dont include groups in JWT

2026-04-21 14:54:19 +10:00
parent 35840697fa
commit fb7e9bdca4
3 changed files with 20 additions and 4 deletions
@@ -102,9 +102,10 @@ func (s *JWTService) IssueToken(subject string, roles []string, groups []string)

 	now := s.now().UTC()
 	claims := Claims{
-		Subject:   subject,
-		Roles:     compactTrimmedStrings(roles),
-		Groups:    compactTrimmedStrings(groups),
+		Subject: subject,
+		Roles:   compactTrimmedStrings(roles),
+		// Intentionally omit LDAP groups from JWTs; role claims are sufficient for authorization.
+		Groups:    nil,
 		Issuer:    s.issuer,
 		Audience:  s.audience,
 		IssuedAt:  now.Unix(),
@@ -57,6 +57,21 @@ func TestIssueAndVerifyTokenRoundTrip(t *testing.T) {
 	if issuedClaims.ID == "" {
 		t.Fatal("expected jti to be populated")
 	}
+	if len(issuedClaims.Groups) != 0 {
+		t.Fatalf("expected groups to be omitted from issued claims, got %#v", issuedClaims.Groups)
+	}
+
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		t.Fatalf("expected jwt to have 3 parts, got %d", len(parts))
+	}
+	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		t.Fatalf("failed to decode jwt payload: %v", err)
+	}
+	if strings.Contains(string(payloadJSON), `"groups"`) {
+		t.Fatalf("expected jwt payload to omit groups claim, got payload: %s", string(payloadJSON))
+	}

 	verifiedClaims, err := svc.VerifyToken(token)
 	if err != nil {