Enhance OIDC Module for Flexible Token Parsing & Prevent temp userrole obj creation from Group Claims - Mendix Forum



While implementing dynamic role assignment using the Mendix OIDC module with Azure AD (Entra ID), I have identified two key limitations:


1. The Custom Access Token Parsing microflow only receives the access token string. Azure AD group claims are typically in the ID token, not the access token. The Java action OIDC.CallCustomMicroflow in the oidc.webcallback microflow is hardcoded to pass only the access token. Suggestion: allow configurable inputs to the microflow (ID token, claims) instead of only the access token.


2. During the callback flow, OIDC.SUB_ChangeRoleToUserRole attempts to create System.UserRole objects from Azure AD group names. This causes failures because special characters are not supported in Mendix UserRole names, while they are valid in Entra group names (https://learn.microsoft.com/en-us/entra/identity/users/groups-naming-policy#prefix-suffix-naming-policy).

Suggestion: do not create temporary objects in the System.UserRole entity for AD groups.

Provide a configurable or standard mapping approach that supports mapping Azure AD groups to existing Mendix roles.


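The mapping approach the post asks for, sketched as an added example that is not part of the Mendix OIDC module or of the post above. It is standalone Python rather than a Mendix Java action, so the shape of the logic is visible without any Mendix API calls. Assumptions, all labelled in the code: the tokens are constructed here and signed with HS256 over a demo secret so the block can verify them offline (real Entra tokens are RS256 and the OIDC module verifies them before any custom microflow runs); the group-to-role table is a hypothetical configuration keyed on Entra group object IDs, which is what the `groups` claim carries by default, so display names with special characters never have to be turned into role names; unknown groups are reported, not created as roles; and the `hasgroups` / `_claim_names` overage indicators documented by Entra are treated as "groups not in token", which a real implementation would resolve via Microsoft Graph.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. Real Entra tokens are RS256-signed; this exists only so
# the example can sign and verify its own tokens offline.
DEMO_SECRET = b"demo-secret-not-for-production"

# Hypothetical configuration: Entra group object ID -> existing Mendix role name.
# Keying on object IDs avoids deriving role names from group display names such as
# "Sales & Marketing (EMEA)", which are valid in Entra but not as UserRole names.
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Administrator",
    "22222222-2222-2222-2222-222222222222": "SalesUser",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the example has something to parse."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str) -> dict:
    """Reject anything that is not a correctly signed demo token before reading claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def roles_from_id_token(id_token: str) -> dict:
    """Map the ID token's groups claim onto existing roles.

    Returns {"roles": [...], "unmapped": [...], "overage": bool}. Unknown groups are
    listed in "unmapped" and never become roles. "overage" is set when Entra omitted
    the groups claim because the user is in too many groups (assumed indicators:
    "hasgroups" or "_claim_names" containing "groups"); the caller must then fetch
    group membership from Microsoft Graph instead of assigning nothing silently.
    """
    claims = verify_and_decode(id_token)
    if "groups" not in claims:
        overage = bool(claims.get("hasgroups")) or "groups" in claims.get("_claim_names", {})
        return {"roles": [], "unmapped": [], "overage": overage}
    groups = claims["groups"]
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list")
    roles, unmapped = [], []
    for group_id in groups:
        role = GROUP_TO_ROLE.get(group_id)
        if role is None:
            unmapped.append(group_id)
        elif role not in roles:
            roles.append(role)
    return {"roles": roles, "unmapped": unmapped, "overage": False}


if __name__ == "__main__":
    # Constructed ID token: two mapped groups plus one that has no role configured.
    id_token = make_demo_token({
        "sub": "user-1",
        "groups": [
            "11111111-1111-1111-1111-111111111111",
            "33333333-3333-3333-3333-333333333333",
            "22222222-2222-2222-2222-222222222222",
        ],
    })
    print(roles_from_id_token(id_token))
    # Constructed access token without a groups claim, the situation described in point 1.
    access_token = make_demo_token({"sub": "user-1", "scp": "user.read"})
    print(roles_from_id_token(access_token))
```

The practical point is that the mapping table, not the token, decides which roles exist; the callback only ever looks up roles that are already present in the model, so an Entra group name with characters Mendix does not accept cannot break the login.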