diff --git a/openid_connect.api.php b/openid_connect.api.php
index 78a658a..cb218bc 100644
--- a/openid_connect.api.php
+++ b/openid_connect.api.php
@@ -11,6 +11,32 @@
  */
 
 /**
+ * Perform an action before user is logged into Drupal.
+ *
+ * @param array $tokens
+ *   ID token and access token that we received as a result of the OpenID
+ *   Connect flow.
+ * @param object $account
+ *   The user account if it exists, false if not.
+ * @param array $userinfo
+ *   The user claims returned by the OpenID Connect provider.
+ * @param string $client_name
+ *   The machine name of the OpenID Connect client plugin.
+ *
+ * @return bool
+ *   TRUE if user should be logged into Drupal. FALSE if not.
+ */
+function hook_openid_connect_pre_login($tokens, $account, $userinfo, $client_name) {
+  $allowed_users = array('user1@example.com', 'user2@example.com');
+  // Allow only specific users to log in.
+  if (in_array($userinfo['email'], $allowed_users)) {
+    return TRUE;
+  }
+
+  // Block all others.
+  return FALSE;
+}
+/**
  * Perform an action after a successful authorization.
  *
  * @param array $tokens
diff --git a/openid_connect.module b/openid_connect.module
index 86ca4b9..e35e658 100644
--- a/openid_connect.module
+++ b/openid_connect.module
@@ -799,6 +799,14 @@ function openid_connect_complete_authorization($client, $tokens, &$destination)
   }
 
   $account = openid_connect_user_load_by_sub($sub, $client->getName());
+  $results = module_invoke_all('openid_connect_pre_login', $tokens, $account, $userinfo, $client->getName());
+
+  // Deny access if any module returns FALSE.
+  if (in_array(FALSE, $results, TRUE)) {
+    watchdog('openid_connect', 'Login denied for @email via pre-login hook.', array('@email' => $userinfo['email']), WATCHDOG_ERROR);
+    return FALSE;
+  }
+
   if ($account) {
     // An existing account was found. Save user claims.
     if (variable_get('openid_connect_always_save_userinfo', TRUE)) {
@@ -861,6 +869,14 @@ function openid_connect_connect_current_user($client, $tokens) {
   }
 
   $account = openid_connect_user_load_by_sub($sub, $client->getName());
+  $results = module_invoke_all('openid_connect_pre_login', $tokens, $account, $userinfo, $client->getName());
+
+  // Deny access if any module returns FALSE.
+  if (in_array(FALSE, $results, TRUE)) {
+    watchdog('openid_connect', 'Login denied for @email via pre-login hook.', array('@email' => $userinfo['email']), WATCHDOG_ERROR);
+    return FALSE;
+  }
+
   if ($account && $account->uid !== $user->uid) {
     drupal_set_message(t('Another user is already connected to this @provider account.', $provider_param), 'error');