All right, I'll just post my solution here, maybe for someone else interested. My goal was to allow certain users (authenticated via oauth2 and with email address from ertain domain) to access course without participation - read only. I've created a special role which is assigned to every user which meets the above criteria on his/her login. The issue here is that we also allow registering external users and we don't want them to see these courses.
This role has no special capabilities - it has no capabilities at all - it's just to mark a user as approved to access course without participation. Then, on the course/category level a 'moodle/course:view' capability is allowed for this role. This way you can easily grant access to users with this special role to a course/category.
I've automated things a little bit more - added a custom checkbox course field (isvisibletoauthorized) which can be set by teachers when editing course preferences. When a course is saved (on event) this capability is automatically allowed/prevented for the role. This way, a regular teacher can decide whether a course will be opened for all our students or just those participating.
This role has no special capabilities - it has no capabilities at all - it's just to mark a user as approved to access course without participation. Then, on the course/category level a 'moodle/course:view' capability is allowed for this role. This way you can easily grant access to users with this special role to a course/category.
I've automated things a little bit more - added a custom checkbox course field (isvisibletoauthorized) which can be set by teachers when editing course preferences. When a course is saved (on event) this capability is automatically allowed/prevented for the role. This way, a regular teacher can decide whether a course will be opened for all our students or just those participating.