Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2026-04-12 10:26:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Add support for auth.oidc.allowed_user_groups (#667) (#668)
Some checks are pending
Docker / Build and Push (push) Waiting to run
Details
Docker / release (push) Blocked by required conditions
Details
github-pages / deploy (push) Waiting to run
Details

Browse Source 
Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com>
This commit is contained in:
Michael Tupitsyn
2026-04-11 09:24:18 -07:00
committed by GitHub
parent 401642701a
commit 9b437205b1
10 changed files with 106 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/documentation/configuration/examples.md
View File

@@ -144,6 +144,9 @@ auth:
extra_scopes:
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
allowed_user_groups:
- the-admin-group
- vpn-users
field_map:
user_identifier: sub
email: email
@@ -201,6 +204,9 @@ auth:
- email
- profile
- i-want-some-groups
allowed_user_groups:
- admin-group-name
- vpn-users
field_map:
email: email
firstname: name

8
docs/documentation/configuration/overview.md
View File

@@ -561,6 +561,10 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`:
- **Default:** *(empty)*
- **Description:** A list of allowlisted domains. Only users with email addresses in these domains can log in or register. This is useful for restricting access to specific organizations or groups.
#### `allowed_user_groups`
- **Default:** *(empty)*
- **Description:** A list of allowlisted user groups. If configured, at least one entry in the mapped `user_groups` claim must match one of these values.
#### `field_map`
- **Default:** *(empty)*
- **Description:** Maps OIDC claims to WireGuard Portal user fields.
@@ -639,6 +643,10 @@ Below are the properties for each OAuth provider entry inside `auth.oauth`:
- **Default:** *(empty)*
- **Description:** A list of allowlisted domains. Only users with email addresses in these domains can log in or register. This is useful for restricting access to specific organizations or groups.
#### `allowed_user_groups`
- **Default:** *(empty)*
- **Description:** A list of allowlisted user groups. If configured, at least one entry in the mapped `user_groups` claim must match one of these values.
#### `field_map`
- **Default:** *(empty)*
- **Description:** Maps OAuth attributes to WireGuard Portal fields.

34
docs/documentation/usage/authentication.md
View File

@@ -66,6 +66,40 @@ auth:
- "outlook.com"
```
#### Limiting Login to Specific User Groups
You can limit the login to specific user groups by setting the `allowed_user_groups` property for OAuth2 or OIDC providers.
If this property is not empty, the user's `user_groups` claim must contain at least one matching group.
To use this feature, ensure your group claim is mapped via `field_map.user_groups`.
```yaml
auth:
oidc:
- provider_name: "oidc1"
# ... other settings
allowed_user_groups:
- "wg-users"
- "wg-admins"
field_map:
user_groups: "groups"
```
If `allowed_user_groups` is configured and the authenticated user has no matching group in `user_groups`, login is denied.
Minimal deny-by-group example:
```yaml
auth:
oauth:
- provider_name: "oauth1"
# ... other settings
allowed_user_groups:
- "vpn-users"
field_map:
user_groups: "groups"
```
#### Limit Login to Existing Users
You can limit the login to existing users only by setting the `registration_enabled` property to `false` for OAuth2 or OIDC providers.