diff --git a/server/modules/authentication/oauth2/authentication.js b/server/modules/authentication/oauth2/authentication.js
index 7be57f74..ce66c3db 100644
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@@ -31,6 +31,19 @@ module.exports = {
             email: _.get(profile, conf.emailClaim)
           }
         })
+        if (conf.mapGroups) {
+          const groups = _.get(profile, conf.groupsClaim)
+          if (groups && _.isArray(groups)) {
+            const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
+            const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
+            for (const groupId of _.difference(expectedGroups, currentGroups)) {
+              await user.$relatedQuery('groups').relate(groupId)
+            }
+            for (const groupId of _.difference(currentGroups, expectedGroups)) {
+              await user.$relatedQuery('groups').unrelate().where('groupId', groupId)
+            }
+          }
+        }
         cb(null, user)
       } catch (err) {
         cb(err, null)
diff --git a/server/modules/authentication/oauth2/definition.yml b/server/modules/authentication/oauth2/definition.yml
index 45c19183..0e599629 100644
--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@@ -54,25 +54,38 @@ props:
     default: email
     maxWidth: 500
     order: 8
+  mapGroups:
+    type: Boolean
+    title: Map Groups
+    hint: Map groups matching names from the groups claim value
+    default: false
+    order: 9
+  groupsClaim:
+    type: String
+    title: Groups Claim
+    hint: Field containing the group names
+    default: groups
+    maxWidth: 500
+    order: 10
   logoutURL:
     type: String
     title: Logout URL
     hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
-    order: 9
+    order: 11
   scope:
     type: String
     title: Scope
     hint: (optional) Application Client permission scopes.
-    order: 10
+    order: 12
   useQueryStringForAccessToken:
     type: Boolean
     default: false
     title: Pass access token via GET query string to User Info Endpoint
     hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
-    order: 11
+    order: 13
   enableCSRFProtection:
     type: Boolean
     default: true
     title: Enable CSRF protection
     hint: Pass a nonce state parameter during authentication to protect against CSRF attacks.
-    order: 12
+    order: 14