feat(oidc): Add flag to forward all logs, even if allowedGroups is set

[peschmae]

Overview

Currently if the allowedGroups flag is set in a oidc connector, only the matching groups are kept in the claim. This was introduced in #3074

Shortly afterwards the regex filter for groups was introduced in #3063 which is applied first.

This change adds a new config flag forwardAllGroups which keeps the (filtered) groups in the claim, even if allowedGroups is used.

What this PR does / why we need it

We are running dex, and want to limit the groups which can login to a Authentication group (eg. SERVICE_GROUP), but in the service, we also need a list of Authorization groups (eg. SERVICE_GROUP_ADMIN, SERVICE_GROUP_VIEWER). Currently we would need to have all groups in the allowedGroups list to check for the in the service behind dex. If you have a large list of Authorization groups (or a dynamic list), it's not possible to have all of them forwarded without updating the dex config each time a new one is added.

With this new field, it would be possible to configure allowedGroups to limit who can login, and then also use the claimModification.filterGroupClaims to only send the relevant groups to the backend service.

It is implemented in a backwards compatible way, so that the behaviour doesn't change unless the user enabled the forwardAllGroups flag.

Special notes for your reviewer

[nabokihms]

Hello @peschmae and thanks for the PR!

We are planning to go from the custom connector group filtering logic to a policy solution. The idea is briefly discussed here. https://github.com/dexidp/dex/blob/master/docs/enhancements/cel-expressions-2026-02-28.md

[peschmae]

Updated the branch to fix linting issues.

@nabokihms Oh that sounds awesome! :) I guess this won't be merged then?
Are there some stories/issues already where one could contribute to this feature?

[nabokihms]

As of today, we don't have anything more structured than thoughts in the DEP.