Open tobhv opened 11 months ago
We really need this too... This is a huge security improvement and solving this on the identity provider (AWS Cognito) is impossible.
You may be able to accomplish this through your OIDC provider, depending on what you're using. In Authelia, for instance, you can set a custom auth policy for a particular OIDC client.
Hello,
I would like to have an option in Harbor that prevents access / user onboarding to Harbor based on user OIDC group membership and/or user role assignment.
Example method used by another cloud-native tool, GitLab: https://docs.gitlab.com/ee/administration/auth/oidc.html#required-groups
Background info: as I understand it, "group claim name" is intended to allow the automatic creation of groups in Harbor, but it does not prevent user access; "group filter" is used to filter which group names (i.e. the values of the "group claim name" claim) are created in Harbor automatically.
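As an added illustration (not Harbor's code and not part of this issue), a Python sketch of the distinction described above: a group filter only decides which claimed groups get created, whereas a required-groups gate like GitLab's denies onboarding outright and fails closed when the claim is absent. The claim name `cognito:groups`, the regex form of the filter, the `required_groups` parameter and the sample claims are all assumptions.

```python
import re

# Constructed sample ID-token claims (not taken from the issue), shaped like
# what an IdP such as AWS Cognito returns after the token has been verified.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "email": "dev@example.com",
    "cognito:groups": ["harbor-developers", "finance", "harbor-admins"],
}


def onboarding_decision(claims, group_claim_name, group_filter, required_groups):
    """Return (allowed, groups_to_create) for a hypothetical onboarding policy.

    group_claim_name: which claim carries the user's groups (assumed: a list of strings).
    group_filter:     regex; only matching groups are auto-created. This models the
                      existing filter behaviour described in the issue (regex form assumed).
    required_groups:  hypothetical gate modelled on GitLab's required_groups; the user is
                      denied when they belong to none of these. Empty list = no gate.
    """
    groups = claims.get(group_claim_name, [])
    if isinstance(groups, str):          # some IdPs emit a single group as a bare string
        groups = [groups]
    groups = [g for g in groups if isinstance(g, str)]

    # Access gate: fail closed. A missing or empty claim never satisfies a required group.
    if required_groups and not set(groups) & set(required_groups):
        return False, []

    # Group creation filter: independent of the access decision, as the issue notes.
    pattern = re.compile(group_filter) if group_filter else None
    to_create = [g for g in groups if pattern is None or pattern.search(g)]
    return True, to_create
```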