
Selective JWT Group Claims

April 2, 2025

Tired of bloated JWTs or exposing too much group information? Pomerium v0.29.0 gives you control over which user groups get embedded in the JWT that it mints for upstream services. By including only the groups you care about, you can slim down tokens and limit what data gets shared. Highlights:

  • Trim down token size – Some users belong to hundreds of groups, which can make the JWT payload large enough to exceed application and server header limits. Now you can include just a subset of groups (for instance, only groups used in policy checks or with a certain prefix), which keeps the token under header size limits and improves performance.

  • Per-route or global settings – Set a global default filter for JWT group claims, and override it on specific routes as needed. This flexibility lets you expose broad group info to services that need it, while limiting it for others.

  • Privacy by design – Only divulge the group context that’s necessary. Internal apps don’t get a long list of every group a user is in—just the ones you’ve deemed relevant.

  • Simpler downstream logic – Upstream applications no longer have to handle extraneous group data. They can trust that the groups claim in the JWT is already curated to what they expect, making authorization checks more straightforward.

In short, this feature helps you send cleaner, leaner JWTs to your services without sacrificing the rich identity context Pomerium provides. It’s especially handy for organizations with complex directory structures, ensuring that Pomerium’s tokens stay efficient and purposeful.
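
The effect on token size, as an added sketch that is not Pomerium's code or configuration: it models a global group filter with a per-route override and measures the base64url-encoded claims segment against a header budget. The override semantics (a route filter replaces the global one), the group names, the user, and the 8 KiB budget are assumptions made for illustration.

```python
import base64
import json

# Constructed sample data: a user in 300 directory groups plus three that matter.
USER_GROUPS = [f"group-{i:03d}@example.com" for i in range(300)] + [
    "eng-admins", "eng-oncall", "finance-readers"]
GLOBAL_FILTER = ["eng-admins", "eng-oncall"]   # hypothetical global default
ROUTE_FILTER = ["finance-readers"]             # hypothetical per-route override
HEADER_BUDGET = 8192                           # assumed 8 KiB header limit


def select_groups(user_groups, global_filter=None, route_filter=None):
    """Return the groups to embed; a route filter replaces the global one (assumed)."""
    active = route_filter if route_filter is not None else global_filter
    if active is None:              # no filter configured: every group is embedded
        return list(user_groups)
    allowed = set(active)
    return [g for g in user_groups if g in allowed]


def payload_size(groups, sub="user-1234", email="alice@example.com"):
    """Bytes the base64url-encoded claims segment adds to the header value."""
    claims = {"sub": sub, "email": email, "groups": groups}
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(raw).rstrip(b"="))


def report():
    """Compare unfiltered, globally filtered and route-filtered claims."""
    cases = {
        "unfiltered": select_groups(USER_GROUPS),
        "global": select_groups(USER_GROUPS, GLOBAL_FILTER),
        "route": select_groups(USER_GROUPS, GLOBAL_FILTER, ROUTE_FILTER),
    }
    return {name: (len(g), payload_size(g), payload_size(g) <= HEADER_BUDGET)
            for name, g in cases.items()}


if __name__ == "__main__":
    for name, (count, size, fits) in report().items():
        print(f"{name:10s} groups={count:3d} payload={size:5d}B fits={fits}")
```

The measured size covers only the claims segment; the JWT header and signature add to it, so a real token crosses a header limit sooner than this figure suggests.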
