New in 1.21.0


Defines authentication groups for visibility categories.

With Scrivito’s visibility categories, accessing specific content as a logged-in user can be made subject to being a member of an authentication group. The group memberships of the current user are provided through an OpenID Connect token. When managing visibility categories, a CMS administrator can specify the required group membership in the process of setting up a visibility category.

By means of provideAuthGroups, administrators can be provided with the list of valid group identifiers in a human-readable form instead of having to deal with names that are hard to remember and to enter without making mistakes. Additionally, autocompletion becomes available.


  • authGroups​ (Object) – Authentication groups declaration. The keys in the declaration are expected to be the group names, and need to correspond to those passed in via the OpenID Connect token. The values are human-readable labels displayed to the user configuring visibility categories.


Calling provideAuthGroups API is optional: If an application does not use it, the user interface still provides its plain-text editing facilities.

Depending on the number of groups and how often they change, consider the following approaches to handling them:

  • If groups change infrequently, hardcoding them in the application (or in a configuration file) may be an option.
  • If groups are to be taken directly from an ActiveDirectory instance, you could either pull them (provided that the server is accessible through a reverse-proxy), or have the ActiveDirectory instance regularly push them to a location the application has access to, e.g. an S3 bucket.
  • Groups and their localizations could also be stored as content inside the CMS itself, e.g. using a configuration object.