
OAUTH_ADDITIONAL_CLAIMS Not Recognized with AzureAD with > 150 groups #6835

@n0-ware

Description


Describe the bug

I am running the latest dpage docker image behind an nginx reverse proxy with 443 in the proxy mapped to 5050 on the host mapped to 80 on the container. TLS Certificates are provided by the proxy, not the container. Portainer is used to manage the container deployment.

When using AzureAD as the IDP for OAuth2 with a registered application, providing OAUTH2_ADDITIONAL_CLAIMS with the groups claim results in failed authentication despite authenticating the user as a member of the assigned group. I am given the message "The user is not authorized to login based on the claims in the profile. Please contact your administrator"

To Reproduce

Steps to reproduce the behavior:

  1. Successfully configure an App registration/Enterprise application in AzureAD for pgAdmin.
  2. Add configurations to the in-container or mapped (my case) config_local.py file to create the OAuth2 connection. The following configuration, with corresponding App information, satisfies this.
AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [
  {
      'OAUTH2_NAME': 'Azure',
      'OAUTH2_DISPLAY_NAME': 'Microsoft',
      'OAUTH2_CLIENT_ID': '<CLIENT_ID>',
      'OAUTH2_CLIENT_SECRET': '<CLIENT_SECRET>',
      'OAUTH2_TOKEN_URL': 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token',
      'OAUTH2_AUTHORIZATION_URL': 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize',
      'OAUTH2_API_BASE_URL': 'https://graph.microsoft.com/<TENANT_ID>/',
      'OAUTH2_SCOPE': 'email openid profile',
      'OAUTH2_USERINFO_ENDPOINT': 'https://graph.microsoft.com/oidc/userinfo',
      'OAUTH2_BUTTON_COLOR': '#007FFF',
      'OAUTH2_ICON': 'fa-brands fa-microsoft',
      'OAUTH2_SERVER_METADATA_URL': 'https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration'
  }
]
  3. See the logged-in user with Azure as the provider. This confirms Azure with OAuth is working
     [screenshot: logged-in user with Azure as the provider]
  4. Redeploy the container with the following configuration. The only change here is the inclusion of OAUTH_ADDITIONAL_CLAIMS
...

      'OAUTH2_SERVER_METADATA_URL': 'https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration',
      'OAUTH2_ADDITIONAL_CLAIMS': {
        'groups': ["22460ce8-c015-41b3-9390-1f97a298b1f4"], # GroupID included for reference screenshot
      },
  }
]
  5. Ensure the Enterprise Application has the group assigned, the application registration has the group claim, the expected user is a group member, and the application's Object ID is correct inside the config_local.py config file.
     [screenshots: Claim Created, Group Membership, Group Details, Group Member]
  6. Wait ~10 minutes for groups to fully sync, etc.
  7. Attempt to login with Azure
  8. Get Error
     [screenshot: Login Error]

Expected behavior

User successfully logs in

Error message

From the Portainer logs
2023-10-07 16:44:49,332: WARNING pgadmin: The authenticated user Eddie@REDACTED.com is not authorized to access pgAdmin based on OAUTH2 config. Reason: Profile does not have any of given additional claims.

Screenshots

Desktop (please complete the following information):

  • OS: [Ubuntu 22.04]
  • Version: [Latest]
  • Mode: [Server]
  • Browser: [Chrome]
  • Package type: [Container]

Additional context

I have done robust digging in attempts to extract the JWT token for analysis. Unfortunately my knowledge is limited to that of a non-dev security practitioner. My ability to troubleshoot the data-flow is limited but I am happy to expand on this and provide any additional details as required to resolve the issue.

Based on all the documentation available to me, I feel like all the configurations are done appropriately. I accept that there may be a misconfiguration in Azure, but I have been unable to identify it here and am left hoping this is a bug in pgAdmin, or this group can help me resolve the issue and provide clearer documentation for others facing the same issue.
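The following is an added example for readers triaging this report; it is not pgAdmin's own code and does not reproduce pgAdmin's exact matching rule. It models the kind of check behind the log message "Profile does not have any of given additional claims" and separates three situations that all produce that one message: the required claim is present but carries none of the allowed values, the claim is absent outright, and the Azure AD group "overage" case the issue title points at, where a user in more groups than the token limit gets no groups claim at all and the token instead carries `_claim_names` and `_claim_sources` entries pointing at Microsoft Graph. The profile dictionaries, the Graph endpoint string, the group ID reuse, and the function and reason names are constructed for this example.

```python
# Added example, not pgAdmin's code: diagnose why an additional-claims check
# rejected an OAuth2 profile. The matching rule (any allowed value for any
# required claim) is an assumption for this example. The overage marker shape
# (_claim_names / _claim_sources) is Azure AD's documented replacement for an
# omitted groups claim; the endpoint value below is constructed.
from typing import Any

# Constructed sample profiles standing in for the claim set the IdP returned.
PROFILE_IN_GROUP = {
    "email": "eddie@example.com",
    "groups": ["22460ce8-c015-41b3-9390-1f97a298b1f4", "some-other-group"],
}
PROFILE_OVERAGE = {
    "email": "eddie@example.com",
    # No "groups" claim: the IdP deferred group membership to a Graph lookup.
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.microsoft.com/v1.0/me/getMemberObjects"}
    },
}
PROFILE_NO_GROUPS = {"email": "eddie@example.com"}
PROFILE_WRONG_GROUP = {"email": "eddie@example.com", "groups": ["unrelated-group"]}

# Mirrors the OAUTH2_ADDITIONAL_CLAIMS setting from the report.
REQUIRED = {"groups": ["22460ce8-c015-41b3-9390-1f97a298b1f4"]}


def check_additional_claims(profile: dict[str, Any],
                            required: dict[str, list[Any]]) -> tuple[bool, str]:
    """Return (authorized, reason).

    Authorized when, for at least one required claim present in the profile,
    one of the profile's values appears in the allowed list. On failure the
    reason says which of the three failure modes applies, so an operator can
    tell "wrong group" from "no claim issued" from "group overage".
    """
    for claim, allowed in required.items():
        if claim not in profile:
            continue
        value = profile[claim]
        values = value if isinstance(value, list) else [value]
        if any(v in allowed for v in values):
            return True, f"matched claim {claim!r}"

    missing = [c for c in required if c not in profile]
    overage = profile.get("_claim_names") or {}
    deferred = [c for c in missing if c in overage]
    if deferred:
        sources = profile.get("_claim_sources") or {}
        endpoints = [sources.get(overage[c], {}).get("endpoint") for c in deferred]
        return False, f"overage: claims {deferred} deferred to {endpoints}"
    if missing:
        return False, f"profile lacks required claims {missing}"
    present = [c for c in required if c in profile]
    return False, f"claims {present} present but no value in the allowed list"


def diagnose_all() -> dict[str, tuple[bool, str]]:
    """Run the check over every constructed profile; handy for a quick table."""
    return {
        "in_group": check_additional_claims(PROFILE_IN_GROUP, REQUIRED),
        "overage": check_additional_claims(PROFILE_OVERAGE, REQUIRED),
        "no_groups": check_additional_claims(PROFILE_NO_GROUPS, REQUIRED),
        "wrong_group": check_additional_claims(PROFILE_WRONG_GROUP, REQUIRED),
    }


if __name__ == "__main__":
    for name, (ok, why) in diagnose_all().items():
        print(f"{name:12s} authorized={ok} reason={why}")
```

When triaging a report like this one, the useful step is to capture the actual claim set the application received (the decoded ID token or the userinfo response, whichever the deployment feeds into the check) and run it through a check of this shape: an overage marker means the fix lives on the IdP side (fewer groups in the token, or group filtering in the app registration), an absent claim means the token configuration never emitted it, and a present-but-unmatched claim means the configured ID does not match what the IdP issues.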
