kite-org · zxh326 · Mar 28, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 28, 2026
diff --git a/docs/config/oauth-setup.md b/docs/config/oauth-setup.md
@@ -20,6 +20,14 @@ In the user interface with the **admin** role, the settings entry will be displa
 Follow the instructions on the page to fill in the basic information to use OAuth login.
 ![OAuth](../screenshots/oauth.png)
 
+### Advanced Settings
+
+Kite supports overriding default OIDC claims and restricting access based on user groups. These options can be configured in the **Advanced Settings** section when adding or editing an OAuth Provider:
+
+- **Username Claim**: Overrides the default claim used to extract the user's username (e.g., `preferred_username`, `upn`, or `nickname`). If left empty, Kite uses standard claims like `email` or `name`.
+- **Groups Claim**: Overrides the default claim used to extract the user's groups (e.g., `groups`, `memberOf`, or `roles`). If left empty, Kite defaults to standard group representations.
+- **Allowed Groups**: Restricts login to users who belong to specific groups. Enter a comma-separated list of group names (e.g., `admin, developers`). If configured, users must belong to at least one of these groups to log in. Users without a matching group are denied access.
+
 ## Common Issues
 
 ### User shows no permissions after login