docs(groups): correct claim-key configurability and deny-list wording

appleboy · claude · appleboy · commit de467cb1527c · 2026-06-03T19:10:34.000+08:00
- Note in the group form that the emitted claim key defaults to groups and is configurable via OIDC_GROUPS_CLAIM_NAME
- Clarify in .env.example and docs/GROUPS.md that the system: deny-list is applied to both the raw name and the prefixed value, not only before prefixing

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.env.example b/.env.example
@@ -88,8 +88,9 @@ SESSION_SECRET=session-secret-change-in-production
 # OIDC_GROUPS_CLAIM_NAME=groups    # Example: OIDC_GROUPS_CLAIM_NAME=roles
 #
 # OIDC_GROUPS_PREFIX — optional string prepended to every emitted group name
-# (e.g. "oidc:"). Default empty. Applied before the system: deny-list, so a
-# prefix that produces a system: value is still dropped.
+# (e.g. "oidc:"). Default empty. The system: deny-list is applied to BOTH the
+# raw name and the prefixed value, so a name or a prefix that resolves to a
+# system: value is always dropped.
 # OIDC_GROUPS_PREFIX=              # Example: OIDC_GROUPS_PREFIX=oidc:
 
 # JWT Token Expiration
diff --git a/docs/GROUPS.md b/docs/GROUPS.md
@@ -47,8 +47,9 @@ until an admin adds the scope.
 
 Both emission sites (id_token and `/oauth/userinfo`) resolve the claim key and
 prefix from the same config and run names through the same
-`services.BuildGroupsClaim` transform (deny-list → prefix → de-dup → sort), so
-the two views are always identical.
+`services.BuildGroupsClaim` transform — the `system:` deny-list is applied both
+before and after prefixing, then the optional prefix, de-dup, and sort — so the
+two views are always identical.
 
 ## Managing groups
 
diff --git a/internal/templates/admin_group_form.templ b/internal/templates/admin_group_form.templ
@@ -32,7 +32,8 @@ templ AdminGroupForm(props GroupFormPageProps) {
 					<div class="admin-form-header">
 						<h1 class="admin-form-title">{ groupFormTitle(props) }</h1>
 						<p class="admin-form-subtitle">
-							The group name is emitted in the OIDC <code>groups</code> claim for members.
+							The group name is emitted in the OIDC groups claim for members
+							(default key <code>groups</code>, configurable via <code>OIDC_GROUPS_CLAIM_NAME</code>).
 							Names starting with <code>system:</code> are not allowed.
 						</p>
 					</div>
