oauth2.dev

groups

IETF

Registry Context

This claim carries a resource owner's group memberships as authorization information in a JWT access token.

Technical Summary

The `groups` JWT claim corresponds to the `groups` attribute of the SCIM User resource schema. RFC 9068 specifies its use as a claim type for authorization attributes and directs authorization servers to encode its values according to RFC 7643.

When Used

When an authorization server includes resource-owner group memberships relevant to the resource being accessed in a JWT access token.

Normative Requirements

Authorization servers

SHOULD
2
  1. RFC 9068 - Section 2.2.3.1

    use the `groups` attribute of the User resource schema defined by RFC 7643 as a claim type.

    Condition: when wanting to include such authorization attributes in a JWT access token

    “SHOULD use the "groups", "roles", and "entitlements" attributes ... as claim types”

  2. RFC 9068 - Section 2.2.3.1

    encode the corresponding claim values according to the guidance defined in RFC 7643.

    Condition: when encoding the corresponding authorization claim values

    “SHOULD encode the corresponding claim values according to the guidance defined in [RFC7643]”

Validation Guidance

warning

When resource-owner group memberships are included as authorization attributes in a JWT access token, verify that the `groups` claim type is used.

warning

Verify that an emitted `groups` claim value follows the encoding guidance in RFC 7643.

Reference

Details

Entry Id
groups
Claim Name
groups
Claim Description
Groups
Change Controller
IETF
Reference
RFC7643 - Section 4.1.2, RFC9068 - Section 2.2.3.1