Authentik groups follow grp-{service}-{role}. Apps with claim-name-based
group sync (Wiki.js, GitLab, etc.) get a corresponding group with the
exact same name as the Authentik group; permissions are configured on
the application side. Property mapping OAuth Mapping: groups (per-app group names) emits all of a user's group names as a top-level groups
claim, so apps see every group the user is in.