Enhancement: configurable SSO groups claim (#11841)

--------- Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>
2026-01-26 22:49:01 -06:00 · 2026-01-26 19:31:01 +01:00
parent cafb0f2022
commit e9e138e62c
3 changed files with 19 additions and 4 deletions
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -540,6 +540,11 @@ SOCIALACCOUNT_PROVIDERS = json.loads(
 )
 SOCIAL_ACCOUNT_DEFAULT_GROUPS = __get_list("PAPERLESS_SOCIAL_ACCOUNT_DEFAULT_GROUPS")
 SOCIAL_ACCOUNT_SYNC_GROUPS = __get_boolean("PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS")
+SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM: Final[str] = os.getenv(
+    "PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM",
+    "groups",
+)
+
 HEADLESS_TOKEN_STRATEGY = "paperless.adapter.DrfTokenStrategy"

 MFA_TOTP_ISSUER = "Paperless-ngx"
--- a/src/paperless/signals.py
+++ b/src/paperless/signals.py
@@ -40,15 +40,19 @@ def handle_social_account_updated(sender, request, sociallogin, **kwargs):

    extra_data = sociallogin.account.extra_data or {}
    social_account_groups = extra_data.get(
-        "groups",
+        settings.SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM,
        [],
    )  # pre-allauth 65.11.0 structure

    if not social_account_groups:
        # allauth 65.11.0+ nests claims under `userinfo`/`id_token`
        social_account_groups = (
-            extra_data.get("userinfo", {}).get("groups")
-            or extra_data.get("id_token", {}).get("groups")
+            extra_data.get("userinfo", {}).get(
+                settings.SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM,
+            )
+            or extra_data.get("id_token", {}).get(
+                settings.SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM,
+            )
            or []
        )
    if settings.SOCIAL_ACCOUNT_SYNC_GROUPS and social_account_groups is not None: