We are trying to use FusionAuth as the OIDC provider for our Kubernetes cluster. Kubernetes currently authorizes users based on either the username or a group name associated with the user. (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
We are creating FusionAuth groups to list all the users who have access to the cluster. However, I am not able to figure out how to make the JWT token contain the list of groups, which I can then ask Kubernetes to read using the flag --oidc-groups-claim.
I saw that the user object has the list of group ids; however, I need the list of group names. And if I understand correctly from this issue (https://github.com/FusionAuth/fusionauth-issues/issues/267), we can't even fetch the name from the id using an API call. All other OIDC providers like Okta and Auth0 have the concept of a groups claim.
Is my understanding above correct or am I missing something? Would love to get past this, since otherwise we will have to give up on using FusionAuth for our Kubernetes cluster. And OIDC with Kubernetes is a pretty generic use case. One solution I could think of is to have roles on my end and then convert it to groups claim in the JWT lambda, but it sounds like a dirty hack.
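As an added illustration (not part of the original post and not FusionAuth's or Kubernetes' own code), the roles-to-groups-claim approach mentioned above, written as a FusionAuth JWT populate lambda, next to a helper that mirrors how kube-apiserver interprets the resulting claim under `--oidc-groups-claim` and `--oidc-groups-prefix`. The `populate(jwt, user, registration)` signature is FusionAuth's documented JWT populate lambda signature; the `k8s-` role-naming convention, the `oidc:` prefix and the sample user and roles are assumptions constructed for the example.

```javascript
// Added example: FusionAuth JWT populate lambda that exports application roles
// as a "groups" claim, plus a consumer-side check that mirrors kube-apiserver.
// ES5 syntax is used on purpose so the lambda body also runs in FusionAuth's
// embedded JavaScript engine.

// Assumption: only roles named "k8s-<group>" are meant for the cluster, so
// unrelated application roles (e.g. billing) never turn into cluster groups.
var CLUSTER_ROLE_PREFIX = 'k8s-';

// FusionAuth JWT populate lambda: mutate `jwt` to add claims.
// `registration.roles` is the user's role list for the application the token
// is issued for. The claim name must match --oidc-groups-claim=groups.
function populate(jwt, user, registration) {
  var roles = (registration && registration.roles) ? registration.roles : [];
  var groups = [];
  for (var i = 0; i < roles.length; i++) {
    var role = roles[i];
    if (typeof role === 'string' && role.indexOf(CLUSTER_ROLE_PREFIX) === 0) {
      groups.push(role.substring(CLUSTER_ROLE_PREFIX.length));
    }
  }
  groups.sort();          // deterministic order makes audit logs easier to read
  jwt.groups = groups;    // always present, even if empty, so "no groups" is explicit
}

// Mirrors kube-apiserver's handling of the groups claim: the claim must be a
// string or an array of strings (anything else is rejected), and
// --oidc-groups-prefix is prepended to every value so OIDC-sourced groups can
// never collide with built-in groups such as system:masters.
function kubernetesGroups(claims, groupsClaim, groupsPrefix) {
  var raw = claims[groupsClaim];
  if (raw === undefined) {
    return [];
  }
  var values;
  if (typeof raw === 'string') {
    values = [raw];
  } else if (Array.isArray(raw)) {
    values = raw;
  } else {
    throw new Error('groups claim "' + groupsClaim + '" must be a string or an array of strings');
  }
  var out = [];
  for (var i = 0; i < values.length; i++) {
    if (typeof values[i] !== 'string') {
      throw new Error('groups claim "' + groupsClaim + '" must contain only strings');
    }
    out.push((groupsPrefix || '') + values[i]);
  }
  return out;
}

// Constructed sample input: what FusionAuth would hand to the lambda for a
// user registered in the cluster application with three roles.
function demo() {
  var jwt = { sub: 'constructed-user-id', email: 'alice@example.com' };
  var user = { id: 'constructed-user-id', email: 'alice@example.com' };
  var registration = { roles: ['k8s-cluster-admins', 'billing-viewer', 'k8s-developers'] };
  populate(jwt, user, registration);
  return {
    claimGroups: jwt.groups,                               // ["cluster-admins", "developers"]
    k8sGroups: kubernetesGroups(jwt, 'groups', 'oidc:')    // ["oidc:cluster-admins", "oidc:developers"]
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With a prefix configured, RBAC bindings on the cluster side refer to the prefixed names (for example a `ClusterRoleBinding` subject of kind `Group` named `oidc:developers`), and the prefix guarantees that a token issuer can never mint a membership in a built-in group.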