access groups with nested OIDC claims

Hi, I would like to create an access group in Cloudflare Access based on an OIDC claim that is stored within an object inside an array. For example:

{
  "email": "user@example.com",
  "oidc_fields": {
    "sub": "user-unique-id",
    "role": [
      {
        "description": "role description goes here",
        "teamId": "abcd/3412"
      }
    ]
  }
}

{
  "email": "user@example.com",
  "oidc_fields": {
    "sub": "user-unique-id",
    "role": [
      {
        "description": "role description goes here",
        "teamId": "abcd/3412"
      }
    ]
  }
}

I would like to create a rule so that only users who have a specific role description and belong to a specific team will be part of the access group. Users can have multiple roles in various teams, which is why it's an array. I don’t have control over the service providing these values, so I can't change the user identity structure even if I wanted to.
Is it possible to access the claim in the "Claim name" section in this case? Thanks in advance for any help!

Erisa•9/9/24, 8:21 PM

sadly the documenntation for custom oidc providers is pretty barebones and doesnt cover this, i had the same question when i was building out a custom provider and ended up doing what you cant (changing the claim structure)

if this is possible then its not documented, so i wouldnt know how to do it

EErisa sadly the documenntation for custom oidc providers is pretty barebones and doesn...

affinetform3dOP•9/9/24, 8:24 PM

thanks for the quick reply. i was looking for an answer earlier this day in the documentation but i could not find anything. maybe i will have to come up with a different solution