Add support for auth.oidc.allowed_user_groups (#667) (#668)

Signed-off-by: Michael Tupitsyn <michael.tupitsyn@gmail.com>
2026-04-12 02:16:30 +00:00 · 2026-04-11 09:24:18 -07:00
parent 401642701a
commit 9b437205b1
10 changed files with 106 additions and 1 deletions
--- a/docs/documentation/usage/authentication.md
+++ b/docs/documentation/usage/authentication.md
@@ -66,6 +66,40 @@ auth:
        - "outlook.com"
 ```

+#### Limiting Login to Specific User Groups
+
+You can limit the login to specific user groups by setting the `allowed_user_groups` property for OAuth2 or OIDC providers.
+If this property is not empty, the user's `user_groups` claim must contain at least one matching group.
+
+To use this feature, ensure your group claim is mapped via `field_map.user_groups`.
+
+```yaml
+auth:
+  oidc:
+    - provider_name: "oidc1"
+      # ... other settings
+      allowed_user_groups:
+        - "wg-users"
+        - "wg-admins"
+      field_map:
+        user_groups: "groups"
+```
+
+If `allowed_user_groups` is configured and the authenticated user has no matching group in `user_groups`, login is denied.
+
+Minimal deny-by-group example:
+
+```yaml
+auth:
+  oauth:
+    - provider_name: "oauth1"
+      # ... other settings
+      allowed_user_groups:
+        - "vpn-users"
+      field_map:
+        user_groups: "groups"
+```
+
 #### Limit Login to Existing Users

 You can limit the login to existing users only by setting the `registration_enabled` property to `false` for OAuth2 or OIDC providers.