diff --git a/CHANGELOG.md b/CHANGELOG.md
index f17e3136..f30f4b2c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
- [#2300](https://github.com/oauth2-proxy/oauth2-proxy/pull/2300) Add fix for websocket path rewrite (@rekup)
- [#2821](https://github.com/oauth2-proxy/oauth2-proxy/pull/2821) feat: add CF-Connecting-IP as supported real ip header (@ondrejsika)
- [#2620](https://github.com/oauth2-proxy/oauth2-proxy/pull/2620) fix: update code_verifier to use recommended method (@vishvananda)
+- [#2392](https://github.com/oauth2-proxy/oauth2-proxy/pull/2392) chore: extend test cases for oidc provider and documentation regarding implicit setting of the groups scope when no scope was specified in the config (@jjlakis / @tuunit)
# V7.7.1
diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md
index 511e2b59..79a041b5 100644
--- a/docs/docs/configuration/overview.md
+++ b/docs/docs/configuration/overview.md
@@ -75,40 +75,40 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
Provider specific options can be found on their respective subpages.
-| Flag / Config Field | Type | Description | Default |
-| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| flag: `--acr-values`
toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
-| flag: `--allowed-group`
toml: `allowed_groups` | string \| list | restrict logins to members of this group (may be given multiple times) | |
-| flag: `--approval-prompt`
toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
-| flag: `--backend-logout-url`
toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
-| flag: `--client-id`
toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
-| flag: `--client-secret-file`
toml: `client_secret_file` | string | the file with OAuth Client Secret | |
-| flag: `--client-secret`
toml: `client_secret` | string | the OAuth Client Secret | |
-| flag: `--code-challenge-method`
toml: `code_challenge_method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | |
-| flag: `--insecure-oidc-allow-unverified-email`
toml: `insecure_oidc_allow_unverified_email` | bool | don't fail if an email address in an id_token is not verified | false |
-| flag: `--insecure-oidc-skip-issuer-verification`
toml: `insecure_oidc_skip_issuer_verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |
-| flag: `--insecure-oidc-skip-nonce`
toml: `insecure_oidc_skip_nonce` | bool | skip verifying the OIDC ID Token's nonce claim | true |
-| flag: `--jwt-key-file`
toml: `jwt_key_file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
-| flag: `--jwt-key`
toml: `jwt_key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
-| flag: `--login-url`
toml: `login_url` | string | Authentication endpoint | |
-| flag: `--oidc-audience-claim`
toml: `oidc_audience_claims` | string | which OIDC claim contains the audience | `"aud"` |
-| flag: `--oidc-email-claim`
toml: `oidc_email_claim` | string | which OIDC claim contains the user's email | `"email"` |
-| flag: `--oidc-extra-audience`
toml: `oidc_extra_audiences` | string \| list | additional audiences which are allowed to pass verification | `"[]"` |
-| flag: `--oidc-groups-claim`
toml: `oidc_groups_claim` | string | which OIDC claim contains the user groups | `"groups"` |
-| flag: `--oidc-issuer-url`
toml: `oidc_issuer_url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | |
-| flag: `--oidc-jwks-url`
toml: `oidc_jwks_url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
-| flag: `--profile-url`
toml: `profile_url` | string | Profile access endpoint | |
-| flag: `--prompt`
toml: `prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` |
-| flag: `--provider-ca-file`
toml: `provider_ca_files` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. |
-| flag: `--provider-display-name`
toml: `provider_display_name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
-| flag: `--provider`
toml: `provider` | string | OAuth provider | google |
-| flag: `--pubjwk-url`
toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
-| flag: `--redeem-url`
toml: `redeem_url` | string | Token redemption endpoint | |
-| flag: `--scope`
toml:`scope` | string | OAuth scope specification | |
-| flag: `--skip-claims-from-profile-url`
toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
-| flag: `--skip-oidc-discovery`
toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
-| flag: `--use-system-trust-store`
toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
-| flag: `--validate-url`
toml: `validate_url` | string | Access token validation endpoint | |
+| Flag / Config Field | Type | Description | Default |
+| --------------------------------------------------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| flag: `--acr-values`
toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
+| flag: `--allowed-group`
toml: `allowed_groups` | string \| list | Restrict login to members of a group or list of groups. Furthermore, if you aren't setting the `scope` and use `allowed_groups` with the generic OIDC provider the scope `groups` gets added implicitly. | |
+| flag: `--approval-prompt`
toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
+| flag: `--backend-logout-url`
toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
+| flag: `--client-id`
toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
+| flag: `--client-secret-file`
toml: `client_secret_file` | string | the file with OAuth Client Secret | |
+| flag: `--client-secret`
toml: `client_secret` | string | the OAuth Client Secret | |
+| flag: `--code-challenge-method`
toml: `code_challenge_method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | |
+| flag: `--insecure-oidc-allow-unverified-email`
toml: `insecure_oidc_allow_unverified_email` | bool | don't fail if an email address in an id_token is not verified | false |
+| flag: `--insecure-oidc-skip-issuer-verification`
toml: `insecure_oidc_skip_issuer_verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |
+| flag: `--insecure-oidc-skip-nonce`
toml: `insecure_oidc_skip_nonce` | bool | skip verifying the OIDC ID Token's nonce claim | true |
+| flag: `--jwt-key-file`
toml: `jwt_key_file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
+| flag: `--jwt-key`
toml: `jwt_key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
+| flag: `--login-url`
toml: `login_url` | string | Authentication endpoint | |
+| flag: `--oidc-audience-claim`
toml: `oidc_audience_claims` | string | which OIDC claim contains the audience | `"aud"` |
+| flag: `--oidc-email-claim`
toml: `oidc_email_claim` | string | which OIDC claim contains the user's email | `"email"` |
+| flag: `--oidc-extra-audience`
toml: `oidc_extra_audiences` | string \| list | additional audiences which are allowed to pass verification | `"[]"` |
+| flag: `--oidc-groups-claim`
toml: `oidc_groups_claim` | string | which OIDC claim contains the user groups | `"groups"` |
+| flag: `--oidc-issuer-url`
toml: `oidc_issuer_url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | |
+| flag: `--oidc-jwks-url`
toml: `oidc_jwks_url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
+| flag: `--profile-url`
toml: `profile_url` | string | Profile access endpoint | |
+| flag: `--prompt`
toml: `prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` |
+| flag: `--provider-ca-file`
toml: `provider_ca_files` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. |
+| flag: `--provider-display-name`
toml: `provider_display_name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
+| flag: `--provider`
toml: `provider` | string | OAuth provider | google |
+| flag: `--pubjwk-url`
toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
+| flag: `--redeem-url`
toml: `redeem_url` | string | Token redemption endpoint | |
+| flag: `--scope`
toml:`scope` | string | OAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured. | |
+| flag: `--skip-claims-from-profile-url`
toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
+| flag: `--skip-oidc-discovery`
toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
+| flag: `--use-system-trust-store`
toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
+| flag: `--validate-url`
toml: `validate_url` | string | Access token validation endpoint | |
### Cookie Options
@@ -199,7 +199,7 @@ Provider specific options can be found on their respective subpages.
| flag: `--htpasswd-file`
toml: `htpasswd_file` | string | additionally authenticate against a htpasswd file. Entries must be created with `htpasswd -B` for bcrypt encryption | |
| flag: `--htpasswd-user-group`
toml: `htpasswd_user_groups` | string \| list | the groups to be set on sessions for htpasswd users | |
| flag: `--proxy-prefix`
toml: `proxy_prefix` | string | the url root path that this proxy should be nested under (e.g. /`/sign_in`) | `"/oauth2"` |
-| flag: `--real-client-ip-header`
toml: `real_client_ip_header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, X-ProxyUser-IP, X-Envoy-External-Address, or CF-Connecting-IP) | X-Real-IP |
+| flag: `--real-client-ip-header`
toml: `real_client_ip_header` | string | Header used to determine the real IP of the client, requires `--reverse-proxy` to be set (one of: X-Forwarded-For, X-Real-IP, X-ProxyUser-IP, X-Envoy-External-Address, or CF-Connecting-IP) | X-Real-IP |
| flag: `--redirect-url`
toml: `redirect_url` | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | |
| flag: `--relative-redirect-url`
toml: `relative_redirect_url` | bool | allow relative OAuth Redirect URL.` | false |
| flag: `--reverse-proxy`
toml: `reverse_proxy` | bool | are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-\{Proto,Host,Uri\} headers to be used on redirect selection | false |
diff --git a/docs/versioned_docs/version-7.6.x/configuration/overview.md b/docs/versioned_docs/version-7.6.x/configuration/overview.md
index 47da7e07..61a239c9 100644
--- a/docs/versioned_docs/version-7.6.x/configuration/overview.md
+++ b/docs/versioned_docs/version-7.6.x/configuration/overview.md
@@ -75,40 +75,40 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
Provider specific options can be found on their respective subpages.
-| Flag / Config Field | Type | Description | Default |
-| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| flag: `--acr-values`
toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
-| flag: `--allowed-group`
toml: `allowed_groups` | string \| list | restrict logins to members of this group (may be given multiple times) | |
-| flag: `--approval-prompt`
toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
-| flag: `--backend-logout-url`
toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
-| flag: `--client-id`
toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
-| flag: `--client-secret-file`
toml: `client_secret_file` | string | the file with OAuth Client Secret | |
-| flag: `--client-secret`
toml: `client_secret` | string | the OAuth Client Secret | |
-| flag: `--code-challenge-method`
toml: `code_challenge_method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | |
-| flag: `--insecure-oidc-allow-unverified-email`
toml: `insecure_oidc_allow_unverified_email` | bool | don't fail if an email address in an id_token is not verified | false |
-| flag: `--insecure-oidc-skip-issuer-verification`
toml: `insecure_oidc_skip_issuer_verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |
-| flag: `--insecure-oidc-skip-nonce`
toml: `insecure_oidc_skip_nonce` | bool | skip verifying the OIDC ID Token's nonce claim | true |
-| flag: `--jwt-key-file`
toml: `jwt_key_file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
-| flag: `--jwt-key`
toml: `jwt_key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
-| flag: `--login-url`
toml: `login_url` | string | Authentication endpoint | |
-| flag: `--oidc-audience-claim`
toml: `oidc_audience_claims` | string | which OIDC claim contains the audience | `"aud"` |
-| flag: `--oidc-email-claim`
toml: `oidc_email_claim` | string | which OIDC claim contains the user's email | `"email"` |
-| flag: `--oidc-extra-audience`
toml: `oidc_extra_audiences` | string \| list | additional audiences which are allowed to pass verification | `"[]"` |
-| flag: `--oidc-groups-claim`
toml: `oidc_groups_claim` | string | which OIDC claim contains the user groups | `"groups"` |
-| flag: `--oidc-issuer-url`
toml: `oidc_issuer_url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | |
-| flag: `--oidc-jwks-url`
toml: `oidc_jwks_url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
-| flag: `--profile-url`
toml: `profile_url` | string | Profile access endpoint | |
-| flag: `--prompt`
toml: `prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` |
-| flag: `--provider-ca-file`
toml: `provider_ca_files` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. |
-| flag: `--provider-display-name`
toml: `provider_display_name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
-| flag: `--provider`
toml: `provider` | string | OAuth provider | google |
-| flag: `--pubjwk-url`
toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
-| flag: `--redeem-url`
toml: `redeem_url` | string | Token redemption endpoint | |
-| flag: `--scope`
toml:`scope` | string | OAuth scope specification | |
-| flag: `--skip-claims-from-profile-url`
toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
-| flag: `--skip-oidc-discovery`
toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
-| flag: `--use-system-trust-store`
toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
-| flag: `--validate-url`
toml: `validate_url` | string | Access token validation endpoint | |
+| Flag / Config Field | Type | Description | Default |
+| --------------------------------------------------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| flag: `--acr-values`
toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
+| flag: `--allowed-group`
toml: `allowed_groups` | string \| list | Restrict login to members of a group or list of groups. Furthermore, if you aren't setting the `scope` and use `allowed_groups` with the generic OIDC provider the scope `groups` gets added implicitly. | |
+| flag: `--approval-prompt`
toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
+| flag: `--backend-logout-url`
toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
+| flag: `--client-id`
toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
+| flag: `--client-secret-file`
toml: `client_secret_file` | string | the file with OAuth Client Secret | |
+| flag: `--client-secret`
toml: `client_secret` | string | the OAuth Client Secret | |
+| flag: `--code-challenge-method`
toml: `code_challenge_method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | |
+| flag: `--insecure-oidc-allow-unverified-email`
toml: `insecure_oidc_allow_unverified_email` | bool | don't fail if an email address in an id_token is not verified | false |
+| flag: `--insecure-oidc-skip-issuer-verification`
toml: `insecure_oidc_skip_issuer_verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |
+| flag: `--insecure-oidc-skip-nonce`
toml: `insecure_oidc_skip_nonce` | bool | skip verifying the OIDC ID Token's nonce claim | true |
+| flag: `--jwt-key-file`
toml: `jwt_key_file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
+| flag: `--jwt-key`
toml: `jwt_key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
+| flag: `--login-url`
toml: `login_url` | string | Authentication endpoint | |
+| flag: `--oidc-audience-claim`
toml: `oidc_audience_claims` | string | which OIDC claim contains the audience | `"aud"` |
+| flag: `--oidc-email-claim`
toml: `oidc_email_claim` | string | which OIDC claim contains the user's email | `"email"` |
+| flag: `--oidc-extra-audience`
toml: `oidc_extra_audiences` | string \| list | additional audiences which are allowed to pass verification | `"[]"` |
+| flag: `--oidc-groups-claim`
toml: `oidc_groups_claim` | string | which OIDC claim contains the user groups | `"groups"` |
+| flag: `--oidc-issuer-url`
toml: `oidc_issuer_url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | |
+| flag: `--oidc-jwks-url`
toml: `oidc_jwks_url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
+| flag: `--profile-url`
toml: `profile_url` | string | Profile access endpoint | |
+| flag: `--prompt`
toml: `prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` |
+| flag: `--provider-ca-file`
toml: `provider_ca_files` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. |
+| flag: `--provider-display-name`
toml: `provider_display_name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
+| flag: `--provider`
toml: `provider` | string | OAuth provider | google |
+| flag: `--pubjwk-url`
toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
+| flag: `--redeem-url`
toml: `redeem_url` | string | Token redemption endpoint | |
+| flag: `--scope`
toml:`scope` | string | OAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured. | |
+| flag: `--skip-claims-from-profile-url`
toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
+| flag: `--skip-oidc-discovery`
toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
+| flag: `--use-system-trust-store`
toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
+| flag: `--validate-url`
toml: `validate_url` | string | Access token validation endpoint | |
### Cookie Options
diff --git a/docs/versioned_docs/version-7.7.x/configuration/overview.md b/docs/versioned_docs/version-7.7.x/configuration/overview.md
index e96b7f4f..d470f40f 100644
--- a/docs/versioned_docs/version-7.7.x/configuration/overview.md
+++ b/docs/versioned_docs/version-7.7.x/configuration/overview.md
@@ -75,40 +75,40 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
Provider specific options can be found on their respective subpages.
-| Flag / Config Field | Type | Description | Default |
-| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| flag: `--acr-values`
toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
-| flag: `--allowed-group`
toml: `allowed_groups` | string \| list | restrict logins to members of this group (may be given multiple times) | |
-| flag: `--approval-prompt`
toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
-| flag: `--backend-logout-url`
toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
-| flag: `--client-id`
toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
-| flag: `--client-secret-file`
toml: `client_secret_file` | string | the file with OAuth Client Secret | |
-| flag: `--client-secret`
toml: `client_secret` | string | the OAuth Client Secret | |
-| flag: `--code-challenge-method`
toml: `code_challenge_method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | |
-| flag: `--insecure-oidc-allow-unverified-email`
toml: `insecure_oidc_allow_unverified_email` | bool | don't fail if an email address in an id_token is not verified | false |
-| flag: `--insecure-oidc-skip-issuer-verification`
toml: `insecure_oidc_skip_issuer_verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |
-| flag: `--insecure-oidc-skip-nonce`
toml: `insecure_oidc_skip_nonce` | bool | skip verifying the OIDC ID Token's nonce claim | true |
-| flag: `--jwt-key-file`
toml: `jwt_key_file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
-| flag: `--jwt-key`
toml: `jwt_key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
-| flag: `--login-url`
toml: `login_url` | string | Authentication endpoint | |
-| flag: `--oidc-audience-claim`
toml: `oidc_audience_claims` | string | which OIDC claim contains the audience | `"aud"` |
-| flag: `--oidc-email-claim`
toml: `oidc_email_claim` | string | which OIDC claim contains the user's email | `"email"` |
-| flag: `--oidc-extra-audience`
toml: `oidc_extra_audiences` | string \| list | additional audiences which are allowed to pass verification | `"[]"` |
-| flag: `--oidc-groups-claim`
toml: `oidc_groups_claim` | string | which OIDC claim contains the user groups | `"groups"` |
-| flag: `--oidc-issuer-url`
toml: `oidc_issuer_url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | |
-| flag: `--oidc-jwks-url`
toml: `oidc_jwks_url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
-| flag: `--profile-url`
toml: `profile_url` | string | Profile access endpoint | |
-| flag: `--prompt`
toml: `prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` |
-| flag: `--provider-ca-file`
toml: `provider_ca_files` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. |
-| flag: `--provider-display-name`
toml: `provider_display_name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
-| flag: `--provider`
toml: `provider` | string | OAuth provider | google |
-| flag: `--pubjwk-url`
toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
-| flag: `--redeem-url`
toml: `redeem_url` | string | Token redemption endpoint | |
-| flag: `--scope`
toml:`scope` | string | OAuth scope specification | |
-| flag: `--skip-claims-from-profile-url`
toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
-| flag: `--skip-oidc-discovery`
toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
-| flag: `--use-system-trust-store`
toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
-| flag: `--validate-url`
toml: `validate_url` | string | Access token validation endpoint | |
+| Flag / Config Field | Type | Description | Default |
+| --------------------------------------------------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| flag: `--acr-values`
toml: `acr_values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
+| flag: `--allowed-group`
toml: `allowed_groups` | string \| list | Restrict login to members of a group or list of groups. Furthermore, if you aren't setting the `scope` and use `allowed_groups` with the generic OIDC provider the scope `groups` gets added implicitly. | |
+| flag: `--approval-prompt`
toml: `approval_prompt` | string | OAuth approval_prompt | `"force"` |
+| flag: `--backend-logout-url`
toml: `backend_logout_url` | string | URL to perform backend logout, if you use `{id_token}` in the url it will be replaced by the actual `id_token` of the user session | |
+| flag: `--client-id`
toml: `client_id` | string | the OAuth Client ID, e.g. `"123456.apps.googleusercontent.com"` | |
+| flag: `--client-secret-file`
toml: `client_secret_file` | string | the file with OAuth Client Secret | |
+| flag: `--client-secret`
toml: `client_secret` | string | the OAuth Client Secret | |
+| flag: `--code-challenge-method`
toml: `code_challenge_method` | string | use PKCE code challenges with the specified method. Either 'plain' or 'S256' (recommended) | |
+| flag: `--insecure-oidc-allow-unverified-email`
toml: `insecure_oidc_allow_unverified_email` | bool | don't fail if an email address in an id_token is not verified | false |
+| flag: `--insecure-oidc-skip-issuer-verification`
toml: `insecure_oidc_skip_issuer_verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |
+| flag: `--insecure-oidc-skip-nonce`
toml: `insecure_oidc_skip_nonce` | bool | skip verifying the OIDC ID Token's nonce claim | true |
+| flag: `--jwt-key-file`
toml: `jwt_key_file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
+| flag: `--jwt-key`
toml: `jwt_key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
+| flag: `--login-url`
toml: `login_url` | string | Authentication endpoint | |
+| flag: `--oidc-audience-claim`
toml: `oidc_audience_claims` | string | which OIDC claim contains the audience | `"aud"` |
+| flag: `--oidc-email-claim`
toml: `oidc_email_claim` | string | which OIDC claim contains the user's email | `"email"` |
+| flag: `--oidc-extra-audience`
toml: `oidc_extra_audiences` | string \| list | additional audiences which are allowed to pass verification | `"[]"` |
+| flag: `--oidc-groups-claim`
toml: `oidc_groups_claim` | string | which OIDC claim contains the user groups | `"groups"` |
+| flag: `--oidc-issuer-url`
toml: `oidc_issuer_url` | string | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"` | |
+| flag: `--oidc-jwks-url`
toml: `oidc_jwks_url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
+| flag: `--profile-url`
toml: `profile_url` | string | Profile access endpoint | |
+| flag: `--prompt`
toml: `prompt` | string | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored | `""` |
+| flag: `--provider-ca-file`
toml: `provider_ca_files` | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead. |
+| flag: `--provider-display-name`
toml: `provider_display_name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
+| flag: `--provider`
toml: `provider` | string | OAuth provider | google |
+| flag: `--pubjwk-url`
toml: `pubjwk_url` | string | JWK pubkey access endpoint: required by login.gov | |
+| flag: `--redeem-url`
toml: `redeem_url` | string | Token redemption endpoint | |
+| flag: `--scope`
toml:`scope` | string | OAuth scope specification. Every provider has a default list of scopes which will be used in case no scope is configured. | |
+| flag: `--skip-claims-from-profile-url`
toml: `skip_claims_from_profile_url` | bool | skip request to Profile URL for resolving claims not present in id_token | false |
+| flag: `--skip-oidc-discovery`
toml: `skip_oidc_discovery` | bool | bypass OIDC endpoint discovery. `--login-url`, `--redeem-url` and `--oidc-jwks-url` must be configured in this case | false |
+| flag: `--use-system-trust-store`
toml: `use_system_trust_store` | bool | Determines if `provider-ca-file` files and the system trust store are used. If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. | false |
+| flag: `--validate-url`
toml: `validate_url` | string | Access token validation endpoint | |
### Cookie Options
diff --git a/providers/providers_test.go b/providers/providers_test.go
index 5c5df8a8..ce74099d 100644
--- a/providers/providers_test.go
+++ b/providers/providers_test.go
@@ -137,12 +137,32 @@ func TestScope(t *testing.T) {
expectedScope: "openid email profile",
},
{
- name: "oidc: with no scope provided and groups",
+ name: "oidc: with no scope provided and allowed groups",
configuredType: "oidc",
configuredScope: "",
expectedScope: "openid email profile groups",
allowedGroups: []string{"foo"},
},
+ {
+ name: "oidc: with custom scope including groups without allowed groups",
+ configuredType: "oidc",
+ configuredScope: "myscope groups",
+ expectedScope: "myscope groups",
+ },
+ {
+ name: "oidc: with custom scope without groups but allowed groups",
+ configuredType: "oidc",
+ configuredScope: "myscope",
+ expectedScope: "myscope",
+ allowedGroups: []string{"foo"},
+ },
+ {
+ name: "oidc: with custom scope with groups and allowed groups",
+ configuredType: "oidc",
+ configuredScope: "myscope groups",
+ expectedScope: "myscope groups",
+ allowedGroups: []string{"foo"},
+ },
{
name: "oidc: with a configured scope provided",
configuredType: "oidc",
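Review bot: The case "oidc: with custom scope without groups but allowed groups" (configuredScope "myscope", allowedGroups ["foo"], expectedScope "myscope") pins a security-relevant contract without saying so: once a scope is configured explicitly, `groups` is never appended, so an operator who sets both `scope` and `allowed_groups` must include `groups` themselves or the groups claim presumably never arrives and every login is rejected by the allowed-groups check. A one-line comment on that case would make the intent explicit and stop a later maintainer from "fixing" it: `// explicit scope wins: "groups" is only added implicitly when no scope is configured`. The keycloak-oidc cases in the following hunk assert the same implicit addition for that provider, which suggests the docs' wording "with the generic OIDC provider" in this commit understates the behaviour; worth aligning the doc table row or naming both providers there. The keycloak case names ("with custom scope and groups" vs "with custom scope and groups scope") are also ambiguous about whether "groups" means allowed groups or the scope, and would read better following the oidc naming scheme used here. TestScope's table and loop continue outside this hunk.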
@@ -161,6 +181,27 @@ func TestScope(t *testing.T) {
configuredScope: "read:user read:org",
expectedScope: "read:user read:org",
},
+ {
+ name: "keycloak: with no scope provided and groups",
+ configuredType: "keycloak-oidc",
+ configuredScope: "",
+ expectedScope: "openid email profile groups",
+ allowedGroups: []string{"foo"},
+ },
+ {
+ name: "keycloak: with custom scope and groups",
+ configuredType: "keycloak-oidc",
+ configuredScope: "myscope",
+ expectedScope: "myscope",
+ allowedGroups: []string{"foo"},
+ },
+ {
+ name: "keycloak: with custom scope and groups scope",
+ configuredType: "keycloak-oidc",
+ configuredScope: "myscope groups",
+ expectedScope: "myscope groups",
+ allowedGroups: []string{"foo"},
+ },
}
for _, tc := range testCases {