Hey!

I've successfully set up the custom sso_providers with my Microsoft Entra application; however, I am unable to make the proper link between my groups and the Warpgate roles. I've read the Warpgate documentation and configured a custom claim on my Entra application named warpgate_roles, into which I have put the desired Entra groups. Below is my configuration:

At first, Entra returned the proper custom claim in the OIDC ID token, but I noticed that it didn't work out of the box in Warpgate. I have tried to add the warpgate_roles claim to the OIDC access token; to do so, Microsoft Entra requires some extra configuration and adding a custom scope into the configuration (hence the api:// scope above): documentation. I am able to authenticate to Warpgate and my user is created, but my user is not part of the role I configured. This is what I can see in the Warpgate logs:

07.07.2025 14:00:40 ERROR HTTP: warpgate_sso::sso: Failed to fetch userinfo: Response(401, [123, 34, 101, 114, 114, 111, 114, 34, 58, 123, 34, 99, 111, 100, 101, 34, 58, 34, 73, 110, 118, 97, 108, 105, 100, 65, 117, 116, 104, 101, 110, 116, 105, 99, 97, 116, 105, 111, 110, 84, 111, 107, 101, 110, 34, 44, 34, 109, 101, 115, 115, 97, 103, 101, 34, 58, 34, 65, 99, 99, 101, 115, 115, 32, 116, 111, 107, 101, 110, 32, 118, 97, 108, 105, 100, 97, 116, 105, 111, 110, 32, 102, 97, 105, 108, 117, 114, 101, 46, 32, 73, 110, 118, 97, 108, 105, 100, 32, 97, 117, 100, 105, 101, 110, 99, 101, 46, 34, 44, 34, 105, 110, 110, 101, 114, 69, 114, 114, 111, 114, 34, 58, 123, 34, 100, 97, 116, 101, 34, 58, 34, 50, 48, 50, 53, 45, 48, 55, 45, 48, 55, 84, 49, 52, 58, 48, 48, 58, 52, 48, 34, 44, 34, 114, 101, 113, 117, 101, 115, 116, 45, 105, 100, 34, 58, 34, 51, 48, 57, 98, 100, 99, 50, 53, 45, 56, 54, 48, 101, 45, 52, 49, 57, 50, 45, 56, 100, 56, 57, 45, 97, 101, 101, 54, 100, 98, 98, 49, 51, 97, 97, 57, 34, 44, 34, 99, 108, 105, 101, 110, 116, 45, 114, 101, 113, 117, 101, 115, 116, 45, 105, 100, 34, 58, 34, 51, 48, 57, 98, 100, 99, 50, 53, 45, 56, 54, 48, 101, 45, 52, 49, 57, 50, 45, 56, 100, 56, 57, 45, 97, 101, 101, 54, 100, 98, 98, 49, 51, 97, 97, 57, 34, 125, 125, 125], "unexpected HTTP status code")
07.07.2025 14:00:40 DEBUG HTTP: warpgate_sso::request: OIDC claims: IdTokenClaims { issuer: IssuerUrl("https://login.microsoftonline.com/xxx/v2.0"), audiences: [Audience("xxx")], expiration: 2025-07-07T15:00:39Z, issue_time: 2025-07-07T13:55:39Z, auth_time: None, nonce: Some(Nonce([redacted])), auth_context_ref: None, auth_method_refs: None, authorized_party: None, access_token_hash: None, code_hash: None, standard_claims: StandardClaims { sub: SubjectIdentifier("xxx"), name: Some(LocalizedClaim({}, Some(EndUserName("xxx")))), given_name: None, family_name: None, middle_name: None, nickname: None, preferred_username: Some(EndUserUsername("xxx")), profile: None, picture: None, website: None, email: Some(EndUserEmail("xxx")), email_verified: None, gender: None, birthday: None, birthdate: None, zoneinfo: None, locale: None, phone_number: None, phone_number_verified: None, address: None, updated_at: None }, additional_claims: EmptyAdditionalClaims }
07.07.2025 14:00:40 DEBUG HTTP: warpgate_sso::request: OIDC userinfo claims: None
In the Microsoft Entra sign-in logs, I can see that the login is a success.

I double-checked the UUID of the Entra group and the role name I created in Warpgate; both exist.

Running the OIDC query inside https://oidcdebugger.com works and returns the expected custom claim, for example:
Access token:
{ "aud": "xxx", "iss": "xx", "iat": xxx, "nbf": xxx, "exp": xxx, "aio": "xxx", "azp": "xxx", "azpacr": "xxx", "name": "xxx", "oid": "xxx", "preferred_username": "yx@z", "rh": "xxx", "scp": "xxx", "sid": "xxx", "sub": "xxx", "tid": "xxx", "uti": "xxx", "ver": "2.0", "wids": [ "xxx" ], "xms_ftd": "xxx", "warpgate_roles": [ "UUID_1", "UUID_2", [...] ] }

ID token:

{ "aud": "xxx", "iss": "xxx", "iat": xxx, "nbf": xxx, "exp": xxx, "aio": "xxx", "at_hash": "xxx", "email": "xxx", "name": "xxx", "nonce": "xxx", "oid": "xxx", "preferred_username": "yx@z", "rh": "xxx", "sid": "xxx", "sub": "xxx", "tid": "xxx", "uti": "xxx", "ver": "2.0", "wids": [ "xxx" ], "warpgate_roles": [ "UUID_1", "UUID_2", [...] ] }

I am at a loss as to where the issue might be here; any help would be greatly appreciated.
PS: Warpgate version used: v0.15.0