Oauth2_client ENABLE_AUTO_REGISTRATION configuration

HI,

I want to use only SSO/oauth2 from google for authentication: no gitea local accounts, no anonymous external users, only new users which are in my google oauth2 organization, just sign in to gitea using google account.
I suppose [oauth2_client] ENABLE_AUTO_REGISTRATION is just for this purpose.
But it does not work. Maybe you have ideas?
My config:

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true

[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
USERNAME = email
ACCOUNT_LINKING = auto