user_oidc
Restrict login to users matching a certain group
We would like to limit access to Nextcloud to users having certain groups. So when a user authenticates with OAuth, it should check the groups coming from the OAuth provider before a user is created / allowed to log in. If the user is not on a whitelist (regex), the user login is rejected.
Background
We have a member database containing many members from different divisions. Some divisions have their own Nextcloud instance, and it would be great to allow them to use the member database for login. But other divisions should not be able to use the Nextcloud instance. The user story is described in https://github.com/hitobito/hitobito_jubla/issues/74 (German).
Proposal
- Add a new field in the settings for setting a whitelist regex for which groups (gid) are synchronized with Nextcloud
- Add a new checkbox in the settings "Restrict login for users without whitelisted groups"
- During the authentication process, check if the user is in at least one group that is part of the whitelist
- During the group synchronisation, only add and remove groups that are whitelisted. (this would also solve #866)
What do you think about this proposal?
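One way the login gate and the whitelist-restricted group sync from the proposal could be expressed, as an added PHP sketch that is not part of user_oidc. Function names, the settings shape and the group ids are assumptions; the sample values are constructed. The regex is anchored and invalid patterns fail closed, and the sync plan only ever touches whitelisted groups, so locally managed groups survive a sync:

```php
<?php
declare(strict_types=1);
// Hypothetical helpers (names assumed); the real user_oidc settings and
// provisioning code are structured differently.

// Subset of $groups matching the whitelist pattern. The pattern is anchored so
// "division-a" does not also admit "division-ab". An invalid pattern (or one
// containing the "/" delimiter) yields an empty set, i.e. fail closed.
function whitelistedGroups(array $groups, string $pattern): array {
    $regex = '/^(?:' . $pattern . ')$/';
    $matched = [];
    foreach ($groups as $gid) {
        if (!is_string($gid)) {
            continue; // skip malformed claim entries
        }
        $result = @preg_match($regex, $gid);
        if ($result === false) {
            return []; // invalid regex: nothing is whitelisted
        }
        if ($result === 1) {
            $matched[] = $gid;
        }
    }
    return $matched;
}

// Login gate: with the restriction enabled, the groups claim must be a list
// containing at least one whitelisted group; a missing claim is rejected.
function loginAllowed($groupsClaim, string $pattern, bool $restrict): bool {
    if (!$restrict) {
        return true;
    }
    if (!is_array($groupsClaim)) {
        return false;
    }
    return whitelistedGroups($groupsClaim, $pattern) !== [];
}

// Sync plan: only whitelisted groups are added or removed; groups outside the
// whitelist that the user already has in Nextcloud are left untouched.
function groupSyncPlan(array $providerGroups, array $currentGroups, string $pattern): array {
    $wanted  = whitelistedGroups($providerGroups, $pattern);
    $managed = whitelistedGroups($currentGroups, $pattern);
    return [
        'add'    => array_values(array_diff($wanted, $managed)),
        'remove' => array_values(array_diff($managed, $wanted)),
    ];
}

// Constructed sample values, not from any real provider.
$pattern = 'jubla-(?:zh|be)-\d+';
var_dump(loginAllowed(['jubla-zh-12', 'other-1'], $pattern, true));
var_dump(loginAllowed(['jubla-ag-3'], $pattern, true));
print_r(groupSyncPlan(['jubla-zh-12', 'jubla-be-7'], ['jubla-zh-12', 'jubla-zh-99', 'admin'], $pattern));
```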