I am using Jenkins Login with Openid Connect (Amazon Cognito). I am able to use group-based authorization. I can see my groups in Granted Authorities: authenticated,<cognito group>

But when I try making API call, it gives me a "403" error saying "Missing overall read permissions". 

I am using API token created using <Jenkins url>/configure/me

It is only allowing in case I give "Read" access to the anonymous group in Jenkins, which I couldn't give in my production environment.

Issue::

Jenkins is not able to read neither SSO users authorized in groups nor in the authenticated group.