Description
Which version of Microsoft.IdentityModel are you using?
Latest / main
Where is the issue?
- M.IM.JsonWebTokens
- M.IM.KeyVaultExtensions
- M.IM.Logging
- M.IM.ManagedKeyVaultSecurityKey
- M.IM.Protocols
- M.IM.Protocols.OpenIdConnect
- M.IM.Protocols.SignedHttpRequest
- M.IM.Protocols.WsFederation
- M.IM.TestExtensions
- M.IM.Tokens
- M.IM.Tokens.Saml
- M.IM.Validators
- M.IM.Xml
- S.IM.Tokens.Jwt
- Other (please describe)
Is this a new or an existing app?
This app is in production, and I have worked around the issue.
Repro
var your = (code) => here;
Expected behavior
A clear and concise description of what you expected to happen (or code).
Actual behavior
"groups" claim is mapped correctly.
Possible solution
Clone the "group" claim, and change the key to "groups".
Additional context / logs / screenshots / links to code
Both Identity Platform tokens and the official JWT assignments list define "groups", which is not mapped.
Given that "group" is mapped but "groups" is not, and that both "role" and "roles" are defined, this was likely an easily corrected oversight.
Similar instances
There are a few similar cases, though not identical. For example, "clientip" is mapped, but "ipaddr" is referenced by the docs and not mapped.
Work Around
The issue can be worked around, but the code is cumbersome and not intuitive.
```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;

// No need to bind anything, since that's handled automatically from "Authentication:Schemes:Bearer" by `AddJwtBearer`.
builder.Services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme).PostConfigure(options =>
{
    // AddJwtBearer registers a JsonWebTokenHandler in TokenHandlers; reach into it and extend its inbound map.
    var handler = options.TokenHandlers.OfType<JsonWebTokenHandler>().Single();
    handler.InboundClaimTypeMap.Add("groups", "http://schemas.xmlsoap.org/claims/Group");
});
```
Additional Comments
It may be worth noting where the claims being mapped originate from. Perhaps by adding references to the documentation as comments in the class.
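The following is an added, self-contained example (not code from the issue above or from the Microsoft.IdentityModel library) that reproduces the behaviour the report describes without an ASP.NET Core host: it mints a token carrying "roles" and "groups", validates it with JsonWebTokenHandler, and shows that "roles" is renamed through the default InboundClaimTypeMap while "groups" survives untouched until one entry is added to the map. The key, issuer, audience, subject and group identifiers are constructed for the demo; the only assumption about the library is the default mapping the issue itself states ("roles" mapped, "groups" not).

```csharp
// Added example, not part of the original issue or the library.
// Requires the Microsoft.IdentityModel.JsonWebTokens NuGet package.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

static class GroupsClaimMappingDemo
{
    // Constructed demo material only; never reuse a hard-coded symmetric key in production.
    static readonly SymmetricSecurityKey Key =
        new(Encoding.UTF8.GetBytes("demo-only-key-that-is-at-least-32-bytes!"));
    const string Issuer = "https://issuer.example";
    const string Audience = "api://demo";
    const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group"; // same URI the workaround uses

    // Mints a short-lived HS256 token with both a "roles" and a "groups" array claim.
    static string MintToken()
    {
        var handler = new JsonWebTokenHandler();
        return handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256),
            Claims = new Dictionary<string, object>
            {
                ["sub"] = "user-1",
                ["roles"] = new[] { "Reader" },
                ["groups"] = new[] { "group-a", "group-b" }, // constructed group identifiers
            },
        });
    }

    // Validates the token with inbound mapping switched on (as AddJwtBearer does by default)
    // and optionally applies the one-line fix from the workaround.
    static async Task<ClaimsIdentity> ValidateAsync(string token, bool mapGroups)
    {
        var handler = new JsonWebTokenHandler { MapInboundClaims = true };
        if (mapGroups)
            handler.InboundClaimTypeMap["groups"] = GroupClaimType;

        var result = await handler.ValidateTokenAsync(token, new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
        });
        if (!result.IsValid)
            throw result.Exception;
        return result.ClaimsIdentity;
    }

    // Returns the claim types (short or long form) a consumer would have to look up.
    static string Summarize(ClaimsIdentity identity) =>
        $"roles->{identity.HasClaim(ClaimTypes.Role, "Reader")}, " +
        $"short 'groups' present={identity.FindAll("groups").Count()}, " +
        $"long Group present={identity.FindAll(GroupClaimType).Count()}";

    static async Task Main()
    {
        var token = MintToken();

        // Default map: "roles" becomes ClaimTypes.Role, "groups" stays "groups".
        Console.WriteLine("default map : " + Summarize(await ValidateAsync(token, mapGroups: false)));

        // With the extra entry: both group values now appear under the long Group URI.
        Console.WriteLine("groups mapped: " + Summarize(await ValidateAsync(token, mapGroups: true)));
    }
}
```

The practical check this exposes is that any authorization policy written against the long Group URI (for example one ported from a WS-Fed/SAML app) silently matches nothing on an Identity Platform token until the map is extended, because the handler never throws for an unmapped claim. If you would rather not depend on the map at all, the other common approach is to set MapInboundClaims to false and point TokenValidationParameters.RoleClaimType (and your policies) at the short JWT names, which keeps "groups" exactly as the issuer emitted it.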