JWT Role Extraction for WLCG IAM JWT #4599

@taimoorzaeem

Discussed in #4594

Originally posted by merl1n0 January 8, 2026
Hello to all,
I'm trying to derive a role from a WLCG JWT profile token.
The role should be extracted from the wlcg.groups claim, which is defined as an ordered list of group names prepended by a /.
JWT Role Extraction cannot be used directly:

# {"postgrest":{"wlcg.groups": ["/groupa", "/groupb", "/groupa/subgroupa1","/groupa/subgroupa2"]}}
jwt-role-claim-key = ".postgrest.wlcg.groups[0]"

This would return /groupa, instead of groupa.

Is there any way to handle a similar case? (i.e. trim away the first character).

Alternatively, I could extract the role from the scope claim:

"scope": "foo bar role:groupa zoo xywz"

But again that would need an extraction operator more powerful than those currently provided for JWT Role Extraction.

merl1n0:
What I would need in this case would be something like: jwt-role-claim-key = '.postgrest.wlcg.groups[0][1:]', i.e. ltrim('/groupa','/')

taimoorzaeem:
I understand the use case now. I think we can support a slice operator like [1:0] on string values.

steve-chavez:
Yes, agree.
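
The string slice discussed in this thread, sketched as an added example; it is not PostgREST code and does not define the operator's eventual syntax. The path grammar (`.key`, `."quoted key"`, `[n]`, `[start:end]`), the function names `extract_role` and `role_from_scope`, and the sample claims are assumptions made for illustration.

```python
import re

# Constructed sample claims, shaped like the token described in the thread.
CLAIMS = {
    "postgrest": {"wlcg.groups": ["/groupa", "/groupb", "/groupa/subgroupa1"]},
    "scope": "foo bar role:groupa zoo xywz",
}

# One path step: .key, ."quoted key", [index] or [start:end] (string slice).
# This grammar is an assumption of the sketch, not PostgREST's parser.
STEP = re.compile(r'\.(?:"([^"]+)"|(\w+))|\[(\d+)\]|\[(\d*):(\d*)\]')

def extract_role(claims, path):
    """Walk path through claims; return a non-empty string, else None."""
    value, pos = claims, 0
    while pos < len(path):
        m = STEP.match(path, pos)
        if m is None:
            raise ValueError(f"unparsable path at offset {pos}: {path!r}")
        quoted, bare, index, start, end = m.groups()
        key = quoted or bare
        if key is not None:
            if not isinstance(value, dict) or key not in value:
                return None
            value = value[key]
        elif index is not None:
            if not isinstance(value, list) or int(index) >= len(value):
                return None
            value = value[int(index)]
        else:
            if not isinstance(value, str):
                return None  # slicing is defined for strings only
            value = value[int(start) if start else None:int(end) if end else None]
        pos = m.end()
    # Fail closed: an empty or non-string result must never become a role.
    return value if isinstance(value, str) and value else None

def role_from_scope(scope, prefix="role:"):
    """Return the single prefix-tagged scope token, or None if absent/ambiguous."""
    roles = [t[len(prefix):] for t in scope.split() if t.startswith(prefix)]
    return roles[0] if len(roles) == 1 and roles[0] else None

if __name__ == "__main__":
    print(extract_role(CLAIMS, '.postgrest."wlcg.groups"[0][1:]'))  # groupa
    print(role_from_scope(CLAIMS["scope"]))                         # groupa
```

Both helpers return None rather than an empty or ambiguous value, so a token with a bare `/` group or two `role:` entries in its scope does not resolve to a role.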
