When a client in RHSSO is created by registration, the resulting JWT it will emit after authenticating a user does not contain the user's groups. This means we can use RHSSO to authenticate, but not authorize.
To cause it to emit groups, one needs to create a "custom mapper" as part of the client, but I don't think that can be done during a registration REST call (?).
We need to revisit how users could achieve authorization with an RHSSO client. Might be making a different REST call, finding a way to do a realm-scoped custom mapper, or seeing if there's new function in a future RHSSO operator.
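Added example (not part of the original issue, and not the project's code): a fail-closed authorization check that distinguishes "token has no groups claim" from "user is not in the group", plus the mapper body for the "different REST call" option. It assumes Keycloak's built-in `oidc-group-membership-mapper` and the admin endpoint `POST /admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models`, which RHSSO inherits from Keycloak; the claim name `groups`, the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

GROUPS_CLAIM = "groups"  # assumption: claim name chosen for this example

def group_mapper_representation(claim_name=GROUPS_CLAIM):
    """Body for the admin protocol-mappers/models call on an existing client."""
    return {
        "name": "groups",  # hypothetical mapper name
        "protocol": "openid-connect",
        "protocolMapper": "oidc-group-membership-mapper",
        "config": {
            "claim.name": claim_name,
            "full.path": "false",  # emit "ops" rather than "/ops"
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }

def jwt_claims(token):
    """Decode the payload segment only; verify the signature first in real code."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize(claims, required_group, claim_name=GROUPS_CLAIM):
    """Fail closed: a token without a groups claim authorizes nothing."""
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        return False, "no groups claim: client has no group mapper"
    if required_group in groups:
        return True, "member"
    return False, "not a member"

def constructed_token(claims):
    """Build a sample token with a placeholder signature (constructed, not from RHSSO)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"

if __name__ == "__main__":
    user = {"sub": "u1", "preferred_username": "alice"}
    samples = {"registered client": user, "with mapper": {**user, "groups": ["ops"]}}
    for label, claims in samples.items():
        print(label, authorize(jwt_claims(constructed_token(claims)), "ops"))
    print(json.dumps(group_mapper_representation(), indent=2))
```
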