- Feature Request
- Resolution: Done
- Major
- None
1. Proposed title of this feature request
openid use claim as groups
2. What is the nature and description of the request?
Kubernetes supports the --oidc-groups-claim [1] parameter: the JWT claim to use as the user's groups. If the claim is present, it must be an array of strings.
Doc [2] says we can specify a custom claim, and I am interested in whether we allow the same feature as the GroupsClaim:
if specified, causes the OIDCAuthenticator to try to populate the user's groups with an ID Token field. If the GroupsClaim field is present in an ID Token, the value must be a string or list of strings.
So it would be possible to add the following to the apiServerArguments section of master-config.yaml:

```yaml
oidc-groups-claim:
- role
```

to benefit from the Kubernetes --oidc-groups-claim [1] parameter and have the user's groups populated automatically.
If so, a separate process to synchronize groups with our Active Directory would no longer be mandatory.
[1] https://v1-11.docs.kubernetes.io/docs/reference/access-authn-authz/authentication/
[2] https://docs.openshift.com/container-platform/3.11/install_config/configuring_authentication.html#OpenID
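To make the two claim rules quoted above concrete, here is an added example (not code from Kubernetes, OpenShift, or this request) that maps a groups claim such as `role` from an ID Token payload to a group list, rejecting a claim of the wrong type. The `strict` flag, the `EncodeClaims` helper and the sample tokens are assumptions made for the demo; the helper builds unsigned tokens only so the example runs offline, and a real authenticator verifies the signature before reading claims.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// EncodeClaims builds a constructed, unsigned "header.payload." token for the demo only.
func EncodeClaims(claims map[string]interface{}) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

// GroupsFromIDToken maps the JWT claim named groupsClaim to a group list.
// strict=true follows the Kubernetes --oidc-groups-claim rule (if present, the
// claim must be an array of strings); strict=false also accepts a lone string,
// as the OpenShift GroupsClaim rule does. Hypothetical helper, not the real API.
func GroupsFromIDToken(idToken, groupsClaim string, strict bool) ([]string, error) {
	var claims map[string]interface{}
	if parts := strings.Split(idToken, "."); len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	} else if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	} else if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	raw, present := claims[groupsClaim]
	if !present {
		return nil, nil // claim absent: the user simply gets no groups
	}
	if s, ok := raw.(string); ok && !strict {
		return []string{s}, nil // lone string, accepted only in non-strict mode
	}
	list, ok := raw.([]interface{})
	if !ok {
		return nil, fmt.Errorf("claim %q must be an array of strings, got %T", groupsClaim, raw)
	}
	groups := make([]string, 0, len(list))
	for _, e := range list {
		s, ok := e.(string)
		if !ok {
			return nil, fmt.Errorf("claim %q has non-string element %v", groupsClaim, e)
		}
		groups = append(groups, s)
	}
	return groups, nil
}
```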
3. Why does the customer need this? (List the business requirements here)
We want to centralize in our ADFS the way groups/roles are retrieved for a user, and provide them in the JWT token as claims.
This offers better abstraction than querying one specific Active Directory directly.