OIDC scopes and claims for APM

[cnukwas]

Hi,

We're using F5 APM as OIDC provider, I have followed steps mentioned here and I can login but don't see user information. Also it appears that scopes data is not being used by Argo since it's allowing users to login but doesn't allow to create any Applications thought user is in osadmin group . I am certain that I am missing something here since groups is not returned in the scopes or claims data.

Error when trying to create an Application after logging in with user part of the osadmin group:
Unable to create application: permission denied: applications, create, default/test, sub: /Common/oauth.profile.123456666, iat: 2021-06-30T00:46:45Z

Please see below configuration and let me know what needs to be changed here in order for Argo to use returned scopes/claims, display user name or email or uid for a successful login as well.
User should be allowed to login only if he/she is part of either ArgoTest(dev user), or osadmin(Argo admin) scopes.

Also noticed that Argo logout is not always going to back to Argo login page, instead some times it goes to the OIDC provider login page.

oidcConfig: |
    name: OIDC_TEST
    issuer: https://myoidcprovider.com/
    clientID: <client_Id>
    clientSecret: <client_secret>
    requestedScopes: ["openid", "profile", "email", "groups"]
    requestedIDTokenClaims:
      groups:
        essential: true
      email:
        essential: true
      uid:
        essential: true
    logoutURL: https://myoidcprovider.comlogout?id_token_hint={{token}}&post_logout_redirect_uri={{logoutRedirectURL}}

Sample OIDC token decoded data from jwt.io:

{
  "token_type": "Bearer",
  "scope": "ArgoTest osadmin",
  "scope_data": [
    {
      "id": "ArgoTest",
      "value": ""
    },
    {
      "id": "osadmin",
      "value": ""
    }
  ],
  "iss": "https://myoidcprovider.com/",
  "displayName": "First_name Last_name",
  "email": "[email protected]",
  "email_verified": true,
  "mail": "[email protected]",
  "sub": "some_data"
}

Thanks

[cnukwas]

As I stated in the question, APM is not returning groups scope, so worked with the team to return the data with a different scope name(entitlements)and used that in requestedScopes. I now see that user with osadmin OIDC group is able to create Applications, Projects, and other Argo resources.

requestedScopes: ["openid", "profile", "email", "entitlements"]

"entitlements": [
    "ArgoTest",
     "osadmin"
  ]