sigbit
diff --git a/‎docs/docs/configuration.md‎
Lines changed: 52 additions & 10 deletions b/‎docs/docs/configuration.md‎
Lines changed: 52 additions & 10 deletions
diff --git a/‎docs/docs/examples.md‎
Lines changed: 3 additions & 0 deletions b/‎docs/docs/examples.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/docs/oauth-setup.md‎
Lines changed: 54 additions & 0 deletions b/‎docs/docs/oauth-setup.md‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎main.go‎
Lines changed: 38 additions & 0 deletions b/‎main.go‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎main_test.go‎
Lines changed: 87 additions & 0 deletions b/‎main_test.go‎
Lines changed: 87 additions & 0 deletions
@@ -55,16 +55,18 @@ Complete reference for all MCP Auth Proxy configuration options.
 
 #### Generic OIDC
 
-| Option                      | Environment Variable      | Default                | Description                                                  |
-| --------------------------- | ------------------------- | ---------------------- | ------------------------------------------------------------ |
-| `--oidc-configuration-url`  | `OIDC_CONFIGURATION_URL`  | -                      | OIDC configuration URL                                       |
-| `--oidc-client-id`          | `OIDC_CLIENT_ID`          | -                      | OIDC client ID                                               |
-| `--oidc-client-secret`      | `OIDC_CLIENT_SECRET`      | -                      | OIDC client secret                                           |
-| `--oidc-allowed-users`      | `OIDC_ALLOWED_USERS`      | -                      | Comma-separated list of allowed OIDC users (exact match)     |
-| `--oidc-allowed-users-glob` | `OIDC_ALLOWED_USERS_GLOB` | -                      | Comma-separated list of glob patterns for allowed OIDC users |
-| `--oidc-provider-name`      | `OIDC_PROVIDER_NAME`      | `OIDC`                 | Display name for OIDC provider                               |
-| `--oidc-scopes`             | `OIDC_SCOPES`             | `openid,profile,email` | Comma-separated list of OIDC scopes                          |
-| `--oidc-user-id-field`      | `OIDC_USER_ID_FIELD`      | `/email`               | JSON pointer to user ID field in userinfo endpoint response  |
+| Option                           | Environment Variable           | Default                | Description                                                                       |
+| -------------------------------- | ------------------------------ | ---------------------- | --------------------------------------------------------------------------------- |
+| `--oidc-configuration-url`       | `OIDC_CONFIGURATION_URL`       | -                      | OIDC configuration URL                                                            |
+| `--oidc-client-id`               | `OIDC_CLIENT_ID`               | -                      | OIDC client ID                                                                    |
+| `--oidc-client-secret`           | `OIDC_CLIENT_SECRET`           | -                      | OIDC client secret                                                                |
+| `--oidc-allowed-users`           | `OIDC_ALLOWED_USERS`           | -                      | Comma-separated list of allowed OIDC users (exact match)                          |
+| `--oidc-allowed-users-glob`      | `OIDC_ALLOWED_USERS_GLOB`      | -                      | Comma-separated list of glob patterns for allowed OIDC users                      |
+| `--oidc-allowed-attributes`      | `OIDC_ALLOWED_ATTRIBUTES`      | -                      | Comma-separated list of allowed attribute key=value pairs (e.g., `/groups=admin`) |
+| `--oidc-allowed-attributes-glob` | `OIDC_ALLOWED_ATTRIBUTES_GLOB` | -                      | Comma-separated list of attribute key=pattern pairs for glob matching             |
+| `--oidc-provider-name`           | `OIDC_PROVIDER_NAME`           | `OIDC`                 | Display name for OIDC provider                                                    |
+| `--oidc-scopes`                  | `OIDC_SCOPES`                  | `openid,profile,email` | Comma-separated list of OIDC scopes                                               |
+| `--oidc-user-id-field`           | `OIDC_USER_ID_FIELD`           | `/email`               | JSON pointer to user ID field in userinfo endpoint response                       |
 
 ##### OIDC User Matching
 
@@ -87,6 +89,46 @@ You can use both exact matching and glob patterns for OIDC user authorization:
 --oidc-allowed-users-glob "*@example.com"
 ```
 
+##### OIDC Attribute-Based Authorization
+
+You can also authorize users based on attributes from the userinfo endpoint (e.g., group memberships, roles, departments). This is useful when you need to restrict access based on IdP-provided claims beyond just the user ID.
+
+- **Exact attribute matching** (`--oidc-allowed-attributes`): Attribute values must match exactly
+- **Glob attribute patterns** (`--oidc-allowed-attributes-glob`): Attribute values are matched against glob patterns
+
+Attribute keys use [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) syntax to reference fields in the userinfo response. Both string and array attribute values are supported.
+
+**Examples:**
+
+```bash
+# Allow users in the "engineering" department
+--oidc-allowed-attributes "/department=engineering"
+
+# Allow users in the "admin" group (works with array values)
+--oidc-allowed-attributes "/groups=admin"
+
+# Allow users whose group matches a pattern
+--oidc-allowed-attributes-glob "/groups=*-admins"
+
+# Nested attribute (e.g., {"org": {"team": "platform"}})
+--oidc-allowed-attributes "/org/team=platform"
+
+# Multiple allowed values for the same attribute
+--oidc-allowed-attributes "/groups=admin,/groups=developers"
+
+# Combined with user matching
+--oidc-allowed-users "[email protected]" \
+--oidc-allowed-attributes "/groups=data-science" \
+--oidc-allowed-attributes-glob "/groups=*-admins"
+```
+
+:::tip Okta Configuration
+For Okta, you typically need to:
+
+1. Add the `groups` scope: `--oidc-scopes "openid,profile,email,groups"`
+2. Configure a groups claim in Okta Admin (Security → API → Authorization Servers → Claims)
+   :::
+
 ### Cryptographic Key Options
 
 - **`AUTH_HMAC_SECRET`** — Base64-encoded 32-byte secret for HMAC/cookie signing. Default: auto-generated.
 
@@ -45,8 +45,11 @@ services:
       - OIDC_CONFIGURATION_URL=https://your-oidc-provider/.well-known/openid_configuration
       - OIDC_CLIENT_ID=your-oidc-client-id
       - OIDC_CLIENT_SECRET=your-oidc-client-secret
+      - OIDC_SCOPES=openid,profile,email,groups
       - [email protected]
       - OIDC_ALLOWED_USERS_GLOB=*@example.com
+      - OIDC_ALLOWED_ATTRIBUTES=/groups=admin,/department=engineering
+      - OIDC_ALLOWED_ATTRIBUTES_GLOB=/groups=*-admins
       - TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
     volumes:
       - ./data:/data
 
@@ -125,6 +125,36 @@ Configure OAuth providers to enable secure authentication for your MCP server.
   -- your-mcp-command
 ```
 
+#### Attribute-based authorization:
+
+Authorize users based on attributes like group memberships or roles from the userinfo endpoint:
+
+```bash
+./mcp-auth-proxy \
+  --external-url https://{your-domain} \
+  --tls-accept-tos \
+  --oidc-configuration-url "https://your-provider.com/.well-known/openid-configuration" \
+  --oidc-client-id "your-oidc-client-id" \
+  --oidc-client-secret "your-oidc-client-secret" \
+  --oidc-scopes "openid,profile,email,groups" \
+  --oidc-allowed-attributes "/groups=engineering" \
+  -- your-mcp-command
+```
+
+#### Attribute glob patterns:
+
+```bash
+./mcp-auth-proxy \
+  --external-url https://{your-domain} \
+  --tls-accept-tos \
+  --oidc-configuration-url "https://your-provider.com/.well-known/openid-configuration" \
+  --oidc-client-id "your-oidc-client-id" \
+  --oidc-client-secret "your-oidc-client-secret" \
+  --oidc-scopes "openid,profile,email,groups" \
+  --oidc-allowed-attributes-glob "/groups=*-admins" \
+  -- your-mcp-command
+```
+
 ### Provider-Specific Examples
 
 #### Okta
@@ -133,6 +163,27 @@ Configure OAuth providers to enable secure authentication for your MCP server.
 --oidc-configuration-url "https://your-domain.okta.com/.well-known/openid-configuration"
 ```
 
+For group-based authorization with Okta:
+
+1. Add the `groups` scope to your request:
+
+   ```bash
+   --oidc-scopes "openid,profile,email,groups"
+   ```
+
+2. Configure a groups claim in Okta Admin:
+
+   - Go to Security → API → Authorization Servers
+   - Select your authorization server → Claims tab
+   - Add a claim named "groups" with value type "Groups" and filter as needed
+
+3. Use attribute-based authorization:
+   ```bash
+   --oidc-allowed-attributes "/groups=data-science"
+   # or with glob patterns:
+   --oidc-allowed-attributes-glob "/groups=*-admins"
+   ```
+
 #### Auth0
 
 ```bash
@@ -181,8 +232,11 @@ export GITHUB_ALLOWED_ORGS="org1,org2:team1"
 export OIDC_CONFIGURATION_URL="https://provider.com/.well-known/openid-configuration"
 export OIDC_CLIENT_ID="your-oidc-client-id"
 export OIDC_CLIENT_SECRET="your-oidc-client-secret"
+export OIDC_SCOPES="openid,profile,email,groups"
 export OIDC_ALLOWED_USERS="[email protected],[email protected]"
 export OIDC_ALLOWED_USERS_GLOB="*@example.com"
+export OIDC_ALLOWED_ATTRIBUTES="/groups=admin,/department=engineering"
+export OIDC_ALLOWED_ATTRIBUTES_GLOB="/groups=*-admins"
 
 ./mcp-auth-proxy --external-url https://{your-domain} --tls-accept-tos -- your-mcp-command
 ```
@@ -64,6 +64,33 @@ func splitWithEscapes(s, delimiter string) []string {
 	return result
 }
 
+// parseAttributeMap parses a comma-separated string of key=value pairs into a map
+// where each key can have multiple values. Format: /key1=value1,/key1=value2,/key2=value3
+// Keys are JSON pointers to attributes in the userinfo response.
+func parseAttributeMap(s string) map[string][]string {
+	result := make(map[string][]string)
+	if s == "" {
+		return result
+	}
+	parts := splitWithEscapes(s, ",")
+	for _, part := range parts {
+		part = strings.TrimSpace(part)
+		if part == "" {
+			continue
+		}
+		eqIdx := strings.Index(part, "=")
+		if eqIdx == -1 {
+			continue
+		}
+		key := strings.TrimSpace(part[:eqIdx])
+		value := strings.TrimSpace(part[eqIdx+1:])
+		if key != "" && value != "" {
+			result[key] = append(result[key], value)
+		}
+	}
+	return result
+}
+
 type proxyRunnerFunc func(
 	listen string,
 	tlsListen string,
@@ -93,6 +120,8 @@ type proxyRunnerFunc func(
 	oidcProviderName string,
 	oidcAllowedUsers []string,
 	oidcAllowedUsersGlob []string,
+	oidcAllowedAttributes map[string][]string,
+	oidcAllowedAttributesGlob map[string][]string,
 	noProviderAutoSelect bool,
 	password string,
 	passwordHash string,
@@ -138,6 +167,8 @@ func newRootCommand(run proxyRunnerFunc) *cobra.Command {
 	var oidcProviderName string
 	var oidcAllowedUsers string
 	var oidcAllowedUsersGlob string
+	var oidcAllowedAttributes string
+	var oidcAllowedAttributesGlob string
 	var noProviderAutoSelect bool
 	var password string
 	var passwordHash string
@@ -194,6 +225,9 @@ func newRootCommand(run proxyRunnerFunc) *cobra.Command {
 				oidcAllowedUsersGlobList = splitWithEscapes(oidcAllowedUsersGlob, ",")
 			}
 
+			oidcAllowedAttributesMap := parseAttributeMap(oidcAllowedAttributes)
+			oidcAllowedAttributesGlobMap := parseAttributeMap(oidcAllowedAttributesGlob)
+
 			var oidcScopesList []string
 			if oidcScopes != "" {
 				oidcScopesList = strings.Split(oidcScopes, ",")
@@ -250,6 +284,8 @@ func newRootCommand(run proxyRunnerFunc) *cobra.Command {
 				oidcProviderName,
 				oidcAllowedUsersList,
 				oidcAllowedUsersGlobList,
+				oidcAllowedAttributesMap,
+				oidcAllowedAttributesGlobMap,
 				noProviderAutoSelect,
 				password,
 				passwordHash,
@@ -298,6 +334,8 @@ func newRootCommand(run proxyRunnerFunc) *cobra.Command {
 	rootCmd.Flags().StringVar(&oidcProviderName, "oidc-provider-name", getEnvWithDefault("OIDC_PROVIDER_NAME", "OIDC"), "Display name for OIDC provider")
 	rootCmd.Flags().StringVar(&oidcAllowedUsers, "oidc-allowed-users", getEnvWithDefault("OIDC_ALLOWED_USERS", ""), "Comma-separated list of allowed OIDC users")
 	rootCmd.Flags().StringVar(&oidcAllowedUsersGlob, "oidc-allowed-users-glob", getEnvWithDefault("OIDC_ALLOWED_USERS_GLOB", ""), "Comma-separated list of glob patterns for allowed OIDC users")
+	rootCmd.Flags().StringVar(&oidcAllowedAttributes, "oidc-allowed-attributes", getEnvWithDefault("OIDC_ALLOWED_ATTRIBUTES", ""), "Comma-separated list of allowed attribute key=value pairs (e.g., /groups=admin,/roles=editor). Keys are JSON pointers.")
+	rootCmd.Flags().StringVar(&oidcAllowedAttributesGlob, "oidc-allowed-attributes-glob", getEnvWithDefault("OIDC_ALLOWED_ATTRIBUTES_GLOB", ""), "Comma-separated list of attribute key=pattern pairs for glob matching (e.g., /groups=*-admins,/email=*@example.com). Keys are JSON pointers.")
 
 	// Password authentication
 	rootCmd.Flags().BoolVar(&noProviderAutoSelect, "no-provider-auto-select", getEnvBoolWithDefault("NO_PROVIDER_AUTO_SELECT", false), "Disable auto-redirect when only one OAuth/OIDC provider is configured and no password is set")
 
@@ -85,6 +85,89 @@ func TestSplitWithEscapes(t *testing.T) {
 	}
 }
 
+func TestParseAttributeMap(t *testing.T) {
+	testCases := []struct {
+		name     string
+		input    string
+		expected map[string][]string
+	}{
+		{
+			name:     "empty string",
+			input:    "",
+			expected: map[string][]string{},
+		},
+		{
+			name:  "single key-value pair",
+			input: "/groups=admin",
+			expected: map[string][]string{
+				"/groups": {"admin"},
+			},
+		},
+		{
+			name:  "multiple values for same key",
+			input: "/groups=admin,/groups=users",
+			expected: map[string][]string{
+				"/groups": {"admin", "users"},
+			},
+		},
+		{
+			name:  "multiple keys",
+			input: "/groups=admin,/department=engineering",
+			expected: map[string][]string{
+				"/groups":     {"admin"},
+				"/department": {"engineering"},
+			},
+		},
+		{
+			name:  "nested key with JSON pointer",
+			input: "/org/team=platform",
+			expected: map[string][]string{
+				"/org/team": {"platform"},
+			},
+		},
+		{
+			name:  "glob pattern value",
+			input: "/groups=*-admins,/email=*@example.com",
+			expected: map[string][]string{
+				"/groups": {"*-admins"},
+				"/email":  {"*@example.com"},
+			},
+		},
+		{
+			name:  "whitespace trimming",
+			input: " /groups = admin , /role = editor ",
+			expected: map[string][]string{
+				"/groups": {"admin"},
+				"/role":   {"editor"},
+			},
+		},
+		{
+			name:     "invalid format - no equals sign",
+			input:    "invalid",
+			expected: map[string][]string{},
+		},
+		{
+			name:     "invalid format - empty key",
+			input:    "=value",
+			expected: map[string][]string{},
+		},
+		{
+			name:     "invalid format - empty value",
+			input:    "/key=",
+			expected: map[string][]string{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := parseAttributeMap(tc.input)
+			if !reflect.DeepEqual(result, tc.expected) {
+				t.Errorf("Expected %v, got %v", tc.expected, result)
+			}
+		})
+	}
+}
+
 func TestGetEnvWithDefault(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -251,6 +334,8 @@ func TestNewRootCommand_HTTPStreamingOnlyFlag(t *testing.T) {
 		oidcProviderName string,
 		oidcAllowedUsers []string,
 		oidcAllowedUsersGlob []string,
+		oidcAllowedAttributes map[string][]string,
+		oidcAllowedAttributesGlob map[string][]string,
 		noProviderAutoSelect bool,
 		password string,
 		passwordHash string,
@@ -312,6 +397,8 @@ func TestNewRootCommand_HTTPStreamingOnlyFromEnv(t *testing.T) {
 		oidcProviderName string,
 		oidcAllowedUsers []string,
 		oidcAllowedUsersGlob []string,
+		oidcAllowedAttributes map[string][]string,
+		oidcAllowedAttributesGlob map[string][]string,
 		noProviderAutoSelect bool,
 		password string,
 		passwordHash string,