Explain me, how to solve the problem more correctly when there are many clients in one realm, and for each clients need mapping of user groups.
But for each client need to return only groups of user relevant for client.
I’m guessing the options are:
1 - separate realms for each client
1.1 - with personalized mapping for exporting groups from the federation (ldap)
1.2 - but then there may be difficulties with “seamless authentication” of users in different applications; will cause additional difficulties in registering with third-party IDPs (Google / Facebook / etc.)
2 - a separate realm for third-party IDPs (google / facebook / etc.)
2.1 - separate realms for each client - each of which will have 1 IDP (which will be the aforementioned realm with third-party IDPs) - with personalized mapping for exporting groups from the federation (ldap).
Regarding the large JWT token - if use mapping all user groups - this one can cause problems for some users with a large number of groups - in attempts users auth - browsers cut part of token - and auth end with failure…