diff --git a/oauthenticator/tests/test_generic.py b/oauthenticator/tests/test_generic.py
index a23a4723..71f26683 100644
--- a/oauthenticator/tests/test_generic.py
+++ b/oauthenticator/tests/test_generic.py
@@ -335,6 +335,35 @@ async def test_generic_claim_groups_key_nested_strings(
     assert auth_model["admin"]
 
 
+async def test_generic_auth_model_groups_key_callable(get_authenticator, generic_client):
+    c = Config()
+    c.GenericOAuthenticator.auth_model_groups_key = lambda r: r["auth_state"]["oauth_user"]["policies"]["roles"]
+    c.GenericOAuthenticator.allowed_groups = ["super_user"]
+    authenticator = get_authenticator(config=c)
+
+    handled_user_model = user_model("user1", policies={"roles": ["super_user"]})
+    handler = generic_client.handler_for_user(handled_user_model)
+    auth_model = await authenticator.get_authenticated_user(handler, None)
+
+    assert auth_model
+
+
+async def test_generic_auth_model_groups_key_nested_strings(
+    get_authenticator, generic_client
+):
+    c = Config()
+    c.GenericOAuthenticator.auth_model_groups_key = "auth_state.oauth_user.permissions.groups"
+    c.GenericOAuthenticator.admin_groups = ["super_user"]
+    authenticator = get_authenticator(config=c)
+
+    handled_user_model = user_model("user1", permissions={"groups": ["super_user"]})
+    handler = generic_client.handler_for_user(handled_user_model)
+    auth_model = await authenticator.get_authenticated_user(handler, None)
+
+    assert auth_model
+    assert auth_model["admin"]
+
+
 @mark.parametrize(
     "name, allowed",
     [