Technical lift of migrating whitelisted Discourse to SSO

I’m considering using Discourse for a discussion board for several thousand people (though never all at once) to replace a Facebook group. The primary reason for this (aside from superior UX) is to control access to the board. My question is one of how we can control that access:

  1. Ideally we would start with a local login, with account creation controlled by a whitelist set by admins. We would also want to periodically update the whitelist and prune members who should no longer have access.
  2. In the future we may have our own SSO service where a user group or role provided by the SSO/OpenID Connect would be the source of truth on whether a user can have access. At this point we would want to remove the other login option. It seems like users could just add to their existing account a new connection for that SSO with the same email once configured.
  3. Related to the above, wondering whether categories can be made private based on OIDC role or group.

Sorry if this is probably covered in some of the docs, but I’m a little new to the ins and outs of this area and am mostly wondering whether these are well-trod paths for a small team of volunteer engineers and admins.

Right now, there is no group sync support for OIDC.