omniauth / omniauth_openid_connect

MIT License

Groups/Roles support #94

Closed djessich closed 3 years ago

djessich commented 3 years ago

Currently this OmniAuth provider does not read the groups or roles claims provided. It is also not possible to restrict login for users to a specific group. This causes all users for a domain to log in to the application with OmniAuth using this provider.

It would be a nice improvement to this provider if the name of the groups claim could be specified using a config property. If groups can be read via the groups claim, it should also be possible to specify a required_groups in the provider configuration, causing the login to fail if the user is not in the specified groups or a successful login if the user is in the specified groups.

The latter required_groups is a pretty common requirement to restrict the login to various applications by groups, otherwise everyone can log in.
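As an added example (not code from omniauth_openid_connect or from this issue's author), the following Ruby shows the group gate the request describes, applied to already-decoded ID token or userinfo claims. The option names `groups_claim` and `required_groups` are hypothetical, as is the dotted-path claim lookup; the claims hashes in the test are constructed.

```ruby
# Added example, not part of omniauth_openid_connect. Implements the gate
# requested in the issue: read a configurable groups/roles claim, and deny the
# login unless the user holds at least one of the required groups.

# Fetch a claim by a dotted path, e.g. "realm_access.roles" ->
# claims["realm_access"]["roles"] (hypothetical convention for nested claims).
def fetch_claim(claims, path)
  path.to_s.split('.').reduce(claims) do |node, key|
    return nil unless node.is_a?(Hash)
    node[key] || node[key.to_sym]
  end
end

# Normalise the claim value into an array of strings. Providers send arrays,
# a single string, or a space/comma separated string; anything else is "no groups".
def group_list(value)
  case value
  when Array  then value.map(&:to_s)
  when String then value.split(/[\s,]+/).reject(&:empty?)
  else []
  end
end

# Returns [allowed, reason]. When no required_groups are configured the login is
# unrestricted (today's behaviour); once they are configured, a missing or empty
# claim is treated as "not a member", i.e. deny by default.
def group_check(claims, groups_claim: 'groups', required_groups: [])
  required = Array(required_groups).map(&:to_s)
  return [true, 'no group restriction configured'] if required.empty?

  groups = group_list(fetch_claim(claims, groups_claim))
  return [false, "claim '#{groups_claim}' missing or empty"] if groups.empty?

  matched = groups & required
  if matched.empty?
    [false, "user groups #{groups.inspect} include none of #{required.inspect}"]
  else
    [true, "matched #{matched.inspect}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample claims, as an OP might return them.
  sample = { 'sub' => 'user-1', 'email' => 'user@example.test',
             'groups' => %w[staff admins] }
  puts group_check(sample, required_groups: %w[admins]).inspect
  puts group_check(sample, required_groups: %w[finance]).inspect
end
```

In an OmniAuth strategy this check would run in the callback phase after the ID token has been verified, with a `false` result turned into `fail!(...)` so the failure surfaces through OmniAuth's normal failure endpoint and is logged like any other rejected login.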

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

osresearch commented 1 year ago

I've hacked something to support roles in Mastodon, although I think it would be better to have omniauth extract the roles claim so that the users of the library don't have to dig into the raw extra_info to find the additional claims. https://github.com/mastodon/mastodon/pull/21787