I am having trouble getting group claims in an access token which are IDs rather than names.
My use case is that I am building a customer access control system, and want to tie groups to Role Based Access Control through the JWT. I want RBAC bindings to use IDs rather than names so the group names can change without breaking RBAC assignments. Round trips during authorization in back end microservices to convert names to IDs would add too much latency.
I have a couple of existing group claims, like
- groups: matches regex `^(?!(ACCT#U#|ACCT#CG#|ORG#).$).`
How can I do something similar, but return an array of group IDs rather than an array of group name strings?