From 835f76bf58358973b3e53e9cc9459631102ee7ae Mon Sep 17 00:00:00 2001 From: nesbyte <63811145+nesbyte@users.noreply.github.com> Date: Mon, 18 May 2026 23:31:46 +0300 Subject: [PATCH] feat(docs): how to troubleshoot admin_group_regex with oidc (#684) Added instructions for identifying claims in OIDC user info payload for admin rights. --- docs/documentation/configuration/overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md index af3c632..5157f9e 100644 --- a/docs/documentation/configuration/overview.md +++ b/docs/documentation/configuration/overview.md @@ -602,6 +602,7 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`: - **Description:** WgPortal can grant a user admin rights by matching the value of the `is_admin` claim against a regular expression. Alternatively, a regular expression can be used to check if a user is member of a specific group listed in the `user_group` claim. The regular expressions are defined in `admin_value_regex` and `admin_group_regex`. - `admin_value_regex`: A regular expression to match the `is_admin` claim. By default, this expression matches the string "true" (`^true$`). - `admin_group_regex`: A regular expression to match the `user_groups` claim. Each entry in the `user_groups` claim is checked against this regex. + - To identify which claim to match against, set log_level: debug and reload the config. Log in with the intended admin account and inspect the logs for the OIDC user info payload. If the required claim is missing it must be added by the OIDC provider. If it is present, use its value as the pattern for admin_group_regex. #### `registration_enabled` - **Default:** `false`
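Review bot: the last sentence of the added bullet ("use its value as the pattern for admin_group_regex") tells the reader to paste a claim value in as a regular expression without saying to anchor or escape it. The `admin_value_regex` default two lines above is anchored (`^true$`), and each `user_groups` entry is checked against this regex, so a bare group name may also match other entries that merely contain it, and this match decides admin rights. Suggest wording along the lines of "use its value, anchored and with regex metacharacters escaped (`^<group-name>$`), as the pattern for `admin_group_regex`". Two smaller points on the same line: the procedure leaves debug logging on, and by this text the debug log contains the OIDC user info payload, so add a step to restore the previous `log_level` once the claim has been identified. Also, `log_level: debug` and `admin_group_regex` should be in backticks like the other configuration keys in this list.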