Hello,

We are using GenericOAuthenticator configured to use a Keycloak Open ID client.
It works as expected, however it enables access to Jupyter Hub for the whole Keycloak Realm.

We would like to restrict access using claims, such as some claim must have some specified value.
That doesn’t seem presently possible.

Did I miss something or would that be a new feature?

Thank you for your time

I’m yet to try this, but if we look at oauthenticator/generic.py at ccd58a6e125ae6c57d7e6df7a5b95178ac9435cb · jupyterhub/oauthenticator · GitHub

looks like we can specify:

GenericOAuthenticator:
   claim_groups_key: groups
   allowed_groups:
      - groupA
      - groupB

and make sure built-in mapper groups has been added to our client