- Improvement
- Resolution: Unresolved
- Major
- None
The documentation says that, when using this plugin, an authenticated request can either carry all the needed information in X-Forwarded-Foo HTTP headers, or it can use an API token. However, the documentation does not explain how the plugin looks up group memberships if an API token is used. Does it not grant membership in any groups at all if you use an API token? Does the API token map to a cached set of groups? If so, is that cache ever updated when the user’s group memberships change? Or is the frontend supposed to somehow query Jenkins to get the user from the API token, then look up the groups for that user and pass them in X-Forwarded-Groups (this seems improbable given that the documentation says that either the API token or the X-Forwarded-Foo headers are used but not both).
This is, of course, if I’m not using LDAP in the plugin (presumably if I am, then the plugin gets the user from the API token and then uses LDAP to find the groups).