What's the output of https://yourjenkins/whoAmI/api/xml when accessed with the API token?

My guess is, the group will not be among the authorities.

What security realm is this? LDAP, Active Directory, etc.?

danielbeck Thanks for your response. I use Github Authentication Plugin. 

here is what I got from api

<whoAmI _class='hudson.security.WhoAmI'>
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<name>xxxxxxxx</name>
<toString>org.acegisecurity.providers.UsernamePasswordAuthenticationToken@a3ffddb7: Username: xxxxxxxx; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated</toString>
</whoAmI>

Yep, no group except authenticated pseudo-group among the output.

Log in on the UI and access that URL interactively. What's the output then?

Then try the above (with API token) again. Is the group visible then?

Clearly not matrix-auth's fault.

Group memberships not being correct before the first interactive login might be legitimate, not sure. Jenkins remembers them in that case (JENKINS-20064), which is why I'm asking whether it's different after an interactive login.

I know that you must login through UI first so that Jenkins can pull your groups from Github. After this, the API with token still didn't return user groups. I am not sure which plugin cause this problem, matrix-auth or github-oauth.

matrix-auth doesn't populate groups and is 100% unrelated. That's why I had you provide the whoAmI output.

This is a bug in github-oauth, specifically around https://github.com/jenkinsci/github-oauth-plugin/blob/66ae724ef7bf5b0067447ac7e14a119067c0e631/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java#L400

It is also supposed to fireLoggedIn if logged in via the UI:

http://javadoc.jenkins.io/jenkins/security/SecurityListener.html#loggedIn-java.lang.String-

This is what SecurityListener listens for to populate LastGrantedAuthoritiesProperty (which is what you need for subsequent CLI use).

danielbeck Thanks for your help. I found another issue https://issues.jenkins-ci.org/browse/JENKINS-43822. It talked about the same thing. The solution is using Github access token instead of Jenkin API token. I have tried it with Github token, the API whoAmI can return groups now. I guess it may be a problem related to API token. Thank you again. 

lowry The issue is real even if you found a workaround. A fix is in review.

danielbeck Sorry, I thought you must pass git access token so that it can pull the info from github. 

lowry Solution proposed: store the access token after a successful authentication to Github to populate correctly the future usage of API Token of that user.

Code changed in jenkins
User: Wadeck Follonier
Path:
src/main/java/org/jenkinsci/plugins/GithubAccessTokenProperty.java
src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
src/main/java/org/jenkinsci/plugins/GithubSecretStorage.java
src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java
src/test/java/org/jenkinsci/plugins/GithubSecretStorageTest.java
src/test/java/org/jenkinsci/plugins/api/GihubAPITest.java
http://jenkins-ci.org/commit/github-oauth-plugin/7e13146c96ab607301ee1993c4183569a93da0f7
Log:
JENKINS-47113 Populate the authorities after a successful authentication to Github (#87)

This change stores a GitHub token in a user property for reuse by other
authorization method. Specifically, the token in which the user authorized for
Jenkins to collect consenting through OAuth.

This issue has been fixed and will be available in the next release.

0.29 has been released.