From 4ade1b6ea4b3c799b0bfa2443759f0c1643817d5 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Mon, 2 Feb 2026 17:13:48 +0100
Subject: [PATCH 1/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../che/DashboardRedirectionFilterTest.java   |   9 +-
 assembly/assembly-wsmaster-war/pom.xml        |   6 +-
 .../che/api/deploy/WsMasterModule.java        |  70 ++++++-----
 .../che/api/deploy/WsMasterServletModule.java |  40 +++---
 .../WEB-INF/classes/che/multiuser.properties  |  14 ++-
 .../eclipse/che/commons/subject/Subject.java  |  13 +-
 .../che/commons/subject/SubjectImpl.java      |  20 ++-
 .../core/rest/DefaultHttpJsonRequestTest.java |   5 +-
 .../commons/env/EnvironmentContextTest.java   |   7 +-
 ...ernetesPersonalAccessTokenManagerTest.java |  52 ++++++--
 .../KubernetesEnvironmentProvisioner.java     |   2 +-
 .../kubernetes/KubernetesInfraModule.java     |   5 +-
 .../authorization/AuthorizationChecker.java   |   5 +-
 .../KubernetesAuthorizationCheckerImpl.java   |  48 --------
 ...ubernetesOIDCAuthorizationCheckerImpl.java |  76 ++++++++++++
 .../namespace/KubernetesNamespaceFactory.java |  12 +-
 .../KubernetesEnvironmentProvisionerTest.java |   2 +-
 .../KubernetesNamespaceServiceTest.java       |   5 +-
 .../KubernetesAuthorizationCheckerTest.java   | 115 ++++++++++++++++--
 ...DockerRegistryCredentialsProviderTest.java |   6 +-
 ...bernetesOidcProviderConfigFactoryTest.java |   6 +-
 .../KubernetesNamespaceFactoryTest.java       |  26 ++--
 .../provision/GitConfigProvisionerTest.java   |   5 +-
 .../OpenShiftEnvironmentProvisioner.java      |   2 +-
 .../openshift/OpenShiftInfraModule.java       |   5 +-
 .../OpenShiftAuthorizationCheckerImpl.java    |   6 +-
 .../OpenshiftTokenInitializationFilter.java   |   6 +-
 .../project/OpenShiftProjectFactory.java      |   4 +-
 .../OpenShiftEnvironmentProvisionerTest.java  |   2 +-
 .../OpenShiftAuthorizationCheckerTest.java    |  42 ++++---
 .../project/OpenShiftProjectFactoryTest.java  |  24 ++--
 ...erEnvironmentInitializationFilterTest.java |  12 +-
 .../permission/server/AuthorizedSubject.java  |   8 +-
 .../api/OrganizationManagerTest.java          |   5 +-
 .../api/OrganizationServiceTest.java          |   7 +-
 ...ycloakEnvironmentInitializationFilter.java |   7 +-
 .../server/MachineLoginFilter.java            |   5 +-
 .../server/MachineLoginFilterTest.java        |   3 +-
 .../server/MachineTokenRegistryTest.java      |   2 +
 multiuser/oidc/pom.xml                        |  10 +-
 .../che/multiuser/oidc/OIDCInfoProvider.java  |   5 +-
 .../filter/OidcTokenInitializationFilter.java |  59 ++++++---
 .../OidcTokenInitializationFilterTest.java    |  92 ++++++++------
 .../devfile/server/TestObjectGenerator.java   |   5 +-
 .../devfile/server/TestObjectGenerator.java   |   5 +-
 ...eDevOpsPersonalAccessTokenFetcherTest.java |   7 +-
 ...tServerPersonalAccessTokenFetcherTest.java |   5 +-
 .../BitbucketServerUserDataFetcherTest.java   |   6 +-
 ...tbucketPersonalAccessTokenFetcherTest.java |  11 +-
 .../GithubPersonalAccessTokenFetcherTest.java |  10 +-
 .../gitlab/GitlabOAuthTokenFetcherTest.java   |  13 +-
 .../factory/server/FactoryServiceTest.java    |   7 +-
 .../che/api/logger/LoggerServiceTest.java     |   5 +-
 .../server/WorkspaceManagerTest.java          |  74 ++---------
 54 files changed, 618 insertions(+), 385 deletions(-)
 delete mode 100644 infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerImpl.java
 create mode 100644 infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesOIDCAuthorizationCheckerImpl.java

diff --git a/assembly/assembly-root-war/src/test/java/org/eclipse/che/DashboardRedirectionFilterTest.java b/assembly/assembly-root-war/src/test/java/org/eclipse/che/DashboardRedirectionFilterTest.java
index 52b920c5efd..2f92f38cbc1 100644
--- a/assembly/assembly-root-war/src/test/java/org/eclipse/che/DashboardRedirectionFilterTest.java
+++ b/assembly/assembly-root-war/src/test/java/org/eclipse/che/DashboardRedirectionFilterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -22,6 +22,7 @@
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.util.Collections;
 import org.eclipse.che.commons.env.EnvironmentContext;
 import org.eclipse.che.commons.subject.SubjectImpl;
 import org.mockito.InjectMocks;
@@ -50,7 +51,8 @@ public void shouldRedirectIfGetRequestIsNotNamespaceWorkspaceName(String uri) th
     when(request.getMethod()).thenReturn("GET");
     when(request.getRequestURI()).thenReturn(uri);
     EnvironmentContext context = new EnvironmentContext();
-    context.setSubject(new SubjectImpl("id123", "name", "token123", false));
+    context.setSubject(
+        new SubjectImpl("id123", Collections.emptyList(), "name", "token123", false));
     EnvironmentContext.setCurrent(context);
 
     // when
@@ -66,7 +68,8 @@ public void shouldRedirectIfHEADRequestIsNotNamespaceWorkspaceName(String uri) t
     when(request.getMethod()).thenReturn("HEAD");
     when(request.getRequestURI()).thenReturn(uri);
     EnvironmentContext context = new EnvironmentContext();
-    context.setSubject(new SubjectImpl("id123", "name", "token123", false));
+    context.setSubject(
+        new SubjectImpl("id123", Collections.emptyList(), "name", "token123", false));
     EnvironmentContext.setCurrent(context);
 
     // when
diff --git a/assembly/assembly-wsmaster-war/pom.xml b/assembly/assembly-wsmaster-war/pom.xml
index c32a84a8130..09438b0bf37 100644
--- a/assembly/assembly-wsmaster-war/pom.xml
+++ b/assembly/assembly-wsmaster-war/pom.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2012-2025 Red Hat, Inc.
+    Copyright (c) 2012-2026 Red Hat, Inc.
     This program and the accompanying materials are made
     available under the terms of the Eclipse Public License 2.0
     which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -259,10 +259,6 @@
             <groupId>org.eclipse.che.multiuser</groupId>
             <artifactId>che-multiuser-api-workspace-activity</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-keycloak-server</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.che.multiuser</groupId>
             <artifactId>che-multiuser-keycloak-token-provider</artifactId>
diff --git a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
index 56f02a23a3a..3e95fea354a 100644
--- a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
+++ b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -11,6 +11,7 @@
  */
 package org.eclipse.che.api.deploy;
 
+import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.inject.matcher.Matchers.subclassesOf;
 import static org.eclipse.che.inject.Matchers.names;
 import static org.eclipse.che.multiuser.api.permission.server.SystemDomain.SYSTEM_DOMAIN_ACTIONS;
@@ -26,7 +27,6 @@
 import io.jsonwebtoken.SigningKeyResolver;
 import java.util.HashMap;
 import java.util.Map;
-import org.eclipse.che.api.core.notification.RemoteSubscriptionStorage;
 import org.eclipse.che.api.core.rest.CheJsonProvider;
 import org.eclipse.che.api.core.rest.MessageBodyAdapter;
 import org.eclipse.che.api.core.rest.MessageBodyAdapterInterceptor;
@@ -63,8 +63,6 @@
 import org.eclipse.che.api.user.server.spi.ProfileDao;
 import org.eclipse.che.api.user.server.spi.UserDao;
 import org.eclipse.che.api.workspace.server.WorkspaceEntityProvider;
-import org.eclipse.che.api.workspace.server.WorkspaceLockService;
-import org.eclipse.che.api.workspace.server.WorkspaceStatusCache;
 import org.eclipse.che.api.workspace.server.devfile.DevfileModule;
 import org.eclipse.che.api.workspace.server.hc.ServersCheckerFactory;
 import org.eclipse.che.api.workspace.server.spi.provision.InternalEnvironmentProvisioner;
@@ -105,6 +103,8 @@
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesClientConfigFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfraModule;
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
+import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.AuthorizationChecker;
+import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.KubernetesOIDCAuthorizationCheckerImpl;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.KubernetesOidcProviderConfigFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.SecureServerExposer;
@@ -118,8 +118,8 @@
 import org.eclipse.che.workspace.infrastructure.metrics.InfrastructureMetricsModule;
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfraModule;
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
+import org.eclipse.che.workspace.infrastructure.openshift.authorization.OpenShiftAuthorizationCheckerImpl;
 import org.eclipse.che.workspace.infrastructure.openshift.environment.OpenShiftEnvironment;
-import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.KeycloakProviderConfigFactory;
 import org.eclipse.persistence.config.PersistenceUnitProperties;
 
 /**
@@ -319,27 +319,13 @@ protected void configure() {
 
   private void configureMultiUserMode(
       Map<String, String> persistenceProperties, String infrastructure) {
-    if (OpenShiftInfrastructure.NAME.equals(infrastructure)
-        || KubernetesInfrastructure.NAME.equals(infrastructure)) {
-      install(new ReplicationModule(persistenceProperties));
-      bind(
-          org.eclipse.che.multiuser.permission.workspace.infra.kubernetes
-              .BrokerServicePermissionFilter.class);
-      configureJwtProxySecureProvisioner(infrastructure);
-    } else {
-      bind(RemoteSubscriptionStorage.class)
-          .to(org.eclipse.che.api.core.notification.InmemoryRemoteSubscriptionStorage.class);
-      bind(WorkspaceLockService.class)
-          .to(org.eclipse.che.api.workspace.server.DefaultWorkspaceLockService.class);
-      bind(WorkspaceStatusCache.class)
-          .to(org.eclipse.che.api.workspace.server.DefaultWorkspaceStatusCache.class);
-    }
+    install(new ReplicationModule(persistenceProperties));
+    bind(
+        org.eclipse.che.multiuser.permission.workspace.infra.kubernetes
+            .BrokerServicePermissionFilter.class);
+    configureJwtProxySecureProvisioner(infrastructure);
 
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      bind(KubernetesClientConfigFactory.class).to(KubernetesOidcProviderConfigFactory.class);
-    } else if (OpenShiftInfrastructure.NAME.equals(infrastructure)) {
-      bind(KubernetesClientConfigFactory.class).to(KeycloakProviderConfigFactory.class);
-    }
+    bind(KubernetesClientConfigFactory.class).to(KubernetesOidcProviderConfigFactory.class);
 
     persistenceProperties.put(
         PersistenceUnitProperties.EXCEPTION_HANDLER_CLASS,
@@ -369,18 +355,19 @@ private void configureMultiUserMode(
 
     bind(org.eclipse.che.multiuser.permission.workspace.activity.ActivityPermissionsFilter.class);
 
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
-      if (KubernetesInfrastructure.NAME.equals(infrastructure)) {
-        bind(OIDCInfo.class).toProvider(OIDCInfoProvider.class).asEagerSingleton();
-        bind(SigningKeyResolver.class).to(OIDCSigningKeyResolver.class);
-        bind(JwtParser.class).toProvider(OIDCJwtParserProvider.class);
-        bind(JwkProvider.class).toProvider(OIDCJwkProvider.class);
-      }
-      bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
-      bind(ProfileDao.class).to(JpaProfileDao.class);
-      bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
+    bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
+    if (isOIDCProviderConfigured()) {
+      bind(OIDCInfo.class).toProvider(OIDCInfoProvider.class).asEagerSingleton();
+      bind(SigningKeyResolver.class).to(OIDCSigningKeyResolver.class);
+      bind(JwtParser.class).toProvider(OIDCJwtParserProvider.class);
+      bind(JwkProvider.class).toProvider(OIDCJwkProvider.class);
+      bind(AuthorizationChecker.class).to(KubernetesOIDCAuthorizationCheckerImpl.class);
+    } else {
+      bind(AuthorizationChecker.class).to(OpenShiftAuthorizationCheckerImpl.class);
     }
+    bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
+    bind(ProfileDao.class).to(JpaProfileDao.class);
+    bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
 
     install(new MachineAuthModule());
 
@@ -483,4 +470,15 @@ private void installDefaultSecureServerExposer(String infrastructure) {
                   PassThroughProxySecureServerExposerFactory<OpenShiftEnvironment>>() {});
     }
   }
+
+  private boolean isOIDCProviderConfigured() {
+    String openShiftOAuthEnabled = System.getenv("CHE_INFRA_OPENSHIFT_OAUTH__ENABLED");
+
+    if (isNullOrEmpty(openShiftOAuthEnabled)) {
+      String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
+      return KubernetesInfrastructure.NAME.equals(infrastructure);
+    }
+
+    return !Boolean.valueOf(openShiftOAuthEnabled);
+  }
 }
diff --git a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java
index 0bec77f78be..598af6be94d 100644
--- a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java
+++ b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -11,17 +11,15 @@
  */
 package org.eclipse.che.api.deploy;
 
+import static com.google.common.base.Strings.isNullOrEmpty;
+
 import com.google.common.collect.ImmutableMap;
 import com.google.inject.servlet.ServletModule;
 import org.eclipse.che.api.core.cors.CheCorsFilter;
 import org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter;
-import org.eclipse.che.inject.ConfigurationException;
 import org.eclipse.che.inject.DynaModule;
-import org.eclipse.che.multiuser.keycloak.server.deploy.KeycloakServletModule;
-import org.eclipse.che.multiuser.machine.authentication.server.MachineLoginFilter;
 import org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter;
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
-import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
 import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter;
 import org.everrest.guice.servlet.GuiceEverrestServlet;
 import org.slf4j.Logger;
@@ -50,13 +48,8 @@ protected void configureServlets() {
     serveRegex("^(?!/websocket.?)(.*)")
         .with(GuiceEverrestServlet.class, ImmutableMap.of("openapi.context.id", "org.eclipse.che"));
 
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      LOG.info("Running in native-user mode ...");
-      configureNativeUserMode();
-    } else {
-      LOG.info("Running in classic multi-user mode ...");
-      configureMultiUserMode();
-    }
+    LOG.info("Running in native-user mode ...");
+    configureNativeUserMode();
 
     if (Boolean.valueOf(System.getenv("CHE_METRICS_ENABLED"))) {
       install(new org.eclipse.che.core.metrics.MetricsServletModule());
@@ -73,19 +66,22 @@ private boolean isCheCorsEnabled() {
     }
   }
 
-  private void configureMultiUserMode() {
-    filterRegex(".*").through(MachineLoginFilter.class);
-    install(new KeycloakServletModule());
-  }
-
   private void configureNativeUserMode() {
-    final String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
-    if (OpenShiftInfrastructure.NAME.equals(infrastructure)) {
-      filter("/*").through(OpenshiftTokenInitializationFilter.class);
-    } else if (KubernetesInfrastructure.NAME.equals(infrastructure)) {
+    if (isOIDCProviderConfigured()) {
       filter("/*").through(OidcTokenInitializationFilter.class);
     } else {
-      throw new ConfigurationException("Native user mode is currently supported on on OpenShift.");
+      filter("/*").through(OpenshiftTokenInitializationFilter.class);
+    }
+  }
+
+  private boolean isOIDCProviderConfigured() {
+    String openShiftOAuthEnabled = System.getenv("CHE_INFRA_OPENSHIFT_OAUTH__ENABLED");
+
+    if (isNullOrEmpty(openShiftOAuthEnabled)) {
+      String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
+      return KubernetesInfrastructure.NAME.equals(infrastructure);
     }
+
+    return !Boolean.valueOf(openShiftOAuthEnabled);
   }
 }
diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
index 7103fb9c0db..b67eb3ed83b 100644
--- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2012-2023 Red Hat, Inc.
+# Copyright (c) 2012-2026 Red Hat, Inc.
 # This program and the accompanying materials are made
 # available under the terms of the Eclipse Public License 2.0
 # which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -92,6 +92,18 @@ che.oidc.allowed_clock_skew_sec=3
 # `name` in Dex installations.
 che.oidc.username_claim=NULL
 
+# Prefix to be prepended to username values extracted from the OIDC token.
+# If not defined, no prefix will be added.
+che.oidc.username_prefix=NULL
+
+# Claim to be used for extracting user group membership from the JWT token.
+# If not defined, group information will not be extracted from the token.
+che.oidc.group_claim=NULL
+
+# Prefix to be prepended to group names extracted from the OIDC token.
+# If not defined, no prefix will be added.
+che.oidc.group_prefix=NULL
+
 # Email claim to be used when parsing JWT token.
 # If not defined, the fallback value is 'email'.
 che.oidc.email_claim=NULL
diff --git a/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/Subject.java b/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/Subject.java
index 8729df26e24..6d003f25ba7 100644
--- a/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/Subject.java
+++ b/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/Subject.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -11,6 +11,7 @@
  */
 package org.eclipse.che.commons.subject;
 
+import java.util.List;
 import org.eclipse.che.api.core.ForbiddenException;
 
 /**
@@ -33,6 +34,11 @@ public String getUserName() {
           return "Anonymous";
         }
 
+        @Override
+        public List<String> getGroups() {
+          return java.util.Collections.emptyList();
+        }
+
         @Override
         public boolean hasPermission(String domain, String instance, String action) {
           return false;
@@ -81,6 +87,11 @@ public boolean isTemporary() {
    */
   String getUserName();
 
+  /**
+   * @return list of groups the user belongs to
+   */
+  List<String> getGroups();
+
   /**
    * Checks does subject have specified permission.
    *
diff --git a/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/SubjectImpl.java b/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/SubjectImpl.java
index 12708140fa3..45a410649df 100644
--- a/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/SubjectImpl.java
+++ b/core/che-core-api-core/src/main/java/org/eclipse/che/commons/subject/SubjectImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2018 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -11,6 +11,8 @@
  */
 package org.eclipse.che.commons.subject;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Objects;
 import org.eclipse.che.api.core.ForbiddenException;
 
@@ -22,11 +24,14 @@
 public class SubjectImpl implements Subject {
   private final String id;
   private final String name;
+  private final List<String> groups;
   private final String token;
   private final boolean isTemporary;
 
-  public SubjectImpl(String name, String id, String token, boolean isTemporary) {
+  public SubjectImpl(
+      String name, List<String> groups, String id, String token, boolean isTemporary) {
     this.name = name;
+    this.groups = Collections.unmodifiableList(groups);
     this.id = id;
     this.token = token;
     this.isTemporary = isTemporary;
@@ -37,6 +42,11 @@ public String getUserName() {
     return name;
   }
 
+  @Override
+  public List<String> getGroups() {
+    return groups;
+  }
+
   @Override
   public boolean hasPermission(String domain, String instance, String action) {
     return false;
@@ -73,6 +83,7 @@ public boolean equals(Object obj) {
     return Objects.equals(id, other.id)
         && Objects.equals(name, other.name)
         && Objects.equals(token, other.token)
+        && Objects.equals(groups, other.groups)
         && isTemporary == other.isTemporary;
   }
 
@@ -83,18 +94,21 @@ public int hashCode() {
     hash = 31 * hash + Objects.hashCode(name);
     hash = 31 * hash + Objects.hashCode(token);
     hash = 31 * hash + Boolean.hashCode(isTemporary);
+    hash = 31 * hash + Objects.hashCode(groups);
     return hash;
   }
 
   @Override
   public String toString() {
-    return "UserImpl{"
+    return "SubjectImpl{"
         + "id='"
         + id
         + '\''
         + ", name='"
         + name
         + '\''
+        + ", groups="
+        + groups
         + ", token='"
         + token
         + '\''
diff --git a/core/che-core-api-core/src/test/java/org/eclipse/che/api/core/rest/DefaultHttpJsonRequestTest.java b/core/che-core-api-core/src/test/java/org/eclipse/che/api/core/rest/DefaultHttpJsonRequestTest.java
index 9fb7de9b8e3..1cde686ab79 100644
--- a/core/che-core-api-core/src/test/java/org/eclipse/che/api/core/rest/DefaultHttpJsonRequestTest.java
+++ b/core/che-core-api-core/src/test/java/org/eclipse/che/api/core/rest/DefaultHttpJsonRequestTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -77,7 +77,8 @@ public class DefaultHttpJsonRequestTest {
   @SuppressWarnings("unused") // used by EverrestJetty
   private static final TestService TEST_SERVICE = new TestService();
 
-  private static final Subject TEST_SUBJECT = new SubjectImpl("name", "id", "token", false);
+  private static final Subject TEST_SUBJECT =
+      new SubjectImpl("name", Collections.emptyList(), "id", "token", false);
   private static final String DEFAULT_URL = "http://localhost:8080";
 
   @Captor private ArgumentCaptor<Map<String, String>> mapCaptor;
diff --git a/core/che-core-api-core/src/test/java/org/eclipse/che/commons/env/EnvironmentContextTest.java b/core/che-core-api-core/src/test/java/org/eclipse/che/commons/env/EnvironmentContextTest.java
index e8efc2d17c8..6a101c93516 100644
--- a/core/che-core-api-core/src/test/java/org/eclipse/che/commons/env/EnvironmentContextTest.java
+++ b/core/che-core-api-core/src/test/java/org/eclipse/che/commons/env/EnvironmentContextTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2018 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -14,6 +14,7 @@
 import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertFalse;
 
+import java.util.Collections;
 import org.eclipse.che.commons.subject.Subject;
 import org.eclipse.che.commons.subject.SubjectImpl;
 import org.testng.annotations.Test;
@@ -24,7 +25,7 @@ public class EnvironmentContextTest {
   public void shouldBeAbleToSetEnvContextInSameThread() {
     // given
     EnvironmentContext expected = EnvironmentContext.getCurrent();
-    expected.setSubject(new SubjectImpl("user", "id", "token", false));
+    expected.setSubject(new SubjectImpl("user", Collections.emptyList(), "id", "token", false));
 
     EnvironmentContext actual = EnvironmentContext.getCurrent();
     Subject actualSubject = actual.getSubject();
@@ -55,7 +56,7 @@ public void shouldReturnAnonymousSubjectWhenThereIsNoSubject() {
   public void shouldNotBeAbleToSeeContextInOtherThread() {
     // given
     final EnvironmentContext expected = EnvironmentContext.getCurrent();
-    expected.setSubject(new SubjectImpl("user", "id", "token", false));
+    expected.setSubject(new SubjectImpl("user", Collections.emptyList(), "id", "token", false));
 
     Thread otherThread =
         new Thread() {
diff --git a/infrastructures/infrastructure-factory/src/test/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesPersonalAccessTokenManagerTest.java b/infrastructures/infrastructure-factory/src/test/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesPersonalAccessTokenManagerTest.java
index 140639c78b0..357c351d73f 100644
--- a/infrastructures/infrastructure-factory/src/test/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesPersonalAccessTokenManagerTest.java
+++ b/infrastructures/infrastructure-factory/src/test/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesPersonalAccessTokenManagerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -39,6 +39,7 @@
 import io.fabric8.kubernetes.client.dsl.Resource;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -125,7 +126,11 @@ public void shouldTrimBlankCharsInToken() throws Exception {
     // when
     PersonalAccessToken token =
         personalAccessTokenManager
-            .get(new SubjectImpl("user", "user", "t1", false), null, "http://host1", null)
+            .get(
+                new SubjectImpl("user", Collections.emptyList(), "user", "t1", false),
+                null,
+                "http://host1",
+                null)
             .get();
 
     // then
@@ -236,7 +241,11 @@ public void testGetTokenFromNamespace() throws Exception {
     // when
     PersonalAccessToken token =
         personalAccessTokenManager
-            .get(new SubjectImpl("user", "user1", "t1", false), null, "http://host1", null)
+            .get(
+                new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+                null,
+                "http://host1",
+                null)
             .get();
 
     // then
@@ -281,7 +290,10 @@ public void shouldGetTokenFromASecretWithSCMUsername() throws Exception {
     // when
     Optional<PersonalAccessToken> tokenOptional =
         personalAccessTokenManager.get(
-            new SubjectImpl("user", "user1", "t1", false), null, "http://host1", null);
+            new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+            null,
+            "http://host1",
+            null);
     // then
     assertTrue(tokenOptional.isPresent());
     assertEquals(tokenOptional.get().getCheUserId(), "user1");
@@ -323,7 +335,10 @@ public void shouldGetTokenFromASecretWithoutSCMUsername() throws Exception {
     // when
     Optional<PersonalAccessToken> tokenOptional =
         personalAccessTokenManager.get(
-            new SubjectImpl("user", "user1", "t1", false), null, "http://host1", null);
+            new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+            null,
+            "http://host1",
+            null);
 
     // then
     assertTrue(tokenOptional.isPresent());
@@ -382,11 +397,19 @@ public void testGetTokenFromNamespaceWithTrailingSlashMismatch() throws Exceptio
     // when
     PersonalAccessToken token1 =
         personalAccessTokenManager
-            .get(new SubjectImpl("user", "user1", "t1", false), null, "http://host1.com", null)
+            .get(
+                new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+                null,
+                "http://host1.com",
+                null)
             .get();
     PersonalAccessToken token2 =
         personalAccessTokenManager
-            .get(new SubjectImpl("user", "user1", "t1", false), null, "http://host2.com/", null)
+            .get(
+                new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+                null,
+                "http://host2.com/",
+                null)
             .get();
 
     // then
@@ -423,7 +446,10 @@ public void shouldDeleteMisconfiguredTokensOnGet() throws Exception {
     // when
     Optional<PersonalAccessToken> token =
         personalAccessTokenManager.get(
-            new SubjectImpl("user", "user1", "t1", false), null, "http://host1", null);
+            new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+            null,
+            "http://host1",
+            null);
     // then
     assertFalse(token.isPresent());
     verify(nonNamespaceOperation, times(1)).delete(eq(secret1));
@@ -461,7 +487,10 @@ public void shouldDeleteInvalidTokensOnGet() throws Exception {
     // when
     Optional<PersonalAccessToken> token =
         personalAccessTokenManager.get(
-            new SubjectImpl("user", "user1", "t1", false), null, "http://host1", null);
+            new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+            null,
+            "http://host1",
+            null);
     // then
     assertFalse(token.isPresent());
     verify(nonNamespaceOperation, times(1)).delete(eq(secret1));
@@ -527,7 +556,10 @@ public void shouldReturnFirstValidTokenAndDeleteTheInvalidOne() throws Exception
     // when
     Optional<PersonalAccessToken> token =
         personalAccessTokenManager.get(
-            new SubjectImpl("user", "user1", "t1", false), null, "http://host1", null);
+            new SubjectImpl("user", Collections.emptyList(), "user1", "t1", false),
+            null,
+            "http://host1",
+            null);
     // then
     assertTrue(token.isPresent());
     assertEquals(token.get().getScmTokenId(), "id2");
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java
index ef0f3420935..9fa57feef56 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java
index 8e26d80a6d0..07428b769b4 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesInfraModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -36,8 +36,6 @@
 import org.eclipse.che.api.workspace.server.wsplugins.ChePluginsApplier;
 import org.eclipse.che.api.workspace.shared.Constants;
 import org.eclipse.che.workspace.infrastructure.kubernetes.api.server.KubernetesNamespaceService;
-import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.AuthorizationChecker;
-import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.KubernetesAuthorizationCheckerImpl;
 import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.PermissionsCleaner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.cache.jpa.JpaKubernetesRuntimeCacheModule;
 import org.eclipse.che.workspace.infrastructure.kubernetes.devfile.DockerimageComponentToWorkspaceApplier;
@@ -113,7 +111,6 @@ protected void configure() {
     namespaceConfigurators.addBinding().to(UserPreferencesConfigurator.class);
     namespaceConfigurators.addBinding().to(GitconfigConfigurator.class);
 
-    bind(AuthorizationChecker.class).to(KubernetesAuthorizationCheckerImpl.class);
     bind(PermissionsCleaner.class).asEagerSingleton();
 
     bind(KubernetesNamespaceService.class);
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/AuthorizationChecker.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/AuthorizationChecker.java
index 73b238c1dec..6801103c847 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/AuthorizationChecker.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/AuthorizationChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -12,9 +12,10 @@
 package org.eclipse.che.workspace.infrastructure.kubernetes.authorization;
 
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.commons.subject.Subject;
 
 /** This {@link AuthorizationChecker} checks if user is allowed to use Che. */
 public interface AuthorizationChecker {
 
-  boolean isAuthorized(String username) throws InfrastructureException;
+  boolean isAuthorized(Subject subject) throws InfrastructureException;
 }
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerImpl.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerImpl.java
deleted file mode 100644
index 16f9893ea5d..00000000000
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerImpl.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 2012-2023 Red Hat, Inc.
- * This program and the accompanying materials are made
- * available under the terms of the Eclipse Public License 2.0
- * which is available at https://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- *   Red Hat, Inc. - initial API and implementation
- */
-package org.eclipse.che.workspace.infrastructure.kubernetes.authorization;
-
-import static org.eclipse.che.commons.lang.StringUtils.strToSet;
-
-import java.util.Set;
-import javax.inject.Inject;
-import javax.inject.Named;
-import javax.inject.Singleton;
-import org.eclipse.che.commons.annotation.Nullable;
-
-/** This {@link KubernetesAuthorizationCheckerImpl} checks if user is allowed to use Che. */
-@Singleton
-public class KubernetesAuthorizationCheckerImpl implements AuthorizationChecker {
-
-  private final Set<String> allowUsers;
-  private final Set<String> denyUsers;
-
-  @Inject
-  public KubernetesAuthorizationCheckerImpl(
-      @Nullable @Named("che.infra.kubernetes.advanced_authorization.allow_users") String allowUsers,
-      @Nullable @Named("che.infra.kubernetes.advanced_authorization.deny_users") String denyUsers) {
-    this.allowUsers = strToSet(allowUsers);
-    this.denyUsers = strToSet(denyUsers);
-  }
-
-  public boolean isAuthorized(String username) {
-    return isAllowedUser(username) && !isDeniedUser(username);
-  }
-
-  private boolean isAllowedUser(String username) {
-    return allowUsers.isEmpty() || allowUsers.contains(username);
-  }
-
-  private boolean isDeniedUser(String username) {
-    return !denyUsers.isEmpty() && denyUsers.contains(username);
-  }
-}
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesOIDCAuthorizationCheckerImpl.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesOIDCAuthorizationCheckerImpl.java
new file mode 100644
index 00000000000..a22d0d75608
--- /dev/null
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesOIDCAuthorizationCheckerImpl.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2012-2026 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.che.workspace.infrastructure.kubernetes.authorization;
+
+import static org.eclipse.che.commons.lang.StringUtils.strToSet;
+
+import java.util.Collections;
+import java.util.Set;
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+import org.eclipse.che.commons.annotation.Nullable;
+import org.eclipse.che.commons.subject.Subject;
+
+/** This {@link KubernetesOIDCAuthorizationCheckerImpl} checks if user is allowed to use Che. */
+@Singleton
+public class KubernetesOIDCAuthorizationCheckerImpl implements AuthorizationChecker {
+
+  private final Set<String> allowUsers;
+  private final Set<String> allowGroups;
+  private final Set<String> denyUsers;
+  private final Set<String> denyGroups;
+
+  @Inject
+  public KubernetesOIDCAuthorizationCheckerImpl(
+      @Nullable @Named("che.infra.kubernetes.advanced_authorization.allow_users") String allowUsers,
+      @Nullable @Named("che.infra.kubernetes.advanced_authorization.allow_groups")
+          String allowGroups,
+      @Nullable @Named("che.infra.kubernetes.advanced_authorization.deny_users") String denyUsers,
+      @Nullable @Named("che.infra.kubernetes.advanced_authorization.deny_groups")
+          String denyGroups) {
+    this.allowUsers = strToSet(allowUsers);
+    this.allowGroups = strToSet(allowGroups);
+    this.denyUsers = strToSet(denyUsers);
+    this.denyGroups = strToSet(denyGroups);
+  }
+
+  public boolean isAuthorized(Subject subject) {
+    return isAllowedUser(subject) && !isDeniedUser(subject);
+  }
+
+  private boolean isAllowedUser(Subject subject) {
+    // All users from all groups are allowed by default
+    if (allowUsers.isEmpty() && allowGroups.isEmpty()) {
+      return true;
+    }
+
+    if (allowUsers.contains(subject.getUserName())) {
+      return true;
+    }
+
+    return !Collections.disjoint(allowGroups, subject.getGroups());
+  }
+
+  private boolean isDeniedUser(Subject subject) {
+    // All users from all groups are allowed by default
+    if (denyUsers.isEmpty() && denyGroups.isEmpty()) {
+      return false;
+    }
+
+    if (denyUsers.contains(subject.getUserName())) {
+      return true;
+    }
+
+    return !Collections.disjoint(denyGroups, subject.getGroups());
+  }
+}
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java
index 319d1b8770e..621fbdee657 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -291,7 +291,7 @@ public KubernetesNamespace getOrCreate(RuntimeIdentity identity) throws Infrastr
     var subject = EnvironmentContext.getCurrent().getSubject();
     var userName = subject.getUserName();
 
-    validateAuthorization(namespace.getName(), userName);
+    validateAuthorization(namespace.getName(), subject);
 
     NamespaceResolutionContext resolutionCtx =
         new NamespaceResolutionContext(identity.getWorkspaceId(), subject.getUserId(), userName);
@@ -585,15 +585,15 @@ public void deleteIfManaged(Workspace workspace) throws InfrastructureException
     }
   }
 
-  protected void validateAuthorization(String namespaceName, String username)
+  protected void validateAuthorization(String namespaceName, Subject subject)
       throws InfrastructureException {
-    if (!authorizationChecker.isAuthorized(username)) {
+    if (!authorizationChecker.isAuthorized(subject)) {
       try {
         permissionsCleaner.cleanUp(namespaceName);
       } catch (InfrastructureException | KubernetesClientException e) {
         LOG.error(
             "Failed to clean up permissions for user '{}' in namespace '{}'. Cause: {}",
-            username,
+            subject.getUserName(),
             namespaceName,
             e.getMessage(),
             e);
@@ -602,7 +602,7 @@ protected void validateAuthorization(String namespaceName, String username)
       throw new AuthorizationException(
           format(
               "User '%s' is not authorized to create a project. Please contact your system administrator.",
-              username));
+              subject.getUserName()));
     }
   }
 
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java
index 3a990e3ed80..8c41c2abfb0 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/api/server/KubernetesNamespaceServiceTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/api/server/KubernetesNamespaceServiceTest.java
index 1ed81fd830f..fc008a23e40 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/api/server/KubernetesNamespaceServiceTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/api/server/KubernetesNamespaceServiceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -62,7 +62,8 @@ public class KubernetesNamespaceServiceTest {
   @SuppressWarnings("unused")
   private static final EnvironmentFilter FILTER = new EnvironmentFilter();
 
-  private static final Subject SUBJECT = new SubjectImpl("john", "id-123", "token", false);
+  private static final Subject SUBJECT =
+      new SubjectImpl("john", Collections.emptyList(), "id-123", "token", false);
 
   @SuppressWarnings("unused") // is declared for deploying by everrest-assured
   private CheJsonProvider jsonProvider = new CheJsonProvider(Collections.emptySet());
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java
index 3c5d0a5b4a4..6a560c70ad7 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -11,7 +11,14 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.authorization;
 
+import static org.mockito.Mockito.*;
+
+import java.util.*;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.commons.subject.Subject;
+import org.eclipse.che.commons.subject.SubjectImpl;
+import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
+import org.mockito.Mock;
 import org.mockito.testng.MockitoTestNGListener;
 import org.testng.Assert;
 import org.testng.annotations.DataProvider;
@@ -20,16 +27,27 @@
 
 @Listeners(MockitoTestNGListener.class)
 public class KubernetesAuthorizationCheckerTest {
+
+  @Mock private CheServerKubernetesClientFactory clientFactory;
+  private static Subject user1 =
+      new SubjectImpl("user1", Arrays.asList("group1"), "id", "token", false);
+
   @Test(dataProvider = "advancedAuthorizationData")
   public void advancedAuthorization(
-      String testUserName, String allowedUsers, String deniedUsers, boolean expectedIsAuthorized)
+      Subject subject,
+      String allowedUsers,
+      String allowedGroups,
+      String deniedUsers,
+      String deniedGroups,
+      boolean expectedIsAuthorized)
       throws InfrastructureException {
     // give
-    AuthorizationChecker authorizationChecker =
-        new KubernetesAuthorizationCheckerImpl(allowedUsers, deniedUsers);
+    KubernetesOIDCAuthorizationCheckerImpl authorizationChecker =
+        new KubernetesOIDCAuthorizationCheckerImpl(
+            allowedUsers, allowedGroups, deniedUsers, deniedGroups);
 
     // when
-    boolean isAuthorized = authorizationChecker.isAuthorized(testUserName);
+    boolean isAuthorized = authorizationChecker.isAuthorized(subject);
 
     // then
     Assert.assertEquals(isAuthorized, expectedIsAuthorized);
@@ -38,12 +56,87 @@ public void advancedAuthorization(
   @DataProvider
   public static Object[][] advancedAuthorizationData() {
     return new Object[][] {
-      {"user1", "", "", true},
-      {"user1", "user1", "", true},
-      {"user1", "user1", "user2", true},
-      {"user1", "user1", "user1", false},
-      {"user2", "user1", "", false},
-      {"user2", "user1", "user2", false},
+      {user1, "", "", "", "", true},
+      {user1, "", "", "", "group1", false},
+      {user1, "", "", "", "group2", true},
+      {user1, "", "", "user1", "", false},
+      {user1, "", "", "user1", "group1", false},
+      {user1, "", "", "user1", "group2", false},
+      {user1, "", "", "user2", "", true},
+      {user1, "", "", "user2", "group1", false},
+      {user1, "", "", "user2", "group2", true},
+      {user1, "", "group1", "", "", true},
+      {user1, "", "group1", "", "group1", false},
+      {user1, "", "group1", "", "group2", true},
+      {user1, "", "group1", "user1", "", false},
+      {user1, "", "group1", "user1", "group1", false},
+      {user1, "", "group1", "user1", "group2", false},
+      {user1, "", "group1", "user2", "", true},
+      {user1, "", "group1", "user2", "group1", false},
+      {user1, "", "group1", "user2", "group2", true},
+      {user1, "", "group2", "", "", false},
+      {user1, "", "group2", "", "group1", false},
+      {user1, "", "group2", "", "group2", false},
+      {user1, "", "group2", "user1", "", false},
+      {user1, "", "group2", "user1", "group1", false},
+      {user1, "", "group2", "user1", "group2", false},
+      {user1, "", "group2", "user2", "", false},
+      {user1, "", "group2", "user2", "group1", false},
+      {user1, "", "group2", "user2", "group2", false},
+      {user1, "user1", "", "", "", true},
+      {user1, "user1", "", "", "group1", false},
+      {user1, "user1", "", "", "group2", true},
+      {user1, "user1", "", "user1", "", false},
+      {user1, "user1", "", "user1", "group1", false},
+      {user1, "user1", "", "user1", "group2", false},
+      {user1, "user1", "", "user2", "", true},
+      {user1, "user1", "", "user2", "group1", false},
+      {user1, "user1", "", "user2", "group2", true},
+      {user1, "user1", "group1", "", "", true},
+      {user1, "user1", "group1", "", "group1", false},
+      {user1, "user1", "group1", "", "group2", true},
+      {user1, "user1", "group1", "user1", "", false},
+      {user1, "user1", "group1", "user1", "group1", false},
+      {user1, "user1", "group1", "user1", "group2", false},
+      {user1, "user1", "group1", "user2", "", true},
+      {user1, "user1", "group1", "user2", "group1", false},
+      {user1, "user1", "group1", "user2", "group2", true},
+      {user1, "user1", "group2", "", "", true},
+      {user1, "user1", "group2", "", "group1", false},
+      {user1, "user1", "group2", "", "group2", true},
+      {user1, "user1", "group2", "user1", "", false},
+      {user1, "user1", "group2", "user1", "group1", false},
+      {user1, "user1", "group2", "user1", "group2", false},
+      {user1, "user1", "group2", "user2", "", true},
+      {user1, "user1", "group2", "user2", "group1", false},
+      {user1, "user1", "group2", "user2", "group2", true},
+      {user1, "user2", "", "", "", false},
+      {user1, "user2", "", "", "group1", false},
+      {user1, "user2", "", "", "group2", false},
+      {user1, "user2", "", "user1", "", false},
+      {user1, "user2", "", "user1", "group1", false},
+      {user1, "user2", "", "user1", "group2", false},
+      {user1, "user2", "", "user2", "", false},
+      {user1, "user2", "", "user2", "group1", false},
+      {user1, "user2", "", "user2", "group2", false},
+      {user1, "user2", "group1", "", "", true},
+      {user1, "user2", "group1", "", "group1", false},
+      {user1, "user2", "group1", "", "group2", true},
+      {user1, "user2", "group1", "user1", "", false},
+      {user1, "user2", "group1", "user1", "group1", false},
+      {user1, "user2", "group1", "user1", "group2", false},
+      {user1, "user2", "group1", "user2", "", true},
+      {user1, "user2", "group1", "user2", "group1", false},
+      {user1, "user2", "group1", "user2", "group2", true},
+      {user1, "user2", "group2", "", "", false},
+      {user1, "user2", "group2", "", "group1", false},
+      {user1, "user2", "group2", "", "group2", false},
+      {user1, "user2", "group2", "user1", "", false},
+      {user1, "user2", "group2", "user1", "group1", false},
+      {user1, "user2", "group2", "user1", "group2", false},
+      {user1, "user2", "group2", "user2", "", false},
+      {user1, "user2", "group2", "user2", "group1", false},
+      {user1, "user2", "group2", "user2", "group2", false},
     };
   }
 }
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/docker/auth/UserSpecificDockerRegistryCredentialsProviderTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/docker/auth/UserSpecificDockerRegistryCredentialsProviderTest.java
index 4c67fbef0da..5becd67f5b5 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/docker/auth/UserSpecificDockerRegistryCredentialsProviderTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/docker/auth/UserSpecificDockerRegistryCredentialsProviderTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -17,6 +17,7 @@
 import static org.testng.Assert.assertNotNull;
 import static org.testng.Assert.assertNull;
 
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import org.eclipse.che.api.core.ServerException;
@@ -103,7 +104,8 @@ private void setCredentialsIntoPreferences(String base64encodedCredentials)
     Map<String, String> preferences = new HashMap<>();
     preferences.put(DOCKER_REGISTRY_CREDENTIALS_KEY, base64encodedCredentials);
 
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("name", "id", "token1234", false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("name", Collections.emptyList(), "id", "token1234", false));
     when(preferenceManager.find(anyObject(), anyObject())).thenReturn(preferences);
   }
 }
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/multiuser/oauth/KubernetesOidcProviderConfigFactoryTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/multiuser/oauth/KubernetesOidcProviderConfigFactoryTest.java
index d2fcd3ebb20..9f72577d61f 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/multiuser/oauth/KubernetesOidcProviderConfigFactoryTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/multiuser/oauth/KubernetesOidcProviderConfigFactoryTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -15,6 +15,7 @@
 
 import io.fabric8.kubernetes.client.Config;
 import io.fabric8.kubernetes.client.ConfigBuilder;
+import java.util.Collections;
 import org.eclipse.che.commons.env.EnvironmentContext;
 import org.eclipse.che.commons.subject.SubjectImpl;
 import org.mockito.testng.MockitoTestNGListener;
@@ -47,7 +48,8 @@ public void getDefaultConfigWhenNoTokenSet() {
   @Test
   public void getConfigWithTokenWhenTokenIsSet() {
     EnvironmentContext.getCurrent()
-        .setSubject(new SubjectImpl("test_name", "test_id", TEST_TOKEN, false));
+        .setSubject(
+            new SubjectImpl("test_name", Collections.emptyList(), "test_id", TEST_TOKEN, false));
 
     Config resultConfig = kubernetesOidcProviderConfigFactory.buildConfig(defaultConfig, null);
 
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactoryTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactoryTest.java
index e7c540a5f92..8df0f22210c 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactoryTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceFactoryTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -88,6 +88,7 @@
 import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext;
 import org.eclipse.che.api.workspace.shared.Constants;
 import org.eclipse.che.commons.env.EnvironmentContext;
+import org.eclipse.che.commons.subject.Subject;
 import org.eclipse.che.commons.subject.SubjectImpl;
 import org.eclipse.che.inject.ConfigurationException;
 import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
@@ -168,13 +169,14 @@ public void setUp() throws Exception {
 
     lenient().when(namespaceOperation.withName(any())).thenReturn(namespaceResource);
     lenient().when(namespaceResource.get()).thenReturn(mock(Namespace.class));
-    lenient().when(authorizationChecker.isAuthorized(anyString())).thenReturn(true);
+    lenient().when(authorizationChecker.isAuthorized(any(Subject.class))).thenReturn(true);
 
     lenient().doReturn(namespaceListResource).when(namespaceOperation).withLabels(anyMap());
     lenient().when(namespaceListResource.list()).thenReturn(namespaceList);
     lenient().when(namespaceList.getItems()).thenReturn(Collections.emptyList());
 
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "i123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "i123", null, false));
   }
 
   @AfterMethod
@@ -344,7 +346,8 @@ public void shouldReturnPreparedNamespacesWhenFound() throws InfrastructureExcep
             pool,
             authorizationChecker,
             permissionsCleaner);
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
 
     // when
     List<KubernetesNamespaceMeta> availableNamespaces = namespaceFactory.list();
@@ -387,7 +390,8 @@ public void shouldNotThrowAnExceptionWhenNotAllowedToListNamespaces() throws Exc
             pool,
             authorizationChecker,
             permissionsCleaner);
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
 
     // when
     List<KubernetesNamespaceMeta> availableNamespaces = namespaceFactory.list();
@@ -551,7 +555,8 @@ public void testAllConfiguratorsAreCalledWhenCreatingNamespace() throws Infrastr
                 pool,
                 authorizationChecker,
                 permissionsCleaner));
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
 
     KubernetesNamespace toReturnNamespace = mock(KubernetesNamespace.class);
     when(toReturnNamespace.getName()).thenReturn(namespaceName);
@@ -1013,7 +1018,8 @@ public void shouldCreateExecAndViewRolesAndBindings() throws Exception {
 
     WorkspaceImpl workspace =
         new WorkspaceImplBuilder().setId("workspace123").setAttributes(emptyMap()).build();
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     String namespace = namespaceFactory.getNamespaceName(workspace);
 
     assertEquals(namespace, "che-123");
@@ -1386,7 +1392,8 @@ public void testUsernamePlaceholderInLabelsIsNotEvaluated() throws Infrastructur
             pool,
             authorizationChecker,
             permissionsCleaner);
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     namespaceFactory.list();
 
     verify(namespaceOperation).withLabels(Map.of("try_placeholder_here", "<username>"));
@@ -1411,7 +1418,8 @@ public void testUsernamePlaceholderInAnnotationsIsEvaluated() throws Infrastruct
                 pool,
                 authorizationChecker,
                 permissionsCleaner));
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     KubernetesNamespace toReturnNamespace = mock(KubernetesNamespace.class);
     prepareNamespace(toReturnNamespace);
     doReturn(toReturnNamespace).when(namespaceFactory).doCreateNamespaceAccess(any(), any());
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/GitConfigProvisionerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/GitConfigProvisionerTest.java
index 1d737acf594..eef0445ba19 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/GitConfigProvisionerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/GitConfigProvisionerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -32,6 +32,7 @@
 import io.fabric8.kubernetes.api.model.PodSpec;
 import io.fabric8.kubernetes.api.model.VolumeMount;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import org.eclipse.che.api.core.ServerException;
@@ -84,7 +85,7 @@ public void setup() {
     gitConfigProvisioner =
         new GitConfigProvisioner(preferenceManager, userManager, vcsSslCertificateProvisioner);
 
-    Subject subject = new SubjectImpl(null, "id", null, false);
+    Subject subject = new SubjectImpl(null, Collections.emptyList(), "id", null, false);
     EnvironmentContext environmentContext = new EnvironmentContext();
     environmentContext.setSubject(subject);
     EnvironmentContext.setCurrent(environmentContext);
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java
index 2308d7ad53e..532fcebfd18 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
index c92f775209f..e585a636902 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -40,7 +40,6 @@
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesEnvironmentProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.StartSynchronizerFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.api.server.KubernetesNamespaceService;
-import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.AuthorizationChecker;
 import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.PermissionsCleaner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.cache.jpa.JpaKubernetesRuntimeCacheModule;
 import org.eclipse.che.workspace.infrastructure.kubernetes.devfile.DockerimageComponentToWorkspaceApplier;
@@ -81,7 +80,6 @@
 import org.eclipse.che.workspace.infrastructure.kubernetes.wsplugins.SidecarToolingProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.wsplugins.brokerphases.BrokerEnvironmentFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.wsplugins.events.BrokerService;
-import org.eclipse.che.workspace.infrastructure.openshift.authorization.OpenShiftAuthorizationCheckerImpl;
 import org.eclipse.che.workspace.infrastructure.openshift.devfile.OpenshiftComponentToWorkspaceApplier;
 import org.eclipse.che.workspace.infrastructure.openshift.environment.OpenShiftEnvironment;
 import org.eclipse.che.workspace.infrastructure.openshift.environment.OpenShiftEnvironmentFactory;
@@ -119,7 +117,6 @@ protected void configure() {
     namespaceConfigurators.addBinding().to(OpenShiftWorkspaceServiceAccountConfigurator.class);
     namespaceConfigurators.addBinding().to(GitconfigConfigurator.class);
 
-    bind(AuthorizationChecker.class).to(OpenShiftAuthorizationCheckerImpl.class);
     bind(PermissionsCleaner.class).asEagerSingleton();
 
     bind(KubernetesNamespaceService.class);
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerImpl.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerImpl.java
index 895ab310d49..5a4a4599797 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerImpl.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -22,6 +22,7 @@
 import javax.inject.Singleton;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.commons.annotation.Nullable;
+import org.eclipse.che.commons.subject.Subject;
 import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.authorization.AuthorizationChecker;
 
@@ -51,7 +52,8 @@ public OpenShiftAuthorizationCheckerImpl(
     this.cheServerKubernetesClientFactory = cheServerKubernetesClientFactory;
   }
 
-  public boolean isAuthorized(String username) throws InfrastructureException {
+  public boolean isAuthorized(Subject subject) throws InfrastructureException {
+    String username = subject.getUserName();
     return isAllowedUser(cheServerKubernetesClientFactory.create(), username)
         && !isDeniedUser(cheServerKubernetesClientFactory.create(), username);
   }
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java
index fb5167613e9..910713172fb 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -16,6 +16,7 @@
 import io.fabric8.kubernetes.api.model.ObjectMeta;
 import io.fabric8.kubernetes.client.KubernetesClientException;
 import io.fabric8.openshift.client.OpenShiftClient;
+import java.util.Collections;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.inject.Singleton;
@@ -93,7 +94,8 @@ protected Subject extractSubject(String token, io.fabric8.openshift.api.model.Us
       ObjectMeta userMeta = osu.getMetadata();
       User user = userManager.getOrCreateUser(getUserId(osu), userMeta.getName());
       return new AuthorizedSubject(
-          new SubjectImpl(user.getName(), user.getId(), token, false), permissionChecker);
+          new SubjectImpl(user.getName(), Collections.emptyList(), user.getId(), token, false),
+          permissionChecker);
     } catch (ServerException | ConflictException e) {
       throw new RuntimeException(e);
     }
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java
index bc1976b2f33..8f64340badf 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -112,7 +112,7 @@ public OpenShiftProject getOrCreate(RuntimeIdentity identity) throws Infrastruct
     var subject = EnvironmentContext.getCurrent().getSubject();
     var userName = subject.getUserName();
 
-    validateAuthorization(osProject.getName(), userName);
+    validateAuthorization(osProject.getName(), subject);
 
     NamespaceResolutionContext resolutionCtx =
         new NamespaceResolutionContext(identity.getWorkspaceId(), subject.getUserId(), userName);
diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java
index ca07575d5d1..4eeb1289f51 100644
--- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java
+++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerTest.java
index 11fdf866c6c..fae3aa35859 100644
--- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerTest.java
+++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/authorization/OpenShiftAuthorizationCheckerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -28,6 +28,8 @@
 import java.util.Map;
 import java.util.Queue;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.commons.subject.Subject;
+import org.eclipse.che.commons.subject.SubjectImpl;
 import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
 import org.mockito.Mock;
 import org.mockito.testng.MockitoTestNGListener;
@@ -44,6 +46,10 @@ public class OpenShiftAuthorizationCheckerTest {
   @Mock private CheServerKubernetesClientFactory clientFactory;
   private KubernetesClient client;
   private KubernetesMockServer kubernetesMockServer;
+  private static Subject user1 =
+      new SubjectImpl("user1", Collections.emptyList(), "id", "token", false);
+  private static Subject user2 =
+      new SubjectImpl("user2", Collections.emptyList(), "id", "token", false);
 
   @BeforeMethod
   public void setUp() throws InfrastructureException {
@@ -67,7 +73,7 @@ public void tearDown() {
 
   @Test(dataProvider = "advancedAuthorizationData")
   public void advancedAuthorization(
-      String testUserName,
+      Subject subject,
       List<Group> groups,
       String allowedUsers,
       String allowedGroups,
@@ -82,7 +88,7 @@ public void advancedAuthorization(
     groups.forEach(group -> client.resources(Group.class).create(group));
 
     // when
-    boolean isAuthorized = authorizationChecker.isAuthorized(testUserName);
+    boolean isAuthorized = authorizationChecker.isAuthorized(subject);
 
     // then
     Assert.assertEquals(isAuthorized, expectedIsAuthorized);
@@ -104,14 +110,14 @@ public static Object[][] advancedAuthorizationData() {
             List.of("user2"));
 
     return new Object[][] {
-      {"user1", Collections.emptyList(), "", "", "", "", true},
-      {"user1", Collections.emptyList(), "user1", "", "", "", true},
-      {"user1", Collections.emptyList(), "user1", "", "user2", "", true},
-      {"user1", List.of(groupWithUser2), "user1", "", "", "groupWithUser2", true},
-      {"user1", List.of(groupWithUser1), "", "groupWithUser1", "", "", true},
-      {"user2", List.of(groupWithUser1), "user2", "groupWithUser1", "", "", true},
+      {user1, Collections.emptyList(), "", "", "", "", true},
+      {user1, Collections.emptyList(), "user1", "", "", "", true},
+      {user1, Collections.emptyList(), "user1", "", "user2", "", true},
+      {user1, List.of(groupWithUser2), "user1", "", "", "groupWithUser2", true},
+      {user1, List.of(groupWithUser1), "", "groupWithUser1", "", "", true},
+      {user2, List.of(groupWithUser1), "user2", "groupWithUser1", "", "", true},
       {
-        "user1",
+        user1,
         List.of(groupWithUser1, groupWithUser2),
         "",
         "groupWithUser1",
@@ -119,15 +125,15 @@ public static Object[][] advancedAuthorizationData() {
         "groupWithUser2",
         true
       },
-      {"user1", Collections.emptyList(), "user1", "", "user1", "", false},
-      {"user2", Collections.emptyList(), "user1", "", "", "", false},
-      {"user2", Collections.emptyList(), "user1", "", "user2", "", false},
-      {"user2", List.of(groupWithUser1), "", "groupWithUser1", "", "", false},
-      {"user1", Collections.emptyList(), "", "", "user1", "", false},
-      {"user1", List.of(groupWithUser1), "", "", "", "groupWithUser1", false},
-      {"user1", List.of(groupWithUser1), "", "groupWithUser1", "", "groupWithUser1", false},
+      {user1, Collections.emptyList(), "user1", "", "user1", "", false},
+      {user2, Collections.emptyList(), "user1", "", "", "", false},
+      {user2, Collections.emptyList(), "user1", "", "user2", "", false},
+      {user2, List.of(groupWithUser1), "", "groupWithUser1", "", "", false},
+      {user1, Collections.emptyList(), "", "", "user1", "", false},
+      {user1, List.of(groupWithUser1), "", "", "", "groupWithUser1", false},
+      {user1, List.of(groupWithUser1), "", "groupWithUser1", "", "groupWithUser1", false},
       {
-        "user2",
+        user2,
         List.of(groupWithUser1, groupWithUser2),
         "",
         "groupWithUser1",
diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java
index 845281d403a..2ed5eff941b 100644
--- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java
+++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -67,6 +67,7 @@
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext;
 import org.eclipse.che.commons.env.EnvironmentContext;
+import org.eclipse.che.commons.subject.Subject;
 import org.eclipse.che.commons.subject.SubjectImpl;
 import org.eclipse.che.inject.ConfigurationException;
 import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
@@ -139,7 +140,7 @@ public void setUp() throws Exception {
     lenient().when(cheServerOpenshiftClientFactory.createOC()).thenReturn(osClient);
     lenient().when(cheServerKubernetesClientFactory.create()).thenReturn(osClient);
     lenient().when(osClient.projects()).thenReturn(projectOperation);
-    lenient().when(authorizationChecker.isAuthorized(anyString())).thenReturn(true);
+    lenient().when(authorizationChecker.isAuthorized(any(Subject.class))).thenReturn(true);
 
     lenient()
         .when(workspaceManager.getWorkspace(any()))
@@ -153,7 +154,9 @@ public void setUp() throws Exception {
     lenient().when(projectList.getItems()).thenReturn(emptyList());
 
     EnvironmentContext.getCurrent()
-        .setSubject(new SubjectImpl(USER_NAME, USER_ID, "t-354t53xff34234", false));
+        .setSubject(
+            new SubjectImpl(
+                USER_NAME, Collections.emptyList(), USER_ID, "t-354t53xff34234", false));
   }
 
   @AfterMethod
@@ -284,7 +287,8 @@ public void shouldReturnPreparedNamespacesWhenFound() throws InfrastructureExcep
             authorizationChecker,
             permissionsCleaner,
             NO_OAUTH_IDENTITY_PROVIDER);
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
 
     // when
     List<KubernetesNamespaceMeta> availableNamespaces = projectFactory.list();
@@ -322,7 +326,8 @@ public void shouldNotThrowAnExceptionWhenNotAllowedToListNamespaces() throws Exc
             authorizationChecker,
             permissionsCleaner,
             NO_OAUTH_IDENTITY_PROVIDER);
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "u123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "u123", null, false));
 
     // when
     List<KubernetesNamespaceMeta> availableNamespaces = projectFactory.list();
@@ -749,7 +754,8 @@ public void testUsernamePlaceholderInLabelsIsNotEvaluated() throws Infrastructur
             authorizationChecker,
             permissionsCleaner,
             NO_OAUTH_IDENTITY_PROVIDER);
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     projectFactory.list();
 
     verify(projectOperation).withLabels(Map.of("try_placeholder_here", "<username>"));
@@ -777,7 +783,8 @@ public void testUsernamePlaceholderInAnnotationsIsEvaluated() throws Infrastruct
                 authorizationChecker,
                 permissionsCleaner,
                 NO_OAUTH_IDENTITY_PROVIDER));
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
     prepareProject(toReturnProject);
     doReturn(toReturnProject).when(projectFactory).doCreateProjectAccess(any(), any());
@@ -819,7 +826,8 @@ public void testAllConfiguratorsAreCalledWhenCreatingProject() throws Infrastruc
                 authorizationChecker,
                 permissionsCleaner,
                 NO_OAUTH_IDENTITY_PROVIDER));
-    EnvironmentContext.getCurrent().setSubject(new SubjectImpl("jondoe", "123", null, false));
+    EnvironmentContext.getCurrent()
+        .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
 
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
     when(toReturnProject.getName()).thenReturn(projectName);
diff --git a/multiuser/api/che-multiuser-api-authentication-commons/src/test/java/org/eclipse/che/multiuser/api/authentication/commons/filter/MultiUserEnvironmentInitializationFilterTest.java b/multiuser/api/che-multiuser-api-authentication-commons/src/test/java/org/eclipse/che/multiuser/api/authentication/commons/filter/MultiUserEnvironmentInitializationFilterTest.java
index 92002de28f3..566dfe7956c 100644
--- a/multiuser/api/che-multiuser-api-authentication-commons/src/test/java/org/eclipse/che/multiuser/api/authentication/commons/filter/MultiUserEnvironmentInitializationFilterTest.java
+++ b/multiuser/api/che-multiuser-api-authentication-commons/src/test/java/org/eclipse/che/multiuser/api/authentication/commons/filter/MultiUserEnvironmentInitializationFilterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -30,6 +30,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
+import java.util.Collections;
 import java.util.Optional;
 import org.eclipse.che.commons.env.EnvironmentContext;
 import org.eclipse.che.commons.subject.Subject;
@@ -55,7 +56,8 @@ public class MultiUserEnvironmentInitializationFilterTest {
 
   private final String userId = "user-abc-123";
   private final String token = "token-abc123";
-  private final Subject subject = new SubjectImpl("user", userId, token, false);
+  private final Subject subject =
+      new SubjectImpl("user", Collections.emptyList(), userId, token, false);
 
   private MultiUserEnvironmentInitializationFilter<Object> filter;
 
@@ -137,7 +139,8 @@ public void shouldCreateSubjectIfSessionDidNotContainOne() throws Exception {
   @Test
   public void shouldReCreateSubjectIfTokensDidNotMatch() throws Exception {
     Subject otherSubject =
-        new SubjectImpl(subject.getUserId(), subject.getUserName(), "token111", false);
+        new SubjectImpl(
+            subject.getUserId(), Collections.emptyList(), subject.getUserName(), "token111", false);
     when(tokenExtractor.getToken(any(HttpServletRequest.class))).thenReturn(token);
     when(sessionStore.getSession(eq(userId), any())).thenReturn(session);
     when(session.getAttribute(eq(CHE_SUBJECT_ATTRIBUTE))).thenReturn(otherSubject);
@@ -149,7 +152,8 @@ public void shouldReCreateSubjectIfTokensDidNotMatch() throws Exception {
 
   @Test
   public void shouldInvalidateSessionIfUserChanged() throws Exception {
-    Subject otherSubject = new SubjectImpl("another_user", "user987", "token111", false);
+    Subject otherSubject =
+        new SubjectImpl("another_user", Collections.emptyList(), "user987", "token111", false);
     when(tokenExtractor.getToken(any(HttpServletRequest.class))).thenReturn(token);
     when(sessionStore.getSession(eq(userId), any())).thenReturn(session);
     when(session.getAttribute(eq(CHE_SUBJECT_ATTRIBUTE))).thenReturn(otherSubject);
diff --git a/multiuser/api/che-multiuser-api-authorization/src/main/java/org/eclipse/che/multiuser/api/permission/server/AuthorizedSubject.java b/multiuser/api/che-multiuser-api-authorization/src/main/java/org/eclipse/che/multiuser/api/permission/server/AuthorizedSubject.java
index 609db80bc30..56aec337054 100644
--- a/multiuser/api/che-multiuser-api-authorization/src/main/java/org/eclipse/che/multiuser/api/permission/server/AuthorizedSubject.java
+++ b/multiuser/api/che-multiuser-api-authorization/src/main/java/org/eclipse/che/multiuser/api/permission/server/AuthorizedSubject.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -13,6 +13,7 @@
 
 import static java.lang.String.format;
 
+import java.util.List;
 import org.eclipse.che.api.core.ConflictException;
 import org.eclipse.che.api.core.ForbiddenException;
 import org.eclipse.che.api.core.NotFoundException;
@@ -43,6 +44,11 @@ public String getUserName() {
     return baseSubject.getUserName();
   }
 
+  @Override
+  public List<String> getGroups() {
+    return baseSubject.getGroups();
+  }
+
   @Override
   public boolean hasPermission(String domain, String instance, String action) {
     try {
diff --git a/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationManagerTest.java b/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationManagerTest.java
index 346cccbc5e1..44e4bd4c9fe 100644
--- a/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationManagerTest.java
+++ b/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationManagerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -89,7 +89,8 @@ public void setUp() throws Exception {
         .when(eventService.publish(any()))
         .thenAnswer(invocation -> invocation.getArguments()[0]);
     EnvironmentContext.getCurrent()
-        .setSubject(new SubjectImpl(USER_NAME, USER_ID, "userToken", false));
+        .setSubject(
+            new SubjectImpl(USER_NAME, Collections.emptyList(), USER_ID, "userToken", false));
   }
 
   @AfterMethod
diff --git a/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationServiceTest.java b/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationServiceTest.java
index b877a634913..3c236f7b92c 100644
--- a/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationServiceTest.java
+++ b/multiuser/api/che-multiuser-api-organization/src/test/java/org/eclipse/che/multiuser/organization/api/OrganizationServiceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -30,6 +30,7 @@
 import static org.testng.Assert.assertEquals;
 
 import io.restassured.response.Response;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import org.eclipse.che.api.core.BadRequestException;
@@ -339,7 +340,9 @@ public static class EnvironmentFilter implements RequestFilter {
     @Override
     public void doFilter(GenericContainerRequest request) {
       EnvironmentContext.getCurrent()
-          .setSubject(new SubjectImpl("userName", CURRENT_USER_ID, "token", false));
+          .setSubject(
+              new SubjectImpl(
+                  "userName", Collections.emptyList(), CURRENT_USER_ID, "token", false));
     }
   }
 }
diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java
index 75dbae189d6..bbc548abf8e 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -142,8 +142,11 @@ public Subject extractSubject(String token, Jws<Claims> processedToken) throws S
                       new JwtException(
                           "Unable to authenticate user because email address is not set in keycloak profile"));
       User user = userManager.getOrCreateUser(id, email, username);
+      // #KeycloakEnvironmentInitializationFilter is not used anymore, so we can ignore obtaining
+      // the list of groups user belongs to
       return new AuthorizedSubject(
-          new SubjectImpl(user.getName(), user.getId(), token, false), permissionChecker);
+          new SubjectImpl(user.getName(), Collections.emptyList(), user.getId(), token, false),
+          permissionChecker);
     } catch (ServerException | ConflictException e) {
       throw new ServletException(
           "Unable to identify user " + claims.getSubject() + " in Che database", e);
diff --git a/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilter.java b/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilter.java
index a53a34fbbbc..cc97d9ae3d0 100644
--- a/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilter.java
+++ b/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilter.java
@@ -26,6 +26,7 @@
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import java.io.IOException;
+import java.util.Collections;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.inject.Singleton;
@@ -97,7 +98,9 @@ public Subject extractSubject(String token, Claims claims) {
       final String userName = userManager.getById(userId).getName();
       final String workspaceId = claims.get(WORKSPACE_ID_CLAIM, String.class);
       return new MachineTokenAuthorizedSubject(
-          new SubjectImpl(userName, userId, token, false), permissionChecker, workspaceId);
+          new SubjectImpl(userName, Collections.emptyList(), userId, token, false),
+          permissionChecker,
+          workspaceId);
     } catch (NotFoundException e) {
       throw new JwtException("Corresponding user doesn't exist.");
     } catch (ServerException | JwtException e) {
diff --git a/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilterTest.java b/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilterTest.java
index a3f0139cba9..66132b3d107 100644
--- a/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilterTest.java
+++ b/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineLoginFilterTest.java
@@ -34,6 +34,7 @@
 import jakarta.servlet.http.HttpSession;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import org.eclipse.che.api.core.NotFoundException;
@@ -68,7 +69,7 @@ public class MachineLoginFilterTest {
   private static final String WORKSPACE_ID = "workspace31";
 
   private static final Subject SUBJECT =
-      new SubjectImpl("test_user", "test_user31", "userToken", false);
+      new SubjectImpl("test_user", Collections.emptyList(), "test_user31", "userToken", false);
 
   private static final Map<String, Object> HEADER = new HashMap<>();
   private static final ClaimsBuilder CLAIMS_BUILDER = Jwts.claims();
diff --git a/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistryTest.java b/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistryTest.java
index 1b2140db4ca..eef1bfaea87 100644
--- a/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistryTest.java
+++ b/multiuser/machine-auth/che-multiuser-machine-authentication/src/test/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistryTest.java
@@ -27,6 +27,7 @@
 import io.jsonwebtoken.Jwts;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import org.eclipse.che.api.core.NotFoundException;
@@ -90,6 +91,7 @@ public void testCreatesNewTokenWhenNoPreviouslyCreatedFound() throws Exception {
     final SubjectImpl subject =
         new SubjectImpl(
             claims.get(USER_NAME_CLAIM, String.class),
+            Collections.emptyList(),
             claims.get(USER_ID_CLAIM, String.class),
             null,
             false);
diff --git a/multiuser/oidc/pom.xml b/multiuser/oidc/pom.xml
index 21c79623f6e..4331a39f5db 100644
--- a/multiuser/oidc/pom.xml
+++ b/multiuser/oidc/pom.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2012-2025 Red Hat, Inc.
+    Copyright (c) 2012-2026 Red Hat, Inc.
     This program and the accompanying materials are made
     available under the terms of the Eclipse Public License 2.0
     which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -47,14 +47,6 @@
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-api-core</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.core</groupId>
-            <artifactId>che-core-api-model</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.core</groupId>
-            <artifactId>che-core-api-user</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-commons-annotations</artifactId>
diff --git a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/OIDCInfoProvider.java b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/OIDCInfoProvider.java
index 0e56b66e8e3..9a784607f38 100644
--- a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/OIDCInfoProvider.java
+++ b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/OIDCInfoProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -43,7 +43,10 @@ public class OIDCInfoProvider implements Provider<OIDCInfo> {
       OIDC_SETTING_PREFIX + "auth_internal_server_url";
   public static final String OIDC_PROVIDER_SETTING = OIDC_SETTING_PREFIX + "oidc_provider";
   public static final String OIDC_USERNAME_CLAIM_SETTING = OIDC_SETTING_PREFIX + "username_claim";
+  public static final String OIDC_USERNAME_PREFIX_SETTING = OIDC_SETTING_PREFIX + "username_prefix";
   public static final String OIDC_EMAIL_CLAIM_SETTING = OIDC_SETTING_PREFIX + "email_claim";
+  public static final String OIDC_GROUPS_CLAIM_SETTING = OIDC_SETTING_PREFIX + "groups_claim";
+  public static final String OIDC_GROUP_PREFIX_SETTING = OIDC_SETTING_PREFIX + "group_prefix";
   public static final String OIDC_ALLOWED_CLOCK_SKEW_SEC =
       OIDC_SETTING_PREFIX + "allowed_clock_skew_sec";
 
diff --git a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
index 5ba7ae40337..eb9f81569eb 100644
--- a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
+++ b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -13,19 +13,20 @@
 
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_EMAIL_CLAIM_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_GROUPS_CLAIM_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_GROUP_PREFIX_SETTING;
 import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_USERNAME_CLAIM_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_USERNAME_PREFIX_SETTING;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtParser;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.inject.Singleton;
-import org.eclipse.che.api.core.ConflictException;
-import org.eclipse.che.api.core.ServerException;
-import org.eclipse.che.api.core.model.user.User;
-import org.eclipse.che.api.user.server.UserManager;
 import org.eclipse.che.commons.annotation.Nullable;
 import org.eclipse.che.commons.subject.Subject;
 import org.eclipse.che.commons.subject.SubjectImpl;
@@ -34,6 +35,8 @@
 import org.eclipse.che.multiuser.api.authentication.commons.token.RequestTokenExtractor;
 import org.eclipse.che.multiuser.api.permission.server.AuthorizedSubject;
 import org.eclipse.che.multiuser.api.permission.server.PermissionChecker;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * This filter uses given token directly. It's used for native Kubernetes user authentication.
@@ -47,15 +50,21 @@
 @Singleton
 public class OidcTokenInitializationFilter
     extends MultiUserEnvironmentInitializationFilter<Jws<Claims>> {
+  private static final Logger LOG = LoggerFactory.getLogger(OidcTokenInitializationFilter.class);
+
   private static final String EMAIL_CLAIM = "email";
   private static final String NAME_CLAIM = "name";
+  private static final String GROUPS_CLAIM = "groups";
   protected static final String DEFAULT_USERNAME_CLAIM = NAME_CLAIM;
   protected static final String DEFAULT_EMAIL_CLAIM = EMAIL_CLAIM;
+  protected static final String DEFAULT_GROUPS_CLAIM = GROUPS_CLAIM;
 
   private final JwtParser jwtParser;
   private final PermissionChecker permissionChecker;
-  private final UserManager userManager;
   private final String usernameClaim;
+  private final String usernamePrefix;
+  private final String groupsClaim;
+  private final String groupPrefix;
   private final String emailClaim;
 
   @Inject
@@ -64,15 +73,19 @@ public OidcTokenInitializationFilter(
       JwtParser jwtParser,
       SessionStore sessionStore,
       RequestTokenExtractor tokenExtractor,
-      UserManager userManager,
       @Nullable @Named(OIDC_USERNAME_CLAIM_SETTING) String usernameClaim,
+      @Nullable @Named(OIDC_USERNAME_PREFIX_SETTING) String usernamePrefix,
+      @Nullable @Named(OIDC_GROUPS_CLAIM_SETTING) String groupsClaim,
+      @Nullable @Named(OIDC_GROUP_PREFIX_SETTING) String groupPrefix,
       @Nullable @Named(OIDC_EMAIL_CLAIM_SETTING) String emailClaim) {
     super(sessionStore, tokenExtractor);
     this.permissionChecker = permissionChecker;
     this.jwtParser = jwtParser;
-    this.userManager = userManager;
-    this.usernameClaim = isNullOrEmpty(usernameClaim) ? DEFAULT_USERNAME_CLAIM : usernameClaim;
     this.emailClaim = isNullOrEmpty(emailClaim) ? DEFAULT_EMAIL_CLAIM : emailClaim;
+    this.usernameClaim = isNullOrEmpty(usernameClaim) ? DEFAULT_USERNAME_CLAIM : usernameClaim;
+    this.usernamePrefix = isNullOrEmpty(usernamePrefix) ? "" : usernamePrefix;
+    this.groupsClaim = isNullOrEmpty(groupsClaim) ? DEFAULT_GROUPS_CLAIM : groupsClaim;
+    this.groupPrefix = isNullOrEmpty(groupPrefix) ? "" : groupPrefix;
   }
 
   @Override
@@ -87,17 +100,23 @@ protected String getUserId(Jws<Claims> processedToken) {
 
   @Override
   protected Subject extractSubject(String token, Jws<Claims> processedToken) {
-    try {
-      Claims claims = processedToken.getBody();
-      User user =
-          userManager.getOrCreateUser(
-              claims.getSubject(),
-              claims.get(emailClaim, String.class),
-              claims.get(usernameClaim, String.class));
-      return new AuthorizedSubject(
-          new SubjectImpl(user.getName(), user.getId(), token, false), permissionChecker);
-    } catch (ServerException | ConflictException e) {
-      throw new RuntimeException(e);
+    Claims claims = processedToken.getBody();
+    String email = claims.get(emailClaim, String.class);
+    String username = usernamePrefix + claims.get(usernameClaim, String.class);
+
+    List<String> groups = new ArrayList<>();
+    Object groupClaim = claims.get(this.groupsClaim);
+    if (groupClaim instanceof Iterable) {
+      for (Object group : ((Iterable<?>) groupClaim)) {
+        groups.add(groupPrefix + group);
+      }
+    } else if (groupClaim instanceof String) {
+      groups.add(groupPrefix + groupClaim);
+    } else {
+      LOG.warn("Groups claim '{}' is not a String or Iterable, skipping groups", this.groupsClaim);
     }
+
+    return new AuthorizedSubject(
+        new SubjectImpl(username, groups, claims.getSubject(), token, false), permissionChecker);
   }
 }
diff --git a/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java b/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java
index 30799fff884..36689aa9df5 100644
--- a/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java
+++ b/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -11,10 +11,8 @@
  */
 package org.eclipse.che.multiuser.oidc.filter;
 
-import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.DEFAULT_EMAIL_CLAIM;
-import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.DEFAULT_USERNAME_CLAIM;
+import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.*;
 import static org.mockito.Mockito.lenient;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -24,10 +22,10 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtParser;
+import java.util.Arrays;
+import java.util.List;
 import org.eclipse.che.api.core.ConflictException;
 import org.eclipse.che.api.core.ServerException;
-import org.eclipse.che.api.core.model.user.User;
-import org.eclipse.che.api.user.server.UserManager;
 import org.eclipse.che.multiuser.api.authentication.commons.SessionStore;
 import org.eclipse.che.multiuser.api.authentication.commons.token.RequestTokenExtractor;
 import org.eclipse.che.multiuser.api.permission.server.PermissionChecker;
@@ -45,13 +43,15 @@ public class OidcTokenInitializationFilterTest {
   @Mock private JwtParser jwtParser;
   @Mock private SessionStore sessionStore;
   @Mock private RequestTokenExtractor tokenExtractor;
-  @Mock private UserManager userManager;
-  private final String usernameClaim = "blabolClaim";
-  private final String emailClaim = "pafturClaim";
+  private final String usernameClaim = "userClaim";
+  private final String usernamePrefix = "oidc-user:";
+  private final String groupsClaim = "groupClaim";
+  private final String groupPrefix = "oidc-group:";
+  private final String emailClaim = "emailClaim";
   private final String TEST_USERNAME = "jondoe";
   private final String TEST_USER_EMAIL = "jon@doe";
   private final String TEST_USERID = "jon1337";
-
+  private final List<String> TEST_GROUPS = Arrays.asList("group1", "group2");
   private final String TEST_TOKEN = "abcToken";
 
   @Mock private Jws<Claims> jwsClaims;
@@ -67,14 +67,17 @@ public void setUp() {
             jwtParser,
             sessionStore,
             tokenExtractor,
-            userManager,
             usernameClaim,
+            usernamePrefix,
+            groupsClaim,
+            groupPrefix,
             emailClaim);
 
     lenient().when(jwsClaims.getBody()).thenReturn(claims);
     lenient().when(claims.getSubject()).thenReturn(TEST_USERID);
     lenient().when(claims.get(emailClaim, String.class)).thenReturn(TEST_USER_EMAIL);
     lenient().when(claims.get(usernameClaim, String.class)).thenReturn(TEST_USERNAME);
+    lenient().when(claims.get(groupsClaim)).thenReturn(TEST_GROUPS);
   }
 
   @Test
@@ -103,18 +106,12 @@ public void testGetUserId() {
 
   @Test
   public void testExtractSubject() throws ServerException, ConflictException {
-    User createdUser = mock(User.class);
-    when(createdUser.getId()).thenReturn(TEST_USERID);
-    when(createdUser.getName()).thenReturn(TEST_USERNAME);
-    when(userManager.getOrCreateUser(TEST_USERID, TEST_USER_EMAIL, TEST_USERNAME))
-        .thenReturn(createdUser);
-
     var subject = tokenInitializationFilter.extractSubject(TEST_TOKEN, jwsClaims);
 
     assertEquals(subject.getUserId(), TEST_USERID);
-    assertEquals(subject.getUserName(), TEST_USERNAME);
+    assertEquals(subject.getUserName(), usernamePrefix + TEST_USERNAME);
+    assertEquals(subject.getGroups(), Arrays.asList("oidc-group:group1", "oidc-group:group2"));
     assertEquals(subject.getToken(), TEST_TOKEN);
-    verify(userManager).getOrCreateUser(TEST_USERID, TEST_USER_EMAIL, TEST_USERNAME);
   }
 
   @Test(dataProvider = "usernameClaims")
@@ -126,22 +123,19 @@ public void testDefaultUsernameClaimWhenEmpty(String customUsernameClaim)
             jwtParser,
             sessionStore,
             tokenExtractor,
-            userManager,
             customUsernameClaim,
+            usernamePrefix,
+            groupsClaim,
+            groupPrefix,
             emailClaim);
-    User createdUser = mock(User.class);
-    when(createdUser.getId()).thenReturn(TEST_USERID);
-    when(createdUser.getName()).thenReturn(TEST_USERNAME);
-    when(userManager.getOrCreateUser(TEST_USERID, TEST_USER_EMAIL, TEST_USERNAME))
-        .thenReturn(createdUser);
     when(claims.get(DEFAULT_USERNAME_CLAIM, String.class)).thenReturn(TEST_USERNAME);
 
     var subject = tokenInitializationFilter.extractSubject(TEST_TOKEN, jwsClaims);
 
     assertEquals(subject.getUserId(), TEST_USERID);
-    assertEquals(subject.getUserName(), TEST_USERNAME);
+    assertEquals(subject.getUserName(), usernamePrefix + TEST_USERNAME);
+    assertEquals(subject.getGroups(), Arrays.asList("oidc-group:group1", "oidc-group:group2"));
     assertEquals(subject.getToken(), TEST_TOKEN);
-    verify(userManager).getOrCreateUser(TEST_USERID, TEST_USER_EMAIL, TEST_USERNAME);
     verify(claims).get(DEFAULT_USERNAME_CLAIM, String.class);
     verify(claims, never()).get(usernameClaim, String.class);
   }
@@ -155,31 +149,59 @@ public void testDefaultEmailClaimWhenEmpty(String customEmailClaim)
             jwtParser,
             sessionStore,
             tokenExtractor,
-            userManager,
             usernameClaim,
+            usernamePrefix,
+            groupsClaim,
+            groupPrefix,
             customEmailClaim);
-    User createdUser = mock(User.class);
-    when(createdUser.getId()).thenReturn(TEST_USERID);
-    when(createdUser.getName()).thenReturn(TEST_USERNAME);
-    when(userManager.getOrCreateUser(TEST_USERID, TEST_USER_EMAIL, TEST_USERNAME))
-        .thenReturn(createdUser);
     when(claims.get(DEFAULT_EMAIL_CLAIM, String.class)).thenReturn(TEST_USER_EMAIL);
 
     var subject = tokenInitializationFilter.extractSubject(TEST_TOKEN, jwsClaims);
 
     assertEquals(subject.getUserId(), TEST_USERID);
-    assertEquals(subject.getUserName(), TEST_USERNAME);
+    assertEquals(subject.getUserName(), usernamePrefix + TEST_USERNAME);
     assertEquals(subject.getToken(), TEST_TOKEN);
-    verify(userManager).getOrCreateUser(TEST_USERID, TEST_USER_EMAIL, TEST_USERNAME);
+    assertEquals(subject.getGroups(), Arrays.asList("oidc-group:group1", "oidc-group:group2"));
     verify(claims).get(DEFAULT_EMAIL_CLAIM, String.class);
     verify(claims, never()).get(emailClaim, String.class);
   }
 
+  @Test(dataProvider = "groupsClaims")
+  public void testDefaultGroupClaimWhenEmpty(String customGroupsClaim)
+      throws ServerException, ConflictException {
+    tokenInitializationFilter =
+        new OidcTokenInitializationFilter(
+            permissionsChecker,
+            jwtParser,
+            sessionStore,
+            tokenExtractor,
+            usernameClaim,
+            usernamePrefix,
+            customGroupsClaim,
+            groupPrefix,
+            emailClaim);
+    when(claims.get(DEFAULT_GROUPS_CLAIM)).thenReturn(TEST_GROUPS);
+
+    var subject = tokenInitializationFilter.extractSubject(TEST_TOKEN, jwsClaims);
+
+    assertEquals(subject.getUserId(), TEST_USERID);
+    assertEquals(subject.getUserName(), usernamePrefix + TEST_USERNAME);
+    assertEquals(subject.getGroups(), Arrays.asList("oidc-group:group1", "oidc-group:group2"));
+    assertEquals(subject.getToken(), TEST_TOKEN);
+    verify(claims).get(DEFAULT_GROUPS_CLAIM);
+    verify(claims, never()).get(groupsClaim);
+  }
+
   @DataProvider
   public static Object[][] usernameClaims() {
     return new Object[][] {{""}, {null}};
   }
 
+  @DataProvider
+  public static Object[][] groupsClaims() {
+    return new Object[][] {{""}, {null}};
+  }
+
   @DataProvider
   public static Object[][] emailClaims() {
     return new Object[][] {{""}, {null}};
diff --git a/multiuser/permission/che-multiuser-permission-devfile/src/test/java/org/eclipse/che/multiuser/permission/devfile/server/TestObjectGenerator.java b/multiuser/permission/che-multiuser-permission-devfile/src/test/java/org/eclipse/che/multiuser/permission/devfile/server/TestObjectGenerator.java
index c441e05b494..82a96d2ff0d 100644
--- a/multiuser/permission/che-multiuser-permission-devfile/src/test/java/org/eclipse/che/multiuser/permission/devfile/server/TestObjectGenerator.java
+++ b/multiuser/permission/che-multiuser-permission-devfile/src/test/java/org/eclipse/che/multiuser/permission/devfile/server/TestObjectGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -16,6 +16,7 @@
 import static java.util.Collections.singletonMap;
 
 import com.google.common.collect.ImmutableMap;
+import java.util.Collections;
 import org.eclipse.che.account.shared.model.Account;
 import org.eclipse.che.account.spi.AccountImpl;
 import org.eclipse.che.api.devfile.server.DtoConverter;
@@ -40,7 +41,7 @@ public class TestObjectGenerator {
   public static final String TEST_CHE_NAMESPACE = "user";
   public static final String CURRENT_USER_ID = NameGenerator.generate("usrid", 6);
   public static final Subject TEST_SUBJECT =
-      new SubjectImpl(TEST_CHE_NAMESPACE, CURRENT_USER_ID, "token", false);
+      new SubjectImpl(TEST_CHE_NAMESPACE, Collections.emptyList(), CURRENT_USER_ID, "token", false);
   public static final String USER_DEVFILE_ID = NameGenerator.generate("usrd", 16);
   public static final AccountImpl TEST_ACCOUNT =
       new AccountImpl("acc-id042u3ui3oi", TEST_CHE_NAMESPACE, "test");
diff --git a/wsmaster/che-core-api-devfile/src/test/java/org/eclipse/che/api/devfile/server/TestObjectGenerator.java b/wsmaster/che-core-api-devfile/src/test/java/org/eclipse/che/api/devfile/server/TestObjectGenerator.java
index c0d30da9483..9450228dda5 100644
--- a/wsmaster/che-core-api-devfile/src/test/java/org/eclipse/che/api/devfile/server/TestObjectGenerator.java
+++ b/wsmaster/che-core-api-devfile/src/test/java/org/eclipse/che/api/devfile/server/TestObjectGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -17,6 +17,7 @@
 
 import com.google.common.base.MoreObjects;
 import com.google.common.collect.ImmutableMap;
+import java.util.Collections;
 import org.eclipse.che.account.shared.model.Account;
 import org.eclipse.che.account.spi.AccountImpl;
 import org.eclipse.che.api.devfile.server.model.impl.UserDevfileImpl;
@@ -40,7 +41,7 @@ public class TestObjectGenerator {
   public static final String TEST_CHE_NAMESPACE = "user";
   public static final String CURRENT_USER_ID = NameGenerator.generate("usrid", 6);
   public static final Subject TEST_SUBJECT =
-      new SubjectImpl(TEST_CHE_NAMESPACE, CURRENT_USER_ID, "token", false);
+      new SubjectImpl(TEST_CHE_NAMESPACE, Collections.emptyList(), CURRENT_USER_ID, "token", false);
   public static final String USER_DEVFILE_ID = NameGenerator.generate("usrd", 16);
   public static final AccountImpl TEST_ACCOUNT =
       new AccountImpl("acc-id042u3ui3oi", TEST_CHE_NAMESPACE, "test");
diff --git a/wsmaster/che-core-api-factory-azure-devops/src/test/java/org/eclipse/che/api/factory/server/azure/devops/AzureDevOpsPersonalAccessTokenFetcherTest.java b/wsmaster/che-core-api-factory-azure-devops/src/test/java/org/eclipse/che/api/factory/server/azure/devops/AzureDevOpsPersonalAccessTokenFetcherTest.java
index a21eff089d5..2d4e1e1cb58 100644
--- a/wsmaster/che-core-api-factory-azure-devops/src/test/java/org/eclipse/che/api/factory/server/azure/devops/AzureDevOpsPersonalAccessTokenFetcherTest.java
+++ b/wsmaster/che-core-api-factory-azure-devops/src/test/java/org/eclipse/che/api/factory/server/azure/devops/AzureDevOpsPersonalAccessTokenFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -32,6 +32,7 @@
 import com.github.tomakehurst.wiremock.common.Slf4jNotifier;
 import com.google.common.net.HttpHeaders;
 import java.util.Base64;
+import java.util.Collections;
 import java.util.Optional;
 import org.eclipse.che.api.auth.shared.dto.OAuthToken;
 import org.eclipse.che.api.factory.server.scm.PersonalAccessToken;
@@ -120,7 +121,7 @@ public void fetchPersonalAccessTokenShouldReturnToken() throws Exception {
       expectedExceptionsMessageRegExp =
           "Username is not authorized in azure-devops OAuth provider.")
   public void shouldThrowUnauthorizedExceptionIfTokenIsNotValid() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(azureOauthToken).withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
     stubFor(
@@ -133,7 +134,7 @@ public void shouldThrowUnauthorizedExceptionIfTokenIsNotValid() throws Exception
 
   @Test(expectedExceptions = ScmUnauthorizedException.class)
   public void shouldThrowUnauthorizedExceptionOnRedirectResponse() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(azureOauthToken).withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
     stubFor(
diff --git a/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerPersonalAccessTokenFetcherTest.java b/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerPersonalAccessTokenFetcherTest.java
index 51c817041cf..7d00a0b7637 100644
--- a/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerPersonalAccessTokenFetcherTest.java
+++ b/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerPersonalAccessTokenFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -73,7 +73,8 @@ public class BitbucketServerPersonalAccessTokenFetcherTest {
   @BeforeMethod
   public void setup() throws MalformedURLException {
     URL apiEndpoint = new URL("https://che.server.com");
-    subject = new SubjectImpl("another_user", "user987", "token111", false);
+    subject =
+        new SubjectImpl("another_user", Collections.emptyList(), "user987", "token111", false);
     bitbucketUser =
         new BitbucketUser(
             "User User", "user-name", 32423523, "NORMAL", true, "user-slug", "user@users.com");
diff --git a/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerUserDataFetcherTest.java b/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerUserDataFetcherTest.java
index a2100eef957..bce89585ec3 100644
--- a/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerUserDataFetcherTest.java
+++ b/wsmaster/che-core-api-factory-bitbucket-server/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerUserDataFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -16,6 +16,7 @@
 import static org.testng.Assert.assertEquals;
 
 import java.net.MalformedURLException;
+import java.util.Collections;
 import org.eclipse.che.api.factory.server.bitbucket.server.BitbucketServerApiClient;
 import org.eclipse.che.api.factory.server.bitbucket.server.BitbucketUser;
 import org.eclipse.che.api.factory.server.scm.GitUserData;
@@ -43,7 +44,8 @@ public class BitbucketServerUserDataFetcherTest {
 
   @BeforeMethod
   public void setup() throws MalformedURLException {
-    subject = new SubjectImpl("another_user", "user987", "token111", false);
+    subject =
+        new SubjectImpl("another_user", Collections.emptyList(), "user987", "token111", false);
     bitbucketUser =
         new BitbucketUser("User", "user", 32423523, "NORMAL", true, "user", "user@users.com");
     fetcher =
diff --git a/wsmaster/che-core-api-factory-bitbucket/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketPersonalAccessTokenFetcherTest.java b/wsmaster/che-core-api-factory-bitbucket/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketPersonalAccessTokenFetcherTest.java
index 4e07ea24c9a..e3ef31804df 100644
--- a/wsmaster/che-core-api-factory-bitbucket/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketPersonalAccessTokenFetcherTest.java
+++ b/wsmaster/che-core-api-factory-bitbucket/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketPersonalAccessTokenFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -28,6 +28,7 @@
 import com.github.tomakehurst.wiremock.client.WireMock;
 import com.github.tomakehurst.wiremock.common.Slf4jNotifier;
 import com.google.common.net.HttpHeaders;
+import java.util.Collections;
 import java.util.Optional;
 import org.eclipse.che.api.auth.shared.dto.OAuthToken;
 import org.eclipse.che.api.core.UnauthorizedException;
@@ -103,7 +104,7 @@ public void shouldNotValidateSCMServerWithTrailingSlash() throws Exception {
       expectedExceptionsMessageRegExp =
           "Current token doesn't have the necessary privileges. Please make sure Che app scopes are correct and containing at least: repository:write and account")
   public void shouldThrowExceptionOnInsufficientTokenScopes() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(bitbucketOauthToken).withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
 
@@ -124,7 +125,7 @@ public void shouldThrowExceptionOnInsufficientTokenScopes() throws Exception {
       expectedExceptions = ScmUnauthorizedException.class,
       expectedExceptionsMessageRegExp = "Username is not authorized in bitbucket OAuth provider.")
   public void shouldThrowUnauthorizedExceptionWhenUserNotLoggedIn() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     when(oAuthAPI.getOrRefreshToken(anyString())).thenThrow(UnauthorizedException.class);
 
     bitbucketPersonalAccessTokenFetcher.fetchPersonalAccessToken(
@@ -133,7 +134,7 @@ public void shouldThrowUnauthorizedExceptionWhenUserNotLoggedIn() throws Excepti
 
   @Test
   public void shouldReturnToken() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken =
         newDto(OAuthToken.class).withToken(bitbucketOauthToken).withScope("repo");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
@@ -230,7 +231,7 @@ public void shouldNotValidateExpiredOauthToken() throws Exception {
       expectedExceptions = ScmUnauthorizedException.class,
       expectedExceptionsMessageRegExp = "Username is not authorized in bitbucket OAuth provider.")
   public void shouldThrowUnauthorizedExceptionIfTokenIsNotValid() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(bitbucketOauthToken).withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
     stubFor(
diff --git a/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java b/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java
index 2bf561c630a..b5686dd76e6 100644
--- a/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java
+++ b/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -140,7 +140,7 @@ public void testContainsScope() {
       expectedExceptionsMessageRegExp =
           "Current token doesn't have the necessary privileges. Please make sure Che app scopes are correct and containing at least: \\[repo, user:email, read:user, read:org, workflow]")
   public void shouldThrowExceptionOnInsufficientTokenScopes() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(githubOauthToken).withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
 
@@ -160,7 +160,7 @@ public void shouldThrowExceptionOnInsufficientTokenScopes() throws Exception {
       expectedExceptions = ScmUnauthorizedException.class,
       expectedExceptionsMessageRegExp = "Username is not authorized in github OAuth provider.")
   public void shouldThrowUnauthorizedExceptionWhenUserNotLoggedIn() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     when(oAuthAPI.getOrRefreshToken(anyString())).thenThrow(UnauthorizedException.class);
 
     githubPATFetcher.fetchPersonalAccessToken(subject, wireMockServer.url("/"));
@@ -170,7 +170,7 @@ public void shouldThrowUnauthorizedExceptionWhenUserNotLoggedIn() throws Excepti
       expectedExceptions = ScmUnauthorizedException.class,
       expectedExceptionsMessageRegExp = "Username is not authorized in github OAuth provider.")
   public void shouldThrowUnauthorizedExceptionIfTokenIsNotValid() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(githubOauthToken).withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
     stubFor(
@@ -183,7 +183,7 @@ public void shouldThrowUnauthorizedExceptionIfTokenIsNotValid() throws Exception
 
   @Test
   public void shouldReturnToken() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken(githubOauthToken);
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
 
diff --git a/wsmaster/che-core-api-factory-gitlab/src/test/java/org/eclipse/che/api/factory/server/gitlab/GitlabOAuthTokenFetcherTest.java b/wsmaster/che-core-api-factory-gitlab/src/test/java/org/eclipse/che/api/factory/server/gitlab/GitlabOAuthTokenFetcherTest.java
index 926408df4ca..3d5defe49ae 100644
--- a/wsmaster/che-core-api-factory-gitlab/src/test/java/org/eclipse/che/api/factory/server/gitlab/GitlabOAuthTokenFetcherTest.java
+++ b/wsmaster/che-core-api-factory-gitlab/src/test/java/org/eclipse/che/api/factory/server/gitlab/GitlabOAuthTokenFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -28,6 +28,7 @@
 import com.github.tomakehurst.wiremock.client.WireMock;
 import com.github.tomakehurst.wiremock.common.Slf4jNotifier;
 import com.google.common.net.HttpHeaders;
+import java.util.Collections;
 import java.util.Optional;
 import org.eclipse.che.api.auth.shared.dto.OAuthToken;
 import org.eclipse.che.api.core.UnauthorizedException;
@@ -76,7 +77,7 @@ void stop() {
       expectedExceptionsMessageRegExp =
           "Current token doesn't have the necessary privileges. Please make sure Che app scopes are correct and containing at least: \\[api, write_repository]")
   public void shouldThrowExceptionOnInsufficientTokenScopes() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken("oauthtoken").withScope("api repo");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
 
@@ -103,7 +104,7 @@ public void shouldThrowExceptionOnInsufficientTokenScopes() throws Exception {
       expectedExceptions = ScmUnauthorizedException.class,
       expectedExceptionsMessageRegExp = "Username is not authorized in gitlab OAuth provider.")
   public void shouldThrowUnauthorizedExceptionWhenUserNotLoggedIn() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     when(oAuthAPI.getOrRefreshToken(anyString())).thenThrow(UnauthorizedException.class);
 
     oAuthTokenFetcher.fetchPersonalAccessToken(subject, wireMockServer.url("/"));
@@ -111,7 +112,7 @@ public void shouldThrowUnauthorizedExceptionWhenUserNotLoggedIn() throws Excepti
 
   @Test
   public void shouldReturnToken() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken =
         newDto(OAuthToken.class).withToken("oauthtoken").withScope("api write_repository openid");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
@@ -143,7 +144,7 @@ public void shouldReturnToken() throws Exception {
           "OAuth 2 is not configured for SCM provider \\[gitlab\\]. For details, refer "
               + "the documentation in section of SCM providers configuration.")
   public void shouldThrowScmCommunicationExceptionWhenNoOauthIsConfigured() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     GitlabOAuthTokenFetcher localFetcher =
         new GitlabOAuthTokenFetcher(wireMockServer.url("/"), "http://che.api", null);
     localFetcher.fetchPersonalAccessToken(subject, wireMockServer.url("/"));
@@ -185,7 +186,7 @@ public void shouldValidateOAuthToken() throws Exception {
       expectedExceptions = ScmUnauthorizedException.class,
       expectedExceptionsMessageRegExp = "Username is not authorized in gitlab OAuth provider.")
   public void shouldThrowUnauthorizedExceptionIfTokenIsNotValid() throws Exception {
-    Subject subject = new SubjectImpl("Username", "id1", "token", false);
+    Subject subject = new SubjectImpl("Username", Collections.emptyList(), "id1", "token", false);
     OAuthToken oAuthToken = newDto(OAuthToken.class).withToken("token").withScope("");
     when(oAuthAPI.getOrRefreshToken(anyString())).thenReturn(oAuthToken);
     stubFor(
diff --git a/wsmaster/che-core-api-factory/src/test/java/org/eclipse/che/api/factory/server/FactoryServiceTest.java b/wsmaster/che-core-api-factory/src/test/java/org/eclipse/che/api/factory/server/FactoryServiceTest.java
index 1308f975016..dd7d2c72af3 100644
--- a/wsmaster/che-core-api-factory/src/test/java/org/eclipse/che/api/factory/server/FactoryServiceTest.java
+++ b/wsmaster/che-core-api-factory/src/test/java/org/eclipse/che/api/factory/server/FactoryServiceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -38,6 +38,7 @@
 import io.restassured.http.ContentType;
 import io.restassured.response.Response;
 import java.lang.reflect.Field;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -136,7 +137,9 @@ public static class EnvironmentFilter implements RequestFilter {
     @Override
     public void doFilter(GenericContainerRequest request) {
       EnvironmentContext context = EnvironmentContext.getCurrent();
-      context.setSubject(new SubjectImpl(ADMIN_USER_NAME, USER_ID, ADMIN_USER_PASSWORD, false));
+      context.setSubject(
+          new SubjectImpl(
+              ADMIN_USER_NAME, Collections.emptyList(), USER_ID, ADMIN_USER_PASSWORD, false));
     }
   }
 
diff --git a/wsmaster/che-core-api-logger/src/test/java/org/eclipse/che/api/logger/LoggerServiceTest.java b/wsmaster/che-core-api-logger/src/test/java/org/eclipse/che/api/logger/LoggerServiceTest.java
index 3dd72a48b82..9e8c5d1ff21 100644
--- a/wsmaster/che-core-api-logger/src/test/java/org/eclipse/che/api/logger/LoggerServiceTest.java
+++ b/wsmaster/che-core-api-logger/src/test/java/org/eclipse/che/api/logger/LoggerServiceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -21,6 +21,7 @@
 import static org.testng.Assert.assertTrue;
 
 import io.restassured.response.Response;
+import java.util.Collections;
 import java.util.List;
 import org.eclipse.che.api.core.rest.ApiExceptionMapper;
 import org.eclipse.che.api.core.rest.shared.dto.ServiceError;
@@ -191,7 +192,7 @@ public static class EnvironmentFilter implements RequestFilter {
     @Override
     public void doFilter(GenericContainerRequest request) {
       EnvironmentContext.getCurrent()
-          .setSubject(new SubjectImpl(NAMESPACE, USER_ID, "token", false));
+          .setSubject(new SubjectImpl(NAMESPACE, Collections.emptyList(), USER_ID, "token", false));
     }
   }
 }
diff --git a/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java b/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
index e11d9e4592a..de9f0717eb8 100644
--- a/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
+++ b/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2025 Red Hat, Inc.
+ * Copyright (c) 2012-2026 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -12,69 +12,28 @@
 package org.eclipse.che.api.workspace.server;
 
 import static java.util.Arrays.asList;
-import static java.util.Collections.emptyMap;
-import static java.util.Collections.singletonList;
-import static java.util.Collections.singletonMap;
+import static java.util.Collections.*;
 import static java.util.Map.of;
-import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.RUNNING;
-import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.STARTING;
-import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.STOPPED;
+import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.*;
 import static org.eclipse.che.api.core.model.workspace.config.MachineConfig.MEMORY_LIMIT_ATTRIBUTE;
 import static org.eclipse.che.api.workspace.server.devfile.Constants.CURRENT_API_VERSION;
-import static org.eclipse.che.api.workspace.shared.Constants.CREATED_ATTRIBUTE_NAME;
-import static org.eclipse.che.api.workspace.shared.Constants.ERROR_MESSAGE_ATTRIBUTE_NAME;
-import static org.eclipse.che.api.workspace.shared.Constants.LAST_ACTIVE_INFRASTRUCTURE_NAMESPACE;
-import static org.eclipse.che.api.workspace.shared.Constants.LAST_ACTIVITY_TIME;
-import static org.eclipse.che.api.workspace.shared.Constants.REMOVE_WORKSPACE_AFTER_STOP;
-import static org.eclipse.che.api.workspace.shared.Constants.STOPPED_ABNORMALLY_ATTRIBUTE_NAME;
-import static org.eclipse.che.api.workspace.shared.Constants.STOPPED_ATTRIBUTE_NAME;
-import static org.eclipse.che.api.workspace.shared.Constants.UPDATED_ATTRIBUTE_NAME;
-import static org.eclipse.che.api.workspace.shared.Constants.WORKSPACE_GENERATE_NAME_CHARS_APPEND;
-import static org.eclipse.che.api.workspace.shared.Constants.WORKSPACE_INFRASTRUCTURE_NAMESPACE_ATTRIBUTE;
+import static org.eclipse.che.api.workspace.shared.Constants.*;
 import static org.eclipse.che.dto.server.DtoFactory.newDto;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.ArgumentMatchers.anyLong;
-import static org.mockito.ArgumentMatchers.anyMap;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.atLeastOnce;
-import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.doThrow;
-import static org.mockito.Mockito.lenient;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-import static org.testng.Assert.assertEquals;
-import static org.testng.Assert.assertFalse;
-import static org.testng.Assert.assertNotNull;
-import static org.testng.Assert.assertNull;
-import static org.testng.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.*;
+import static org.testng.Assert.*;
 import static org.testng.util.Strings.isNullOrEmpty;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import java.time.Clock;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import org.eclipse.che.account.api.AccountManager;
 import org.eclipse.che.account.spi.AccountImpl;
-import org.eclipse.che.api.core.ConflictException;
-import org.eclipse.che.api.core.NotFoundException;
-import org.eclipse.che.api.core.Page;
-import org.eclipse.che.api.core.ServerException;
-import org.eclipse.che.api.core.ValidationException;
+import org.eclipse.che.api.core.*;
+import org.eclipse.che.api.core.model.workspace.*;
 import org.eclipse.che.api.core.model.workspace.Runtime;
-import org.eclipse.che.api.core.model.workspace.Warning;
-import org.eclipse.che.api.core.model.workspace.Workspace;
-import org.eclipse.che.api.core.model.workspace.WorkspaceConfig;
-import org.eclipse.che.api.core.model.workspace.WorkspaceStatus;
 import org.eclipse.che.api.core.model.workspace.config.Command;
 import org.eclipse.che.api.core.model.workspace.config.Environment;
 import org.eclipse.che.api.core.model.workspace.devfile.Devfile;
@@ -85,16 +44,7 @@
 import org.eclipse.che.api.workspace.server.devfile.convert.DevfileConverter;
 import org.eclipse.che.api.workspace.server.devfile.exception.DevfileFormatException;
 import org.eclipse.che.api.workspace.server.devfile.validator.DevfileIntegrityValidator;
-import org.eclipse.che.api.workspace.server.model.impl.CommandImpl;
-import org.eclipse.che.api.workspace.server.model.impl.EnvironmentImpl;
-import org.eclipse.che.api.workspace.server.model.impl.MachineConfigImpl;
-import org.eclipse.che.api.workspace.server.model.impl.MachineImpl;
-import org.eclipse.che.api.workspace.server.model.impl.RecipeImpl;
-import org.eclipse.che.api.workspace.server.model.impl.RuntimeImpl;
-import org.eclipse.che.api.workspace.server.model.impl.ServerConfigImpl;
-import org.eclipse.che.api.workspace.server.model.impl.WarningImpl;
-import org.eclipse.che.api.workspace.server.model.impl.WorkspaceConfigImpl;
-import org.eclipse.che.api.workspace.server.model.impl.WorkspaceImpl;
+import org.eclipse.che.api.workspace.server.model.impl.*;
 import org.eclipse.che.api.workspace.server.model.impl.devfile.DevfileImpl;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext;
@@ -170,7 +120,7 @@ public void setUp() throws Exception {
         new EnvironmentContext() {
           @Override
           public Subject getSubject() {
-            return new SubjectImpl(NAMESPACE_1, USER_ID, "token", false);
+            return new SubjectImpl(NAMESPACE_1, Collections.emptyList(), USER_ID, "token", false);
           }
         });
 

From fc441806d0ff7e0a5063f57b087c7de5a21a4b92 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Mon, 2 Feb 2026 17:32:53 +0100
Subject: [PATCH 2/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../src/main/webapp/WEB-INF/classes/che/multiuser.properties    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
index b67eb3ed83b..c10bb411b89 100644
--- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
@@ -98,7 +98,7 @@ che.oidc.username_prefix=NULL
 
 # Claim to be used for extracting user group membership from the JWT token.
 # If not defined, group information will not be extracted from the token.
-che.oidc.group_claim=NULL
+che.oidc.groups_claim=NULL
 
 # Prefix to be prepended to group names extracted from the OIDC token.
 # If not defined, no prefix will be added.

From 8a2ca17c6df13fdd13bcc9c98f10b2df7983786c Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Tue, 3 Feb 2026 09:45:10 +0100
Subject: [PATCH 3/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../eclipse/che/api/deploy/WsMasterModule.java | 16 ++++++++--------
 .../che/api/deploy/WsMasterServletModule.java  | 18 +++++++++---------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
index 3e95fea354a..cd60eab1353 100644
--- a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
+++ b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java
@@ -356,14 +356,14 @@ private void configureMultiUserMode(
     bind(org.eclipse.che.multiuser.permission.workspace.activity.ActivityPermissionsFilter.class);
 
     bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
-    if (isOIDCProviderConfigured()) {
+    if (isOpenShiftOAuthEnabled()) {
+      bind(AuthorizationChecker.class).to(OpenShiftAuthorizationCheckerImpl.class);
+    } else {
       bind(OIDCInfo.class).toProvider(OIDCInfoProvider.class).asEagerSingleton();
       bind(SigningKeyResolver.class).to(OIDCSigningKeyResolver.class);
       bind(JwtParser.class).toProvider(OIDCJwtParserProvider.class);
       bind(JwkProvider.class).toProvider(OIDCJwkProvider.class);
       bind(AuthorizationChecker.class).to(KubernetesOIDCAuthorizationCheckerImpl.class);
-    } else {
-      bind(AuthorizationChecker.class).to(OpenShiftAuthorizationCheckerImpl.class);
     }
     bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
     bind(ProfileDao.class).to(JpaProfileDao.class);
@@ -471,14 +471,14 @@ private void installDefaultSecureServerExposer(String infrastructure) {
     }
   }
 
-  private boolean isOIDCProviderConfigured() {
+  private boolean isOpenShiftOAuthEnabled() {
     String openShiftOAuthEnabled = System.getenv("CHE_INFRA_OPENSHIFT_OAUTH__ENABLED");
 
-    if (isNullOrEmpty(openShiftOAuthEnabled)) {
-      String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
-      return KubernetesInfrastructure.NAME.equals(infrastructure);
+    if (!isNullOrEmpty(openShiftOAuthEnabled)) {
+      return Boolean.valueOf(openShiftOAuthEnabled);
     }
 
-    return !Boolean.valueOf(openShiftOAuthEnabled);
+    String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
+    return OpenShiftInfrastructure.NAME.equals(infrastructure);
   }
 }
diff --git a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java
index 598af6be94d..d218c28dd58 100644
--- a/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java
+++ b/assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java
@@ -19,7 +19,7 @@
 import org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter;
 import org.eclipse.che.inject.DynaModule;
 import org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter;
-import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
+import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
 import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter;
 import org.everrest.guice.servlet.GuiceEverrestServlet;
 import org.slf4j.Logger;
@@ -67,21 +67,21 @@ private boolean isCheCorsEnabled() {
   }
 
   private void configureNativeUserMode() {
-    if (isOIDCProviderConfigured()) {
-      filter("/*").through(OidcTokenInitializationFilter.class);
-    } else {
+    if (isOpenShiftOAuthEnabled()) {
       filter("/*").through(OpenshiftTokenInitializationFilter.class);
+    } else {
+      filter("/*").through(OidcTokenInitializationFilter.class);
     }
   }
 
-  private boolean isOIDCProviderConfigured() {
+  private boolean isOpenShiftOAuthEnabled() {
     String openShiftOAuthEnabled = System.getenv("CHE_INFRA_OPENSHIFT_OAUTH__ENABLED");
 
-    if (isNullOrEmpty(openShiftOAuthEnabled)) {
-      String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
-      return KubernetesInfrastructure.NAME.equals(infrastructure);
+    if (!isNullOrEmpty(openShiftOAuthEnabled)) {
+      return Boolean.valueOf(openShiftOAuthEnabled);
     }
 
-    return !Boolean.valueOf(openShiftOAuthEnabled);
+    String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
+    return OpenShiftInfrastructure.NAME.equals(infrastructure);
   }
 }

From 6294bfe5ba41055c54e43ddc02fe8439489385b3 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Wed, 4 Feb 2026 16:31:41 +0100
Subject: [PATCH 4/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../KubernetesAuthorizationCheckerTest.java   |  4 +-
 .../OidcTokenInitializationFilterTest.java    |  4 +-
 .../server/WorkspaceManagerTest.java          | 55 ++++++++++++++++---
 3 files changed, 51 insertions(+), 12 deletions(-)

diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java
index 6a560c70ad7..e29f2c0d54b 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/authorization/KubernetesAuthorizationCheckerTest.java
@@ -11,9 +11,7 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.authorization;
 
-import static org.mockito.Mockito.*;
-
-import java.util.*;
+import java.util.Arrays;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.commons.subject.Subject;
 import org.eclipse.che.commons.subject.SubjectImpl;
diff --git a/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java b/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java
index 36689aa9df5..47b3b9122cd 100644
--- a/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java
+++ b/multiuser/oidc/src/test/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilterTest.java
@@ -11,7 +11,9 @@
  */
 package org.eclipse.che.multiuser.oidc.filter;
 
-import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.*;
+import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.DEFAULT_EMAIL_CLAIM;
+import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.DEFAULT_GROUPS_CLAIM;
+import static org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.DEFAULT_USERNAME_CLAIM;
 import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
diff --git a/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java b/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
index de9f0717eb8..a8c3ddd48b4 100644
--- a/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
+++ b/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
@@ -12,26 +12,65 @@
 package org.eclipse.che.api.workspace.server;
 
 import static java.util.Arrays.asList;
-import static java.util.Collections.*;
+import static java.util.Collections.emptyMap;
+import static java.util.Collections.singletonList;
+import static java.util.Collections.singletonMap;
 import static java.util.Map.of;
-import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.*;
+import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.RUNNING;
+import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.STARTING;
+import static org.eclipse.che.api.core.model.workspace.WorkspaceStatus.STOPPED;
 import static org.eclipse.che.api.core.model.workspace.config.MachineConfig.MEMORY_LIMIT_ATTRIBUTE;
 import static org.eclipse.che.api.workspace.server.devfile.Constants.CURRENT_API_VERSION;
-import static org.eclipse.che.api.workspace.shared.Constants.*;
+import static org.eclipse.che.api.workspace.shared.Constants.CREATED_ATTRIBUTE_NAME;
+import static org.eclipse.che.api.workspace.shared.Constants.ERROR_MESSAGE_ATTRIBUTE_NAME;
+import static org.eclipse.che.api.workspace.shared.Constants.LAST_ACTIVE_INFRASTRUCTURE_NAMESPACE;
+import static org.eclipse.che.api.workspace.shared.Constants.LAST_ACTIVITY_TIME;
+import static org.eclipse.che.api.workspace.shared.Constants.REMOVE_WORKSPACE_AFTER_STOP;
+import static org.eclipse.che.api.workspace.shared.Constants.STOPPED_ABNORMALLY_ATTRIBUTE_NAME;
+import static org.eclipse.che.api.workspace.shared.Constants.STOPPED_ATTRIBUTE_NAME;
+import static org.eclipse.che.api.workspace.shared.Constants.UPDATED_ATTRIBUTE_NAME;
+import static org.eclipse.che.api.workspace.shared.Constants.WORKSPACE_GENERATE_NAME_CHARS_APPEND;
+import static org.eclipse.che.api.workspace.shared.Constants.WORKSPACE_INFRASTRUCTURE_NAMESPACE_ATTRIBUTE;
 import static org.eclipse.che.dto.server.DtoFactory.newDto;
-import static org.mockito.ArgumentMatchers.*;
-import static org.mockito.Mockito.*;
-import static org.testng.Assert.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyLong;
+import static org.mockito.ArgumentMatchers.anyMap;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertNotNull;
+import static org.testng.Assert.assertNull;
+import static org.testng.Assert.assertTrue;
 import static org.testng.util.Strings.isNullOrEmpty;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import java.time.Clock;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import org.eclipse.che.account.api.AccountManager;
 import org.eclipse.che.account.spi.AccountImpl;
-import org.eclipse.che.api.core.*;
+import org.eclipse.che.api.core.ConflictException;
+import org.eclipse.che.api.core.NotFoundException;
+import org.eclipse.che.api.core.Page;
+import org.eclipse.che.api.core.ServerException;
+import org.eclipse.che.api.core.ValidationException;
 import org.eclipse.che.api.core.model.workspace.*;
 import org.eclipse.che.api.core.model.workspace.Runtime;
 import org.eclipse.che.api.core.model.workspace.config.Command;

From d9bca4972a5df2e0920b445836caec73a508eb8a Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Wed, 4 Feb 2026 16:32:53 +0100
Subject: [PATCH 5/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../workspace/server/WorkspaceManagerTest.java   | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java b/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
index a8c3ddd48b4..a88ff99a84d 100644
--- a/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
+++ b/wsmaster/che-core-api-workspace/src/test/java/org/eclipse/che/api/workspace/server/WorkspaceManagerTest.java
@@ -71,8 +71,11 @@
 import org.eclipse.che.api.core.Page;
 import org.eclipse.che.api.core.ServerException;
 import org.eclipse.che.api.core.ValidationException;
-import org.eclipse.che.api.core.model.workspace.*;
 import org.eclipse.che.api.core.model.workspace.Runtime;
+import org.eclipse.che.api.core.model.workspace.Warning;
+import org.eclipse.che.api.core.model.workspace.Workspace;
+import org.eclipse.che.api.core.model.workspace.WorkspaceConfig;
+import org.eclipse.che.api.core.model.workspace.WorkspaceStatus;
 import org.eclipse.che.api.core.model.workspace.config.Command;
 import org.eclipse.che.api.core.model.workspace.config.Environment;
 import org.eclipse.che.api.core.model.workspace.devfile.Devfile;
@@ -83,7 +86,16 @@
 import org.eclipse.che.api.workspace.server.devfile.convert.DevfileConverter;
 import org.eclipse.che.api.workspace.server.devfile.exception.DevfileFormatException;
 import org.eclipse.che.api.workspace.server.devfile.validator.DevfileIntegrityValidator;
-import org.eclipse.che.api.workspace.server.model.impl.*;
+import org.eclipse.che.api.workspace.server.model.impl.CommandImpl;
+import org.eclipse.che.api.workspace.server.model.impl.EnvironmentImpl;
+import org.eclipse.che.api.workspace.server.model.impl.MachineConfigImpl;
+import org.eclipse.che.api.workspace.server.model.impl.MachineImpl;
+import org.eclipse.che.api.workspace.server.model.impl.RecipeImpl;
+import org.eclipse.che.api.workspace.server.model.impl.RuntimeImpl;
+import org.eclipse.che.api.workspace.server.model.impl.ServerConfigImpl;
+import org.eclipse.che.api.workspace.server.model.impl.WarningImpl;
+import org.eclipse.che.api.workspace.server.model.impl.WorkspaceConfigImpl;
+import org.eclipse.che.api.workspace.server.model.impl.WorkspaceImpl;
 import org.eclipse.che.api.workspace.server.model.impl.devfile.DevfileImpl;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext;

From 614ab9bd87657c5f13ed5f8cfcee067864b688e5 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Mon, 9 Feb 2026 10:12:29 +0100
Subject: [PATCH 6/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../filter/OidcTokenInitializationFilter.java    | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
index eb9f81569eb..0e36828fad7 100644
--- a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
+++ b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
@@ -106,14 +106,16 @@ protected Subject extractSubject(String token, Jws<Claims> processedToken) {
 
     List<String> groups = new ArrayList<>();
     Object groupClaim = claims.get(this.groupsClaim);
-    if (groupClaim instanceof Iterable) {
-      for (Object group : ((Iterable<?>) groupClaim)) {
-        groups.add(groupPrefix + group);
+    if (groupClaim != null) {
+      if (groupClaim instanceof Iterable) {
+        for (Object group : ((Iterable<?>) groupClaim)) {
+          groups.add(groupPrefix + group);
+        }
+      } else if (groupClaim instanceof String) {
+        groups.add(groupPrefix + groupClaim);
+      } else {
+        LOG.warn("Groups claim '{}' is not a String or Iterable, skipping groups", this.groupsClaim);
       }
-    } else if (groupClaim instanceof String) {
-      groups.add(groupPrefix + groupClaim);
-    } else {
-      LOG.warn("Groups claim '{}' is not a String or Iterable, skipping groups", this.groupsClaim);
     }
 
     return new AuthorizedSubject(

From 63bcd993e0ea957407b22800affdcc528acfab09 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko <abazko@redhat.com>
Date: Mon, 9 Feb 2026 10:21:24 +0100
Subject: [PATCH 7/7] feat: Support OpenShift external IDP

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
---
 .../multiuser/oidc/filter/OidcTokenInitializationFilter.java   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
index 0e36828fad7..834a4560e61 100644
--- a/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
+++ b/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java
@@ -114,7 +114,8 @@ protected Subject extractSubject(String token, Jws<Claims> processedToken) {
       } else if (groupClaim instanceof String) {
         groups.add(groupPrefix + groupClaim);
       } else {
-        LOG.warn("Groups claim '{}' is not a String or Iterable, skipping groups", this.groupsClaim);
+        LOG.warn(
+            "Groups claim '{}' is not a String or Iterable, skipping groups", this.groupsClaim);
       }
     }