Modify authentication to pull users' UMGs and match to an authorized group

[ajkiessl]

Replace the current environment-variable-based allowed users list with a dynamic Azure AD User Managed Group (UMG).

---

Current Behavior

• Allowed users are stored in an ENV variable
• Header from OAuth (Azure AD) is checked against this list to authorize access

---

Desired Behavior

• Maintain a User Managed Group (UMG) in Azure AD
• Application checks UMG on user login
• Only members of the UMG are authorized

---

Implementation Steps

• Create a User Managed Group (UMG) in Azure AD

• Add current allowed users to this UMG

• Update app auth code to query Azure AD for group membership using OAuth token
  Check ScholarSphere for an implementation example

• Replace ENV-based lookup with UMG membership check

• Write specs to test:

  • Authorized user (in UMG) can access
  • Unauthorized user (not in UMG) is blocked

[jrpatterson]

Alex, Can you add Binky and I as an additional owner to this UMG once created. Thanks, Justin

…

________________________________ From: Alex Kiessling ***@***.***> Sent: Monday, February 2, 2026 9:59 AM To: psu-libraries/pdf_accessibility_api ***@***.***> Cc: Subscribed ***@***.***> Subject: [psu-libraries/pdf_accessibility_api] Modify authentication to pull users' UMGs and match to an authorized group (Issue #228) [https://avatars.githubusercontent.com/u/32677188?s=20&v=4]ajkiessl created an issue (psu-libraries/pdf_accessibility_api#228)<#228> — Reply to this email directly, view it on GitHub<#228>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AASPMY46C23F5OQUHPOIFOT4J5Q5ZAVCNFSM6AAAAACTWFVJK6VHI2DSMVQWIX3LMV43ASLTON2WKOZTHA4DMNBQGY2DAMA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>