OIDC provider integration

[cnukwas]

Configured Argo with following OIDC configuration to work with our internal provider. I see user's group in scope data when tested with Postman tool, but not in the token used by Argo. Am I missing anything here?

OIDC configuration is below per Argo docs

oidcConfig: |
    name: SAFE
    issuer: https://myoidc.provider.com/
    clientID: abc123456sfsfsdfsdf
    clientSecret: sfsfsdffffffffff
    requestedScopes: ["openid", "argo-admin", "GroupA", "GroupB", "GroupC", "GroupCD1"]
    requestedIDTokenClaims:
      sub:
        essential: true
      email:
        essential: true

RBAC enforcement YAML with following configuration as per argocd-rbac.yaml

argocd-rbac-cm.yaml scopes data:

scopes: '[argo-admin GroupA, GroupB, GroupC, GroupCD1]'

I see that Argo is making following call with correct scopes as mentioned above when I click 'LOG IN VIA OIDC' button on the logon page, but the token in the argocd.token doesn't have these scopes after user is logged in. Hence getting permission denied for any calls, such as sync, or Application creation and any other Argo functionality.
I had a long call with our OIDC expert and he thinks that Argo is either not requesting the scopes or some other issue.
I really appreciate any help to make progress on this issue.

https://my.oidcprovider.com/authorize?claims=%7B%22id_token%22%3A%7B%22email%22%3A%7B%22essential%22%3Atrue%7D%2C%22sub%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&client_id=asddddddddddddddddddd&redirect_uri=https%3A%2F%2Fopenshift-gitops-server-openshift-gitops.apps.os-dev-test.com%2Fauth%2Fcallback&response_type=code&scope=openid+argo-admin+GroupA+GroupB+GroupC+GroupCD1&state=vexgRhBLqJ

Thanks

[shuker85]

In my case more fields in the config were required:

            insecureSkipEmailVerified: true
            getUserInfo: true
            insecureEnableGroups: true