groups
Registry Context
This claim carries a resource owner's group memberships as authorization information in a JWT access token.
Technical Summary
The `groups` JWT claim corresponds to the `groups` attribute of the SCIM User resource schema. RFC 9068 specifies its use as a claim type for authorization attributes and directs authorization servers to encode its values according to RFC 7643.
When Used
When an authorization server includes resource-owner group memberships relevant to the resource being accessed in a JWT access token.
Normative Requirements
Authorization servers
RFC 9068 - Section 2.2.3.1
use the `groups` attribute of the User resource schema defined by RFC 7643 as a claim type.
Condition: when wanting to include such authorization attributes in a JWT access token
“SHOULD use the "groups", "roles", and "entitlements" attributes ... as claim types”
RFC 9068 - Section 2.2.3.1
encode the corresponding claim values according to the guidance defined in RFC 7643.
Condition: when encoding the corresponding authorization claim values
“SHOULD encode the corresponding claim values according to the guidance defined in [RFC7643]”
Validation Guidance
When resource-owner group memberships are included as authorization attributes in a JWT access token, verify that the `groups` claim type is used.
Verify that an emitted `groups` claim value follows the encoding guidance in RFC 7643.
Reference
Details
- Entry Id
groups- Claim Name
groups- Claim Description
Groups- Change Controller
IETF- Reference
RFC7643 - Section 4.1.2, RFC9068 - Section 2.2.3.1