diff --git a/packages/api/src/controllers/auth.js b/packages/api/src/controllers/auth.js
index 0171f3ae0..1d1b127ab 100644
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -90,6 +90,24 @@ module.exports = {
 ) {
 return { error: `Username ${login} not allowed to log in` };
 }
+
+ const groups =
+ process.env.OAUTH_GROUP_FIELD && payload && payload[process.env.OAUTH_GROUP_FIELD]
+ ? payload[process.env.OAUTH_GROUP_FIELD]
+ : [];
+
+ const allowedGroups =
+ process.env.OAUTH_ALLOWED_GROUPS
+ ? process.env.OAUTH_ALLOWED_GROUPS.split(',').map(group => group.toLowerCase().trim())
+ : [];
+
+ if (
+ process.env.OAUTH_ALLOWED_GROUPS &&
+ !groups.some(group => allowedGroups.includes(group.toLowerCase().trim()))
+ ) {
+ return { error: `Username ${login} does not belong to an allowed group` };
+ }
+
 if (access_token) {
 return {
 accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: getTokenLifetime() }),
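Review bot: The new `groups.some(group => ... group.toLowerCase().trim())` check assumes the `OAUTH_GROUP_FIELD` claim is an array of strings; if the identity provider emits a single group as a plain string, or the array contains a non-string element, the call throws a TypeError on the login path instead of returning the `does not belong to an allowed group` error, which presumably surfaces as a server error rather than a denied login. Normalising the claim before the membership test keeps the check fail-closed for any claim shape: `const claim = process.env.OAUTH_GROUP_FIELD && payload ? payload[process.env.OAUTH_GROUP_FIELD] : undefined;` followed by `const groups = (Array.isArray(claim) ? claim : [claim]).filter(group => typeof group === 'string');`. A short comment above the block noting that when `OAUTH_ALLOWED_GROUPS` is set a token with no matching (or no readable) group claim is always rejected would document that fail-closed behaviour for operators configuring the two variables. The enclosing handler starts before this hunk and continues after it.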