dont include groups in JWT

2026-04-21 14:54:19 +10:00
parent 35840697fa
commit fb7e9bdca4
3 changed files with 20 additions and 4 deletions
@@ -102,9 +102,10 @@ func (s *JWTService) IssueToken(subject string, roles []string, groups []string)

 	now := s.now().UTC()
 	claims := Claims{
-		Subject:   subject,
-		Roles:     compactTrimmedStrings(roles),
-		Groups:    compactTrimmedStrings(groups),
+		Subject: subject,
+		Roles:   compactTrimmedStrings(roles),
+		// Intentionally omit LDAP groups from JWTs; role claims are sufficient for authorization.
+		Groups:    nil,
 		Issuer:    s.issuer,
 		Audience:  s.audience,
 		IssuedAt:  now.Unix(),