Hello! Waiting for my Jira account to request the improvement, but wanted to share the idea here to check if it makes sense.

I'm trying to make OIDC work for me and I find that no matter what authorization policies I set on Keycloak, Guacamole always lets a Keycloak-authenticated user log in.

I would like to see a mysql-auto-create-accounts: user-with-valid-group conditional alternative to mysql-auto-create-accounts: true for the MySQL module. The rationale would be to base authorization on group membership: if the authenticated user has at least 1 group coincidence (OIDC response vs groups in DB), we accept the authentication and create the user in the DB. If the user has no group membership that matches a known group in the database, we don't allow the user to be authenticated.

This can reduce attack vectors by blocking any access to the application for users that are not supposed to consume the service at all.

Does it make sense?

Regards,
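A small Python model of the proposed decision, added here as an illustration and not part of the post or of Guacamole's own code: it compares the `groups` claim of a Keycloak ID token with the groups already known in the MySQL database and shows how `true` (always create) and the proposed `user-with-valid-group` mode would differ. The group names, the claim layout and the `authorize` function are assumptions for the example.

```python
"""Added example (not Guacamole code): models the proposed
'mysql-auto-create-accounts: user-with-valid-group' mode next to the
existing 'true' mode.  All group names and claims are constructed."""
from dataclasses import dataclass

# Constructed stand-in for the groups already present in the Guacamole
# MySQL database (hypothetical names, not from the original post).
DB_GROUPS = {"guac-admins", "guac-users"}


@dataclass
class Decision:
    allowed: bool          # may the OIDC-authenticated user log in?
    create_account: bool   # should a MySQL account be auto-created?
    reason: str


def _normalize(groups):
    """Keycloak's group-membership mapper can emit paths like
    '/guac-users'; keep the last path element, lower-cased, skip junk."""
    out = set()
    for g in groups or []:
        if isinstance(g, str):
            name = g.strip().rsplit("/", 1)[-1].lower()
            if name:
                out.add(name)
    return out


def authorize(claims, mode, db_groups=DB_GROUPS):
    """Decide login + auto-create for one set of ID-token claims under
    the given mysql-auto-create-accounts mode (assumed semantics)."""
    if mode == "true":
        # Current behaviour described in the post: any authenticated
        # user is accepted and an account is created.
        return Decision(True, True, "auto-create for any authenticated user")
    if mode == "user-with-valid-group":
        known = {g.lower() for g in db_groups}
        matched = _normalize(claims.get("groups")) & known
        if matched:
            return Decision(True, True,
                            "matched DB groups: " + ", ".join(sorted(matched)))
        # Missing/empty claim or no overlap: deny, create nothing.
        return Decision(False, False, "no OIDC group matches a known DB group")
    raise ValueError("unknown mysql-auto-create-accounts mode: %r" % mode)
```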