Add a new Authorize Log Fields option for logging the number of groups
removed during JWT groups filtering. This will be enabled by default.
Additionally, when the log level is Debug (or more verbose), store and
log the IDs of any groups removed during JWT groups filtering.
Change the JWT groups filtering behavior:
- to filter only by group ID (not group name)
- and only for groups sourced from directory sync (groups from a
"groups" claim will not be filtered)
This avoids the need to fetch all group names up front, which should
improve performance in specific circumstances.
Add a new option for filtering to a subset of directory groups in the
Pomerium JWT and Impersonate-Group headers. Add a JWTGroupsFilter field
to both the Options struct (for a global filter) and to the Policy
struct (for per-route filter). These will be populated only from the
config protos, and not from a config file.
If either filter is set, then for each of a user's groups, the group
name or group ID will be added to the JWT groups claim only if it is an
exact string match with one of the elements of either filter.
Make sure to serialize the JWT "groups" claim as an empty list rather
than a JSON null. This matches the behavior of Pomerium v0.27.2 and
earlier, and should provide better compatibility with some third-party
libraries.
