From 4e6d42d5bd698b55e444ce50e3421057870aa177 Mon Sep 17 00:00:00 2001 From: Florian Preinstorfer Date: Fri, 22 Aug 2025 17:54:33 +0200 Subject: [PATCH] Keycloak's group format is configurable --- docs/ref/oidc.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/ref/oidc.md b/docs/ref/oidc.md index 25845821..d39c9e63 100644 --- a/docs/ref/oidc.md +++ b/docs/ref/oidc.md @@ -289,8 +289,10 @@ you need to [authorize access based on group membership](#authorize-users-with-f - Edit the Headscale client. - Search for the client scope `group`. - Add it with assigned type `Default`. -- [Configure the allowed groups in Headscale](#authorize-users-with-filters). Keep in mind that groups in Keycloak start - with a leading `/`. +- [Configure the allowed groups in Headscale](#authorize-users-with-filters). How groups need to be specified depends on + Keycloak's `Full group path` option: + - `Full group path` is enabled: groups contain their full path, e.g. `/top/group1` + - `Full group path` is disabled: only the name of the group is used, e.g. `group1` ### Microsoft Entra ID
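Review bot: The two added sub-bullets under "Configure the allowed groups in Headscale" name Keycloak's `Full group path` option but do not say where it is set or which state a reader should expect after following the preceding steps (add the client scope `group` with assigned type `Default`), so the reader still cannot tell which form to put in the filter. Suggest stating where the option is found and what to check before filling in the allowed groups. It would also help to spell out the consequence of the disabled case: if "only the name of the group is used, e.g. `group1`", then groups with the same name under different parents appear identically in the claim, which matters when the filter is used for authorization; a short sentence recommending the full-path form for that situation would close the gap. The removed wording about the leading `/` is now carried only by the `/top/group1` example, so consider keeping an explicit mention that the full-path form starts with `/`.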