't know which is the case. I hope I'll have some time to test this next week, but if you could take a look at that page and check the implementation you'd probably know much faster.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
