Need to handle groups, too. Basically, we need to recreate the whole token from the identity assertion on forward. Otherwise we will have the same issue when a user is removed from a group, the token will have a role on it that is no longer valid.
This is never going to work for Federation, as we will not be able to check at token validation time.
Need to handle groups, too. Basically, we need to recreate the whole token from the identity assertion on forward. Otherwise we will have the same issue when a user is removed from a group, the token will have a role on it that is no longer valid.
This is never going to work for Federation, as we will not be able to check at token validation time.