diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1477c99d..967455db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - [#3278](https://github.com/oauth2-proxy/oauth2-proxy/pull/3278) feat: possibility to inject id_token in redirect url during sign out (@albanf)
 - [#2851](https://github.com/oauth2-proxy/oauth2-proxy/pull/2851) feat: add support for specifying allowed OIDC JWT signing algorithms (#2753) (@andoks / @tuunit)
 - [#3369](https://github.com/oauth2-proxy/oauth2-proxy/pull/3369) fix: use CSRFExpire instead of Expire for CSRF cookie validation (@Br1an67)
+- [#3365](https://github.com/oauth2-proxy/oauth2-proxy/pull/3365) fix: filter empty strings from allowed groups (@Br1an67)
 # V7.14.3
diff --git a/providers/provider_data.go b/providers/provider_data.go
index 8f9d1e36..80bd77ae 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -194,6 +194,10 @@ func regexpForRule(rule options.URLParameterRule) string {
 func (p *ProviderData) setAllowedGroups(groups []string) {
 p.AllowedGroups = make(map[string]struct{}, len(groups))
 for _, group := range groups {
+ if len(group) == 0 {
+ continue
+ }
+
 p.AllowedGroups[group] = struct{}{}
 }
 }
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go
index 0fbe7abd..9370cdca 100644
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@@ -102,6 +102,18 @@ func TestProviderDataAuthorize(t *testing.T) {
 groups: []string{"baz", "foo"},
 expectedAuthZ: false,
 },
+ {
+ name: "AllowedGroupsWithEmptyString",
+ allowedGroups: []string{"group2", ""},
+ groups: []string{"group1", "group2"},
+ expectedAuthZ: true,
+ },
+ {
+ name: "AllowedGroupsOnlyEmptyString",
+ allowedGroups: []string{""},
+ groups: []string{"group1", "group2"},
+ expectedAuthZ: true,
+ },
 }
 for _, tc := range testCases {
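Review bot: Dropping empty entries silently in `setAllowedGroups` means a list made up only of empty strings now yields an empty `AllowedGroups` map, and the new `AllowedGroupsOnlyEmptyString` test expects that to authorize the session. If an empty map means "no group restriction" in `Authorize` (outside this hunk, so this is inferred from the test), a deployment whose allowed-group value comes from an unset variable moves from denying everyone to admitting every authenticated user, with no signal to the operator. I would at least document that on the guard, e.g. `// Empty entries are ignored; if all entries are empty, no group restriction is applied.`, and consider logging a warning or failing option validation when a non-empty input list filters down to nothing. The check also leaves whitespace-only entries such as `" "` in the map, which may or may not be intended.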
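Review bot: Both cases added to the `TestProviderDataAuthorize` table expect `true`, so nothing pins that an empty entry cannot widen access when a real group is also configured. A denying case would cover that, for example `{name: "AllowedGroupsWithEmptyStringNoMatch", allowedGroups: []string{"group3", ""}, groups: []string{"group1", ""}, expectedAuthZ: false},`, where the session carries an empty group name that must not match. The table and the test function start and end outside this hunk, so the field names are taken from the visible cases.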