The magic of authentication methods happens in the ir.http model from the base add-on. For whatever value you pass to the auth parameter in your route, Odoo searches for a function called _auth_method_<yourvalue> on this model, so you can easily customize it by inheriting it and declaring a method that takes care of your authentication method of choice.

As an example, we will provide an authentication method called base_group_user, which will only authorize the user, if currently logged in user is part of the group base.group_user, as shown in the following example:

from odoo import exceptions, http, models 
from odoo.http import request 
 
class IrHttp(models.Model): 
  _inherit = 'ir.http' 
 
  def _auth_method_base_group_user(self): 
    self._auth_method_user() 
    if not request.env.user.has_group('base.group_user'): 
      raise exceptions.AccessDenied() 

Now you can say auth='base_group_user' in your decorator, and be sure that users running this route's handler are members of the group. With a little trickery, you can extend this to auth='groups(xmlid1,...)'; its implementation is left as an exercise to the reader, but is included in the GitHub repository example code at Chapter14/r2_paths_auth/my_library/models/sample_auth_http.py .