
That was a battle I fought with some developer consultancy not long ago. I won't tell the whole story, but I will say that if you have issues with JWT tokens that are too big due to the number of groups each user has, you probably do need to use JWTs and you are most definitely doing it wrong and should educate yourself or bring in a consultant who at least gets the difference between authentication and authorization.



I made a lot of money in my life because I knew the difference. Oh, and XSS paid the bills for a couple of decades :)



