Generic OIDC - Login filter

[staeglis]

I tried to set up a login filter using the pam_allow_groups option. However, it seems that this doesn't have any effect. Is this actually supported when using Generic OIDC? The ID provider is a Keycloak.

[iLikeToCode]

There's no guarantee of group membership when using OIDC, so I'm not sure how we could implement this. We could probably implement specific user filtering fairly easily, but groups may be a bit harder.

[dmulder]

I think some OIDC providers do supply a groups claim, so we need to request this and utilize it where possible.