Unable to add user to group when using SSO (OIDC) #6447

Open
AlexCherrypi opened this issue Oct 11, 2024 · 7 comments

AlexCherrypi commented Oct 11, 2024

Describe the bug
Unable to add user to group when using OIDC

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'My Account'
  2. Click on any group
  3. Click on 'Add Users'
  4. Enter User Identifier of user ( ~oidc:123456789 )
  5. Select 'Full Administrator'
  6. Click on 'Ok'
  7. Nothing happens.

Expected behavior
User gets added to list of 'User Authorisations'

Server Software (please complete the following information):

  • OS: Synology Diskstation
  • Virtualization: Docker
  • Network: LAN
  • Version: 1.1.31

Your config.json file

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "_WANonly": true,
    "_LANonly": true,
    "cert": "meshcentral.domain",
    "sessionKey": "redacted",
    "port": 8443,
    "aliasPort": 443,
    "redirPort": 6680,
    "redirAliasPort": 80,
    "AgentPong": 300,
    "trustedProxy": "192.168.0.6",
    "TLSOffload": false,
    "SelfUpdate": false,
    "AllowFraming": "false",
    "WebRTC": "false",
    "AutoBackup": {
      "backupPath": "/opt/meshcentral/meshcentral-backups",
      "backupIntervalHours": 24,
      "keepLastDaysBackup": "10",
      "zippassword": "MyAwesomePasswordPleaseChangeMe"
    },
    "plugins": { "enabled": true }
  },
  "domains": {
    "": {
      "title": "Text1",
      "title2": "Text2",
      "minify": true,
      "certUrl": "https://meshcentral.domain:443",
      "showPasswordLogin": false,
      "authStrategies": {
        "oidc": {
          "issuer": {
            "issuer": "https://auth.domain/application/o/meshcentral/",
            "authorization_endpoint": "https://auth.domain/application/o/authorize/",
            "token_endpoint": "https://auth.domain/application/o/token/",
            "endsession_endpoint": "https://auth.domain/application/o/meshcentral/end-session/",
            "jwks_uri": "https://auth.domain/application/o/meshcentral/jwks/",
            "userinfo_endpoint": "https://auth.domain/application/o/userinfo/"
          },
          "client": {
            "client_id": "redacted",
            "client_secret": "redacted messed up when redacting, actual config is fine :)",
            "redirect_uri": "https://meshcentral.domain/auth-oidc-callback",
            "post_logout_redirect_uri": "https://auth.domain/login"
          },
          "groups": {
            "required": ["Meshcentral admins", "Meshcentral"],
            "siteadmin": ["Meshcentral admins"],
            "revokeAdmin": true,
            "scope": "groups",
            "claim": "groups"
          },
          "newAccounts": true
        }
      }
    }
  }
}

@AlexCherrypi AlexCherrypi changed the title Unable to add user to group when using OIDC Unable to add user to group when using SSO (OIDC) Oct 11, 2024
si458 (Collaborator) commented Oct 11, 2024

@AlexCherrypi please can you just verify how long (character count) your user identifier value is?
My Authentik OIDC calculates out at 70 characters long, but the limit in MeshCentral is set at 64!
My example: ~oidc:a7f75d7c30f81e712f02f0de453bbc79b40865a2efdf1b303cfdef4515c33203

AlexCherrypi (Author) commented Oct 12, 2024

@si458 Great point. I would love to check. Do you know a good way to do so?

It seems like my user identifier value is exactly 64 characters long (without including the ~oidc:, with it, it would be 70 characters long)

So my admin user identifier value would be:
~oidc:7948fda2c675bbe7574c3d27c019dd3d2241ba82bb28fa71527427467f38a87c

Does the ~oidc: get counted, or not?

AlexCherrypi (Author) commented Oct 12, 2024

@si458 It seems like the user identifier is the "sub" in the OAuth ID Token.
An example of mine would be:

{
    "iss": "https://auth.domain/application/o/meshcentral/",
    "sub": "7948fda2c675bbe7574c3d27c019dd3d2241ba82bb28fa71527427467f38a87c",
    "aud": "hrIwOfJ9Agv4mDaeAdkkpMLNORpRF4xVvdOOiVdK",
    "exp": 1728702763,
    "iat": 1728702463,
    "auth_time": 1728701799,
    "acr": "goauthentik.io/providers/oauth2/default",
    "email": "redacted",
    "email_verified": true,
    "name": "Admin",
    "given_name": "Admin",
    "preferred_username": "admin",
    "nickname": "admin",
    "groups": [
        "authentik admins",
        "PiHole admins",
        "Nextcloud admins",
        "Wireguard admins",
        "Nginx admins",
        "no MFA required for login / Passwordless allowed",
        "Meshcentral admins"
    ]
}

I configured my authentication provider to use the User's hashed ID as a sub.
Authentik: Providers > "Provider Name" > Edit > Advanced protocol settings > Subject mode > Based on the User's hashed ID

si458 (Collaborator) commented Oct 12, 2024

@AlexCherrypi Ah, so you're using the same provider as me, Authentik!?
I will have a look and see what we can do, or if there is a way around it.

AlexCherrypi (Author) commented Oct 12, 2024

@si458 just to future-proof everything:
The sub can be up to 255 ASCII characters long according to the spec.

si458 (Collaborator) commented Oct 12, 2024

@AlexCherrypi Oh, thank you for the link!
That makes it much easier! I'll just change the limit to, say, 128!
But only IF someone uses OIDC, though.

Edit: my testing with Google/Azure doesn't exceed the 64 limit; it's just Authentik that's exceeding it, because its sub IS 64 characters and we need to also include the ~oidc: for reasons.

AlexCherrypi (Author) commented

@si458 Why not 255 + say 10 chars for the ID provider (e.g. '~oidc:')?
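The length arithmetic discussed in this thread, as an added example that is not MeshCentral's own code: it reads the `sub` claim out of an ID token (decoded without signature verification, purely to inspect claims), builds the `~oidc:<sub>` identifier, checks it against the 64-character limit reported above and the proposed 128, and computes the smallest limit that still fits a spec-maximum 255-character `sub`. Function names, the limit constants and the sample token are assumptions constructed for illustration; the `sub` value is the one quoted in the thread.

```javascript
// Added example, not MeshCentral's own code. Function and constant names are
// assumptions for illustration; only the "~oidc:" prefix, the 64/128 limits and
// the 255-character OIDC "sub" maximum come from the thread above.

const OIDC_PREFIX = '~oidc:';  // prefix MeshCentral prepends to the sub claim
const CURRENT_LIMIT = 64;      // identifier limit reported in the thread
const PROPOSED_LIMIT = 128;    // limit proposed by the maintainer
const OIDC_SUB_MAX = 255;      // OIDC Core: "sub" MUST NOT exceed 255 ASCII characters

// Read the payload of a compact-serialized (JWS) ID token. This does NOT verify
// the signature; it is only for inspecting claims, never for trusting them.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('ID token is not in JWS compact form');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Build the MeshCentral-style user identifier from a sub claim, enforcing the
// OIDC constraints on sub (non-empty, ASCII, at most 255 characters).
function userIdentifierFromSub(sub) {
  if (typeof sub !== 'string' || sub.length === 0) throw new Error('sub claim missing');
  if (!/^[\x20-\x7e]+$/.test(sub)) throw new Error('sub must be printable ASCII');
  if (sub.length > OIDC_SUB_MAX) throw new Error(`sub longer than ${OIDC_SUB_MAX} characters`);
  return OIDC_PREFIX + sub;
}

// Check an identifier against a storage/validation limit; returns the numbers
// so a caller can log why an "add user" request was rejected instead of
// silently doing nothing.
function checkIdentifierLength(identifier, limit) {
  return { length: identifier.length, limit, ok: identifier.length <= limit };
}

// Smallest limit that fits every spec-compliant sub behind a given prefix.
function minimumLimitForPrefix(prefix) {
  return prefix.length + OIDC_SUB_MAX;
}

// Constructed, unsigned sample token carrying the sub quoted in the thread.
// The signature segment is a placeholder; real tokens must be verified first.
function makeSampleIdToken(sub) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: 'https://auth.domain/application/o/meshcentral/',
    sub,
    aud: 'client-id-placeholder',
  };
  return `${b64(header)}.${b64(payload)}.signature-placeholder`;
}

const SAMPLE_SUB = '7948fda2c675bbe7574c3d27c019dd3d2241ba82bb28fa71527427467f38a87c';
const SAMPLE_ID_TOKEN = makeSampleIdToken(SAMPLE_SUB);

if (typeof require !== 'undefined' && require.main === module) {
  const id = userIdentifierFromSub(decodeIdTokenPayload(SAMPLE_ID_TOKEN).sub);
  console.log(id);
  console.log('against 64:', checkIdentifierLength(id, CURRENT_LIMIT));
  console.log('against 128:', checkIdentifierLength(id, PROPOSED_LIMIT));
  console.log('limit needed for a 255-char sub:', minimumLimitForPrefix(OIDC_PREFIX));
}
```

Run with `node` to see the 70-character Authentik-style identifier fail the 64 limit and pass 128; `minimumLimitForPrefix` shows why a 128 limit still truncates a spec-maximum `sub` (255 + 6 = 261), which is the point of the last comment.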
