Add an "Allowed groups" field in the settings form as a space separated list of groups allowed to log in.
Add a "Groups claim" field in the settings as the claim to pull groups from, default to "groups".
When retrieving oidc info or login in, if allowed groups is set, pull groups from the defined claim, if none of the groups is part of the allowed groups list or no groups is returned don't login or return info.
When retrieving oidc info or login in, if allowed groups is set, pull groups from the defined claim, if none of the groups is part of the allowed groups list or no groups is returned don't login or return info.