Could you please check one thing:
It looks like the “allowed group” is only working when at least one group is sent (based on the prefix, if set).
I’ve invited a guest user in our tenant, but this user has no xwiki-relevant group. And this user can login and doesn’t get the error “it’s not a member of the following group”.
Maybe the “lookup” on the empty group-set doesn’t work for allowed-groups.
This is the part of the logs:
DEBUG o.x.c.o.a.i.OIDCUserManager - Getting groups sent by the provider associated with claim [groups]
DEBUG o.x.c.o.a.i.OIDCUserManager - Groups claim not found in userInfo token. Trying idToken
DEBUG o.x.c.o.a.i.OIDCUserManager - The provider did not sent any group
DEBUG o.x.c.o.a.i.OIDCUserManager - Checking allowed groups
WARN o.x.c.o.a.i.OIDCUserManager - Failed to get user avatar from URL [https://graph.microsoft.com/v1.0/me/photo/$value]: IOException: Server returned HTTP response code: 401 for URL: https://graph.microsoft.com/v1.0/me/photo/$value
DEBUG o.x.c.o.a.i.OIDCUserManager - Updating XWiki claims
Only “checking allowed groups” and that’s it.
Thanks,
Gerd
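To make the failure mode above concrete, here is an added example that is not XWiki's or the OIDC authenticator's code. It models an allowed-groups check for an OIDC login in plain Python with made-up function names (`extract_groups`, `allowed_fail_open`, `allowed_fail_closed`, `check_login`) and constructed userinfo / id token dictionaries. The fail-open variant reproduces the behaviour described in the post (no group claim sent, check passes), and the fail-closed variant beside it treats a missing or empty group set as a denial whenever an allowed-group list is configured.

```python
"""Model of an OIDC allowed-groups check: fail-open vs fail-closed.

Added illustration only; the names and data here are assumptions,
not the authenticator's real API. The userinfo / id token dicts are
constructed sample input.
"""
from typing import Iterable, Optional


def extract_groups(userinfo: dict, id_token: dict,
                   claim: str = "groups",
                   prefix: Optional[str] = None) -> list:
    """Read the groups claim from userinfo, falling back to the id token.

    If a prefix is configured, only entries starting with it are kept,
    and the prefix is stripped (mirrors the "based on the prefix" idea).
    Returns [] when the provider sent no groups at all.
    """
    raw = userinfo.get(claim)
    if raw is None:
        raw = id_token.get(claim)  # "Groups claim not found in userInfo token. Trying idToken"
    if raw is None:
        return []  # "The provider did not send any group"
    if isinstance(raw, str):
        raw = [raw]
    groups = []
    for g in raw:
        if prefix:
            if not g.startswith(prefix):
                continue
            g = g[len(prefix):]
        groups.append(g)
    return groups


def allowed_fail_open(provider_groups: Iterable[str], allowed: set) -> bool:
    """Buggy shape: an empty group set short-circuits to 'allowed'."""
    provider_groups = list(provider_groups)
    if not provider_groups:
        return True  # nothing to check, so the login proceeds (the bug)
    return any(g in allowed for g in provider_groups)


def allowed_fail_closed(provider_groups: Iterable[str], allowed: set) -> bool:
    """Hardened shape: with an allowed list configured, membership must be proven."""
    if not allowed:
        return True  # no restriction configured at all
    return any(g in allowed for g in provider_groups)


def check_login(userinfo: dict, id_token: dict, allowed: set,
                prefix: Optional[str] = None,
                fail_closed: bool = True):
    """Run the group extraction and the chosen allowed-groups check.

    Returns (ok, message); on denial the message names the allowed
    groups and what the provider actually sent, which is what you want
    in the authenticator log instead of a bare "Checking allowed groups".
    """
    groups = extract_groups(userinfo, id_token, prefix=prefix)
    decide = allowed_fail_closed if fail_closed else allowed_fail_open
    if decide(groups, allowed):
        return True, "ok"
    return False, ("user is not a member of any of the allowed groups "
                   f"{sorted(allowed)}; provider sent {groups}")


# Constructed sample tokens: a guest with no group claim, and a member
# whose group carries a tenant prefix.
GUEST_USERINFO = {"sub": "guest-1"}
GUEST_IDTOKEN = {"sub": "guest-1"}
MEMBER_USERINFO = {"sub": "user-2", "groups": ["xw-xwiki-users", "other-team"]}
MEMBER_IDTOKEN = {"sub": "user-2"}
ALLOWED = {"xwiki-users"}

if __name__ == "__main__":
    print("fail-open, guest:  ", check_login(GUEST_USERINFO, GUEST_IDTOKEN, ALLOWED, fail_closed=False))
    print("fail-closed, guest:", check_login(GUEST_USERINFO, GUEST_IDTOKEN, ALLOWED))
    print("fail-closed, member:", check_login(MEMBER_USERINFO, MEMBER_IDTOKEN, ALLOWED, prefix="xw-"))
```

Running it shows the guest passing the fail-open check and being rejected by the fail-closed one, while the prefixed member is accepted in both. The design point is that "no groups sent" must be routed into the same comparison as "groups sent, none match" whenever an allowed list exists; otherwise any account the identity provider will authenticate (including invited guests) satisfies the check.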