feat: add groups_claim support to oidc-auth plugin

Support custom JWT claim-to-groups mapping via groups_claim config.
This allows applications with their own role system (e.g. roles stored
in the app database, not IdP scopes) to leverage gateway-level ACL.

When groups_claim is set, x-auth-consumer-groups is populated from the
specified claim instead of the scope claim. Supports JSON Pointer
(RFC 6901) for nested claims like /realm_access/roles (Keycloak).
Optional groups_claim_separator handles string-valued claims.

Author: ndreno

docs/rulesets/functions/barbacane-validate-middleware-config.js

@@ -167,6 +167,8 @@ const schemas = {
       jwks_refresh_seconds: { type: "integer", minimum: 10 },
       timeout: { type: "number", minimum: 0 },
       allow_query_token: { type: "boolean" },
+      groups_claim: { type: "string" },
+      groups_claim_separator: { type: "string" },
     },
     additionalProperties: false,
   },

plugins/oidc-auth/config-schema.json

@@ -46,6 +46,14 @@
       "type": "boolean",
       "description": "Allow token extraction from the access_token query parameter (RFC 6750 §2.3). Disabled by default — tokens in URLs risk leaking via logs and referer headers.",
       "default": false
+    },
+    "groups_claim": {
+      "type": "string",
+      "description": "JWT claim to extract consumer groups from, replacing scope-based groups. Supports JSON Pointer (RFC 6901) for nested claims (e.g., \"/realm_access/roles\"). A plain name like \"roles\" is treated as \"/roles\"."
+    },
+    "groups_claim_separator": {
+      "type": "string",
+      "description": "Separator for splitting a string-valued groups claim into multiple groups. Only used when the claim value is a string, not a JSON array. If omitted, a string claim is treated as a single group."
     }
   },
   "additionalProperties": false