OIDC connector in dex doesn't pick up groups from id token #17214
ssharma2089 started this conversation in General
In case someone else gets stuck on the same, it turns out that if you want the OIDC provider to evaluate or do anything with groups, including the claims mapping we have, you need to add the insecureEnableGroups: true, which we were missing. Works ok now.
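The fix described in the reply above, as an added example (not the poster's configuration, which is not shown on this page): a dex `oidc` connector inside Argo CD's `dex.config` with group passthrough enabled. The tenant ID, client ID, secret reference and the `roles` claim name are placeholders or assumptions; the connector id and redirect host are taken from the log in the question.

```yaml
# Added example. Fragment of the dex.config value in the argocd-cm ConfigMap.
connectors:
  - type: oidc
    id: microsoft            # matches "config connector: microsoft" in the log
    name: Microsoft
    config:
      # Placeholders: substitute your own tenant and app registration values.
      issuer: https://login.microsoftonline.com/<TENANT_ID>/v2.0
      clientID: <CLIENT_ID>
      clientSecret: $oidc.microsoft.clientSecret   # placeholder secret key name
      redirectURI: https://argocd.dev.example.com/api/dex/callback
      scopes:
        - openid
        - profile
        - email

      # Without this line the oidc connector drops any group claim from the
      # upstream ID token, and dex logs "groups=[]" even though the claim was
      # sent. The claimMapping below is also ignored until this is set.
      #
      # dex keeps it off by default because group claims passed through the
      # oidc connector can go stale between logins: a user removed from a
      # group upstream keeps the old membership until a fresh ID token is
      # issued. Weigh that against session lifetimes when RBAC depends on it.
      insecureEnableGroups: true

      # Only needed when the upstream claim is not literally named "groups".
      # "roles" is an assumption here, based on the question mentioning that
      # both "groups" and "roles" were tried.
      claimMapping:
        groups: roles
```

After dex restarts with this config, the `login successful` log line should list the mapped values in `groups=[...]`; an empty list at that point means the claim is not in the ID token itself.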
We are using dex version 2.36.0.
We are trying to use the OIDC connector to connect Microsoft/Azure ID. Dex is not picking up the groups from the ID token and we are certain that they are sent. We tried sending them as groups and roles, and the configuration provided is the last one we tried.
We are using Argocd bundled dex.
We managed to connect via OIDC but we are getting groups as empty. Here are the logs from argocd dex:
time="2024-02-15T09:33:04Z" level=info msg="Notifying 1 settings subscribers: [0xc00012b2c0]"
time="2024-02-15T09:33:04Z" level=info msg="dex config modified. restarting dex"
time="2024-02-15T09:33:04Z" level=info msg="received signal terminated, shutdown now"
time="2024-02-15T09:33:04Z" level=info msg="Dex Version: , Go Version: go1.20.2, Go OS/ARCH: linux amd64"
time="2024-02-15T09:33:04Z" level=info msg="config issuer: https://argocd.dev.example.com/api/dex"
time="2024-02-15T09:33:04Z" level=info msg="config storage: memory"
time="2024-02-15T09:33:04Z" level=info msg="config static client: Argo CD"
time="2024-02-15T09:33:04Z" level=info msg="config static client: Argo CD CLI"
time="2024-02-15T09:33:04Z" level=info msg="config connector: microsoft"
time="2024-02-15T09:33:04Z" level=info msg="config response types accepted: [code token id_token]"
time="2024-02-15T09:33:04Z" level=info msg="config skipping approval screen"
time="2024-02-15T09:33:04Z" level=info msg="config refresh tokens rotation enabled: true"
time="2024-02-15T09:33:05Z" level=info msg="keys expired, rotating"
time="2024-02-15T09:33:05Z" level=info msg="keys rotated, next rotation: 2024-02-15 15:33:05.117326539 +0000 UTC"
time="2024-02-15T09:33:05Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2024-02-15T09:33:05Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2024-02-15T09:33:05Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2024-02-15T09:33:43Z" level=info msg="login successful: connector "microsoft", username="Sagar S", preferred_username="[email protected]", email="[email protected]", groups=[]"