Custom OAuth Roles / Groups and Channel Map


I have Azure AD Authentication up and running on our system. We are trying to get Channels populated based on Azure Group Memberships as per

At this point I have confirmed in the logs that Azure is supplying the group information to the OAuth provider in the format:

	"groups": [

I am looking for some guidance as to what is required for the “Roles/Groups field name” and “OAuth Group Channel Map” fields.

For Roles/Groups field name I have tried variations such as “{{group}}”, “group”, etc.

OAuth Field Map Current Value:

	"<guid>": "<channel>"

If does not exist, then it is created with the user specified in “User Data Group Map” as owner, so *something" is happening in the background, but the user is never added to that channel.

Any insights as to how to read these properties would be appreciated. :slight_smile:

Server Setup Information

  • Version of Rocket.Chat Server: 3.9.1
  • Operating System: Ubuntu 20.04
  • Deployment Method:Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version:
  • MongoDB Version:
  • Proxy: NGinx
  • Firewalls involved:

Any additional Information

So after a lot of experimenting I discovered that the mapping matches EXATCLY "[\"<guid>\"]". The problem here is that if there is multiple groups, it does not break up this group listing, so you end up needing to match up the exact group listing.

For example:

User is in group1 (guid1) and group2 (guid2). Resulting Group string is:

"groups": [
	"[\"<guid1>\", \"<guid2>\"]"

The result here is that you MUST match on the entire group string, not the individual groups, ie:

	"[\"<guid1>\", \"<guid2>\"]": "<channel>"

Will join to <channel>, but any attempts to isolate to one group or the other will not.

Not sure if this is an issue with Rocket Chat not handling the internal stringified JSON being supplied by Azure, or with Azure stringifying the groups in the first place.