From d96edd4656de025cdb7c5581ed041868c1005b1d Mon Sep 17 00:00:00 2001
From: Henry Avetisyan
Date: Tue, 2 May 2023 13:56:03 -0700
Subject: [PATCH] for id tokens with group scope always use full arns (#2157)
---
 servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java | 2 +-
 .../zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
index 6d50e93af69..c1efe1c97a7 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
@@ -2012,7 +2012,7 @@ public Response getOIDCResponse(ResourceContext ctx, String responseType, String
         List idTokenGroups = null;
         if (tokenRequest.isGroupsScope()) {
-            idTokenGroups = processIdTokenGroups(principalName, tokenRequest, domainName, fullArn,
+            idTokenGroups = processIdTokenGroups(principalName, tokenRequest, domainName, true,
                     principalDomain, caller);
         } else if (tokenRequest.isRolesScope()) {
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
index b88cba60a48..0043fa57dba 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
@@ -13488,8 +13488,8 @@ public void testGetOIDCResponseGroups() {
         List userGroups = (List) claims.getBody().get("groups");
         assertNotNull(userGroups);
         assertEquals(userGroups.size(), 2);
-        assertTrue(userGroups.contains("dev-team"));
-        assertTrue(userGroups.contains("pe-team"));
+        assertTrue(userGroups.contains("coretech:group.dev-team"));
+        assertTrue(userGroups.contains("coretech:group.pe-team"));
         // get only one of the groups and include state
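Review bot: The bare `true` that replaces `fullArn` in the `processIdTokenGroups` call gives no hint of why group claims now ignore the caller's ARN preference, while the roles branch on the next line presumably still honours `fullArn`. A why-comment above the call would record the contract, e.g. `// group claims are always emitted as full ARNs (domain:group.name) so the same short group name in two domains cannot be confused by a relying party`. If this was the last read of the `fullArn` local it should be removed to avoid an unused-variable warning, but getOIDCResponse starts and ends outside the hunk so I cannot tell whether the roles branch still uses it. Relying parties that matched on bare group names will see a different claim value after this change, which deserves a line in the release notes.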
@@ -13516,7 +13516,7 @@ public void testGetOIDCResponseGroups() {
         userGroups = (List) claims.getBody().get("groups");
         assertNotNull(userGroups);
         assertEquals(userGroups.size(), 1);
-        assertTrue(userGroups.contains("dev-team"));
+        assertTrue(userGroups.contains("coretech:group.dev-team"));
         // requesting a group that the user is not part of