@david How hard do you think this is to do for someone who hasn’t written plugins? Is it as simple as fetching by name, the groups that come from the JWT, from discourse and assigning the query result (of the group objects) to user.groups? I’ve some familiarity with the plugin (simple as it is) and might be able to do this.
Also, should I even bother with this? If I have a JWT in hand can I authenticate through OpenID Connect?
It depends how you want it to work… you probably want to be able to create normal groups in Discourse as well, without the JWT randomly removing members from them. In our native Discourse SSO system, we solve this with two parameters: “add groups”, and “remove groups”.
In the JWT plugin, you would probably add this logic in the after_authenticate function of the authenticator. Make sure you call super, and return its response, so all the existing stuff still works correctly. An example of that kind of override is here