oauth2-proxy groups claim

I'm trying to do the oauth2_proxy allowed_groups bit from the guide https://zitadel.com/docs/examples/identity-proxy/oauth2-proxy#check-for-groups but i cant seem to figure out how to get the custom_roles.js to work
looking at the source of

custom_roles.js

custom_roles.js

it looks like for the

oidc_groups_claim

oidc_groups_claim

i want to use

my:zitadel:grants

my:zitadel:grants

and then in

allowed_groups

allowed_groups

it looks like i want to use

<projectid>:rolename

<projectid>:rolename

where

<projectid

<projectid

is the value

resource id

resource id

from the project but i just get permission denied
is there some place i can see what those claims would be for debugging purposes?

OAuth2-proxy is a project which allows services to delegate the authentication flow to a IDP, for example ZITADEL