OpenID Connect: Can I implement a server-wide limitation on allowed groups?


Under mod_auth_openidc, is it possible for all auth cases across the entire server, to be restricted to a set of specific groups?

I have a webserver where we are aiming to authenticate against our company's Provider, which has multiple domains (roughly, groups of user type, e.g. internal users and guests), so we always have to check that a user is part of one of the 'internal' groups rather than one of the guests. REMOTE_USER is set to strip the @example.com part of the UPN.

I realise that it is possible to do:

<Location /restricted>
    <RequireAll>
        Require claim groups:uuid1... groups:uuid2... groups:uuid3...
        Require user user1 user2
    </RequireAll>
</Location>

but there are hundreds of such cases around the server. However, we NEVER want to have people who are not part of one of the three groups to have access when limitation by user is required.

Is there some way I can configure, at the top level of the server configuration (i.e. where things like OIDCProviderMetadataURL/OIDCClientID are stated), a rule such as:

"In ALL openidc auth cases, when there is a user restriction, ensure they are always part of one of the three groups".


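The following is an added illustration, not configuration from the original post or from the mod_auth_openidc project. It shows the Apache-level mechanism that comes closest to what the question asks for: the group check is declared once in a `<Location />` section, and each user-restricted block opts in to combining with it via Apache's own `AuthMerging` directive (from mod_authz_core, not mod_auth_openidc). It assumes the provider exposes group membership in a claim named `groups`, and the `<uuid-internal-N>` values are placeholders for the three internal group IDs. The weak block beside the corrected one shows the failure mode: with Apache's default merge behaviour, a child section's `Require` directives replace the parent's rather than adding to them.

```apache
# Added example, not from the original post or from mod_auth_openidc.
# Assumptions: group membership arrives in a claim named "groups";
# <uuid-internal-1..3> stand in for the three internal group IDs.

# Base section, matching every path. Authentication and the group check
# live here exactly once. <Location> sections are merged in the order they
# appear in the configuration, so this block must come before the per-path
# blocks it is meant to cover.
<Location />
    AuthType openid-connect
    <RequireAny>
        Require claim groups:<uuid-internal-1>
        Require claim groups:<uuid-internal-2>
        Require claim groups:<uuid-internal-3>
    </RequireAny>
</Location>

# WEAK: Apache's default is AuthMerging Off, under which this section's
# authorization logic REPLACES the logic inherited from <Location />.
# Only REMOTE_USER is checked here; nothing verifies that the caller is in
# one of the internal groups.
<Location /restricted-weak>
    Require user user1 user2
</Location>

# CORRECTED: AuthMerging And combines this section's logic with the nearest
# enclosing section that carries authorization logic, as if both were inside
# one <RequireAll>. The user must therefore satisfy the group check from
# <Location /> AND be one of the listed users.
# Caveat: AuthMerging is not inherited by sub-sections, so this one line is
# still needed in every restricted block; only the group list itself is now
# maintained in a single place.
<Location /restricted>
    AuthMerging And
    Require user user1 user2
</Location>
```

Any `<Location>` block that defines its own `Require` directives but omits `AuthMerging And` silently drops the group requirement, so auditing the existing blocks for that omission (for example with `grep -L AuthMerging` over the files that contain `Require user`) is the check to run after adopting this pattern.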