Filtering users via SSO

I’m writing a backend for singing in users via our internal OAuth and would like to filter user based on groups returned by the SSO itself.
Unfortunately I can’t seem to find the right method to deny access, as throwing an IdentityNotValid exception in build_identity() results in an error message for the user. Any hints as to where I should look into?

OK, found the answer the moment I clicked “post”:
In the third pipeline step (FetchUser from the Google plugin) just return a helper.error('some message') after checking the group in the oauth token…