dont include groups in JWT

internal/auth/jwt.go

@@ -104,7 +104,8 @@ func (s *JWTService) IssueToken(subject string, roles []string, groups []string)
 	claims := Claims{
 		Subject: subject,
 		Roles:   compactTrimmedStrings(roles),
-		Groups:    compactTrimmedStrings(groups),
+		// Intentionally omit LDAP groups from JWTs; role claims are sufficient for authorization.
+		Groups:    nil,
 		Issuer:    s.issuer,
 		Audience:  s.audience,
 		IssuedAt:  now.Unix(),

internal/auth/jwt_test.go

@@ -57,6 +57,21 @@ func TestIssueAndVerifyTokenRoundTrip(t *testing.T) {
 	if issuedClaims.ID == "" {
 		t.Fatal("expected jti to be populated")
 	}
+	if len(issuedClaims.Groups) != 0 {
+		t.Fatalf("expected groups to be omitted from issued claims, got %#v", issuedClaims.Groups)
+	}
+
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		t.Fatalf("expected jwt to have 3 parts, got %d", len(parts))
+	}
+	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		t.Fatalf("failed to decode jwt payload: %v", err)
+	}
+	if strings.Contains(string(payloadJSON), `"groups"`) {
+		t.Fatalf("expected jwt payload to omit groups claim, got payload: %s", string(payloadJSON))
+	}
 
 	verifiedClaims, err := svc.VerifyToken(token)
 	if err != nil {

server/handler/auth.go

@@ -217,7 +217,7 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
 	if subject == "" {
 		subject = username
 	}
-	token, claims, err := jwtSvc.IssueToken(subject, roles, identity.Groups)
+	token, claims, err := jwtSvc.IssueToken(subject, roles, nil)
 	if err != nil {
 		h.Logger.Error("failed to issue auth token", "username", username, "error", err)
 		audit.LogAuthEvent(h.Logger, r, "login", "error", "reason", "token_issue_failed", "username", username, "error", err)