Create external group names claim in token builder directly

scm-webapp/src/main/java/sonia/scm/api/v2/resources/AuthenticationResource.java

@@ -8,7 +8,6 @@ import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.subject.Subject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import sonia.scm.group.GroupNames;
 import sonia.scm.security.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -92,11 +91,6 @@ public class AuthenticationResource {
         tokenBuilder.scope(Scope.valueOf(authentication.getScope()));
       }
 
-      GroupNames groupNames = subject.getPrincipals().oneByType(GroupNames.class);
-      if (groupNames != null && groupNames.isExternal()) {
-        tokenBuilder.groups(groupNames.getCollection().toArray(new String[]{}));
-      }
-
       AccessToken token = tokenBuilder.build();
 
       if (authentication.isCookie()) {

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java

@@ -50,6 +50,7 @@ import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import sonia.scm.group.GroupNames;
 
 /**
  * Jwt implementation of {@link AccessTokenBuilder}.
@@ -207,6 +208,12 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
 
     if (!groups.isEmpty()) {
       claims.put(JwtAccessToken.GROUPS_CLAIM_KEY, groups);
+    } else {
+      Subject currentSubject = SecurityUtils.getSubject();
+      GroupNames groupNames = currentSubject.getPrincipals().oneByType(GroupNames.class);
+      if (groupNames != null && groupNames.isExternal()) {
+        claims.put(JwtAccessToken.GROUPS_CLAIM_KEY, groupNames.getCollection().toArray(new String[]{}));
+      }
     }
 
     // sign token and create compact version