Open
Description
If a user authenticates with the fulfillment-service but has an empty groups claim ([]), they should be denied when attempting to create any objects in the service. Currently, objects are being created with no tenant.
Example claim:
```json
{
  "exp": 1762360374,
  "iat": 1762360074,
  "jti": "67961d08-4a24-1a23-935b-25ae438ac570",
  "iss": "https://keycloak.innabox/realms/innabox",
  "aud": "adam",
  "sub": "4897e725-7e55-4422-becd-d89ca6c5efcf",
  "typ": "ID",
  "azp": "adam",
  "sid": "4bd972a8-6bed-40f1-a86e-9addff00d10b",
  "acr": "1",
  "email_verified": false,
  "groups": [],
  "username": "service-account-test"
}
```
Creating cluster
```
$ fulfillment-cli login --insecure --oauth-client-id test --oauth-flow credentials --oauth-client-secret <secret> api.innabox:443
$ fulfillment-cli get clusters
There are no objects maching the given criteria.
$ fulfillment-cli create cluster --template ocp_4_17_small
Created cluster '019a54cb-cfdb-787b-b4a3-7d27933b250b'.
$ fulfillment-cli get clusters
There are no objects maching the given criteria.
$ fulfillment-cli login --insecure --oauth-client-id admin --oauth-flow credentials --oauth-client-secret <secret> --private api.innabox:443
$ fulfillment-cli get private.v1.Cluster 019a54cb-cfdb-787b-b4a3-7d27933b250b
ID NAME TEMPLATE STATE HUB API URL CONSOLE URL
019a54cb-cfdb-787b-b4a3-7d27933b250b - ocp_4_17_small UNSPECIFIED - -
$ fulfillment-cli get private.v1.Cluster 019a54cb-cfdb-787b-b4a3-7d27933b250b -o json | jq -r .metadata
{
  "creation_timestamp": "2025-11-05T16:13:54.523061Z",
  "creators": [
    "service-account-test"
  ]
}
```
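Added example, not part of the original issue and not the fulfillment-service's own code: a fail-closed check in Go that refuses a create request when the `groups` claim is missing, null, empty, of the wrong type, or contains only blank strings. It assumes the token signature and expiry were already verified and that tenants are derived from group names; `TenantsForCreate` and `ErrNoTenant` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrNoTenant is returned when a token carries no usable group.
var ErrNoTenant = errors.New("permission denied: token has no groups, so no tenant can be assigned")

// claims holds only the field this check needs from an already verified token payload.
type claims struct {
	Groups []string `json:"groups"`
}

// TenantsForCreate (hypothetical helper) maps the groups claim to tenants
// (assumption: one tenant per group) and fails closed when nothing usable is present.
func TenantsForCreate(payload []byte) ([]string, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		// A groups claim of the wrong type (for example a bare string) is also a denial.
		return nil, fmt.Errorf("permission denied: malformed claims: %w", err)
	}
	var tenants []string
	for _, g := range c.Groups {
		if g = strings.TrimSpace(g); g != "" {
			tenants = append(tenants, g)
		}
	}
	if len(tenants) == 0 {
		// Covers a missing claim, null, [] and lists of blank strings.
		return nil, ErrNoTenant
	}
	return tenants, nil
}

// Constructed sample payloads; the first mirrors the relevant fields of the claim in the issue.
const emptyGroups = `{"sub":"4897e725-7e55-4422-becd-d89ca6c5efcf","groups":[],"username":"service-account-test"}`
const withGroups = `{"sub":"constructed-subject","groups":["team-a"],"username":"constructed-user"}`

func main() {
	for _, p := range []string{emptyGroups, withGroups} {
		tenants, err := TenantsForCreate([]byte(p))
		fmt.Printf("tenants=%v err=%v\n", tenants, err)
	}
}
```

Running the check before the object is persisted means a request like the one above is rejected instead of producing a cluster with no tenant.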