pub fn extract_groups(
claims: &BTreeMap<String, Value>,
claim_path: &str,
) -> Option<Vec<String>>Expand description
Extracts group names from a JWT’s unknown-claims map.
claim_path may be a bare claim name (e.g. "groups") or a
dot-separated path into nested JSON objects (e.g.
"customClaims.groups"). Keys that contain a literal . are not
reachable; this is a known limitation matching CockroachDB’s
group_claim semantics. Empty path segments (leading/trailing/double
dots, or an empty path) yield None and emit a warn!-level log so
misconfiguration is visible.
Returns None if the claim is absent (skip sync, preserve current state),
Some(vec![]) if the claim is present but empty (revoke all sync-granted
roles), or Some(vec![...]) with deduplicated, sorted group names
(exact case preserved — matching against catalog role names is
case-sensitive).
Accepts arrays of strings, single strings, or mixed arrays (non-string elements are filtered out). Other JSON types are treated as absent.