diff --git a/default.nix b/default.nix
index 1edcd0b..fe8c66e 100644
--- a/default.nix
+++ b/default.nix
@@ -5,7 +5,7 @@ buildGoModule rec {
 src = ./.;
- vendorSha256 = "sha256-fskmRb9zXLGkL0sJ4P1/sNjzZkUZhAguOCSN1etQ2tU=";
+ vendorSha256 = "sha256-yJHwZLNlZHB9Jo+Xo9c1wy00faiY4oURyYbhNx3yMK8=";
 meta = with lib; {
 description = "Simple distributed authentication system";
diff --git a/internal/webui/pg_auth.go b/internal/webui/pg_auth.go
index ebe8d1b..a42e4bb 100644
--- a/internal/webui/pg_auth.go
+++ b/internal/webui/pg_auth.go
@@ -13,17 +13,40 @@ func (s *Service) authGet(w http.ResponseWriter, r *http.Request) {
 return
 }
- headers := w.Header()
- headers.Add("X-Webauth-UserID", tok.Subject())
- headers.Add("X-Webauth-User", tok.PreferredUsername())
- headers.Add("X-Webauth-Email", tok.Email())
+ if err := r.ParseForm(); err != nil {
+ zap.S().Errorf("Error parsing request parameters: %v", err)
+ s.renderBadRequest(w, r)
+ return
+ }
 groups, err := getTokenGroupIDs(tok)
 if err != nil {
 zap.S().Errorf("Error getting groups from token: %v", err)
- } else {
- headers["X-Webauth-Groups"] = groups
+ s.renderError(w)
+ return
 }
+ if reqGroup := r.FormValue("required_group"); reqGroup != "" {
+ found := false
+ for _, g := range groups {
+ if g == reqGroup {
+ found = true
+ break
+ }
+ }
+
+ if !found {
+ zap.S().Debug("User %s doesn't have required group %s", tok.Subject(), reqGroup)
+ s.renderForbidden(w, r)
+ return
+ }
+ }
+
+ headers := w.Header()
+ headers.Add("X-Webauth-UserID", tok.Subject())
+ headers.Add("X-Webauth-User", tok.PreferredUsername())
+ headers.Add("X-Webauth-Email", tok.Email())
+ headers["X-Webauth-Groups"] = groups
+ w.WriteHeader(http.StatusNoContent)
+ }
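Review bot: The forbidden branch in the `required_group` block logs with `zap.S().Debug(...)` but passes printf verbs, so the `%s` placeholders are written out literally and the subject and group name are merely appended to the message (the sugared `Debug` is Sprint-style, while the `Errorf` calls in the same hunk use the formatting variant); it should read `zap.S().Debugf("User %s doesn't have required group %s", tok.Subject(), reqGroup)`. The hand-written membership loop over `groups` could become `slices.Contains(groups, reqGroup)` if the module targets Go 1.21 or later, which the hunk does not reveal. Since `required_group` arrives with the request, the check only has meaning when the proxy's auth subrequest configuration, not the end user, supplies it; a one-line comment above the `r.FormValue("required_group")` lookup stating that assumption would make the trust boundary explicit. The `authGet` function begins before this hunk, so the token lookup whose early return is visible at the top is not under review here.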