oauth2.dev

groups

IETF

Registry Context

This claim carries a user's group memberships for use in JWT access tokens.

Technical Summary

The `groups` JWT claim is registered for authorization information derived from the SCIM User schema. RFC 9068 ties the claim to the SCIM `groups` attribute and points implementations to RFC 7643 for value encoding guidance.

When Used

When an authorization server needs to express resource-owner group memberships or other group-based authorization data in a JWT access token.

Normative Requirements

Authorization servers

SHOULD (2 requirements)
  1. RFC 9068 - Section 2.2.3.1

    use the `groups` attribute of the `User` resource schema defined by RFC7643 as the claim type for such attributes in a JWT access token.

    Condition: when it wants to include such attributes in a JWT access token

    "SHOULD use the 'groups' ... attributes of the 'User' resource schema"

  2. RFC 9068 - Section 2.2.3.1

    encode the corresponding claim values according to the guidance defined in RFC7643.

    Condition: when it includes corresponding claim values in a JWT access token

    "SHOULD encode the corresponding claim values according to the guidance defined in [RFC7643]"

Validation Guidance

Info: Verify that any `groups` claim present in a JWT access token is used for authorization-related group membership data rather than unrelated identity data.

Warning: Ensure claim values follow the encoding guidance in RFC7643 when the claim is emitted.
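As an added example (not from oauth2.dev or the RFCs), the resource-server-side check that the two guidance items above call for: the `groups` claim of an already signature-verified payload is accepted only in the RFC 7643 Section 4.1.2 shape (a list of complex values with `value`, `$ref`, `display`, `type`), and the resulting identifiers feed the authorization decision. The payload and group identifiers are constructed.

```python
from typing import Any

# Canonical values of the `type` sub-attribute of SCIM User.groups (RFC 7643 4.1.2).
GROUP_TYPES = {"direct", "indirect"}
# Sub-attributes RFC 7643 defines for User.groups; anything else means the claim
# was not encoded as RFC 9068 Section 2.2.3.1 recommends.
GROUP_SUBATTRS = {"value", "$ref", "display", "type"}


class GroupsClaimError(ValueError):
    """The `groups` claim is missing or not shaped like the SCIM attribute."""


def parse_groups_claim(payload: dict[str, Any]) -> frozenset[str]:
    """Return the group identifiers (`value` sub-attributes) from a decoded payload.

    Only the RFC 7643 complex multi-valued form is accepted: a bare list of
    strings, a single string, or entries with unknown sub-attributes raise, so
    the resource server never authorizes on data the authorization server did
    not encode as SCIM group membership. Signature, iss, aud and exp checks are
    assumed to have been done before this function is called.
    """
    groups = payload.get("groups")
    if not isinstance(groups, list):
        raise GroupsClaimError("groups claim must be a JSON array")
    ids: set[str] = set()
    for i, entry in enumerate(groups):
        if not isinstance(entry, dict):
            raise GroupsClaimError(f"groups[{i}] is not a SCIM complex value")
        unknown = set(entry) - GROUP_SUBATTRS
        if unknown:
            raise GroupsClaimError(f"groups[{i}] has unknown sub-attributes {sorted(unknown)}")
        value = entry.get("value")
        if not isinstance(value, str) or not value:
            raise GroupsClaimError(f"groups[{i}].value must be a non-empty string")
        if "type" in entry and entry["type"] not in GROUP_TYPES:
            raise GroupsClaimError(f"groups[{i}].type must be 'direct' or 'indirect'")
        ids.add(value)
    return frozenset(ids)


def is_member(payload: dict[str, Any], group_id: str) -> bool:
    """Authorization decision: does the token assert membership in group_id?"""
    return group_id in parse_groups_claim(payload)


# Constructed payload (not a real token): two SCIM-shaped group entries.
SAMPLE_PAYLOAD = {
    "iss": "https://as.example", "sub": "user-42", "aud": "https://rs.example",
    "groups": [
        {"value": "grp-123", "display": "Platform Admins", "type": "direct"},
        {"value": "grp-456", "display": "All Staff", "type": "indirect"},
    ],
}
```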

Reference

Details

Entry Id: groups
Claim Name: groups
Claim Description: Groups
Change Controller: IETF
Reference: RFC7643 - Section 4.1.2, RFC9068 - Section 2.2.3.1