Restrict login for users via OpenID

Hi @all,
I let my users fall into the three groups (Admin, Publisher, Viewer) via an OpenIDC claim. This works as expected. But when a user logs in who is in none of the three groups, he is always put into the Viewer group and "eats" a license. My first idea was to block it via DefaultUserRole, but the allowed values are publisher or viewer. So any user who is not in one of the three groups is automatically licensed as a viewer. How can I prevent an ungrouped user from being put into the Viewer group?
Currently I use:

[Authorization]
UserRoleGroupMapping = true
PublisherRoleMapping = ...
AdministratorRoleMapping = ...
[OAuth2]
RequireUsernameClaim = true
GroupsAutoProvision = true
GroupsClaim = ...

Thanks