New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CILogon] Stripping domains only for case of single allowed domain? #368
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
See the discussion on the original PR #145
|
Ah - thanks - I knew there was a good reason, it's just I hadn't seen it. But how about my suggestion of allowing a list for |
I think it only makes sense in aliases for the 'same' domains, so maybe we should handle this in the normalize_username step? or a specific dedicated 'aliases' config for mapping multiple idps known to share a user namespace to a single key? class MyAuthenticator(CILogonOAuthenticator):
def normalize_username(self, username):
email = username.lower()
just_name, _, domain = email.partition("@")
if domain in {'bham.ac.uk', 'student.bham.ac.uk'}:
return just_name
else:
return email I've no particular objection to adding an opt-in list of domains to be stripped, with a warning about the possibility of collisions if the length is greater than 1. It's explicit and solves a known problem. |
We actually ran into this as well, i was wondering if maybe we can add a section called
this would allow me to specify that "bham.ac.uk" can be spelled multiple ways. |
This is just asking for the reasoning behind the logic at https://github.com/jupyterhub/oauthenticator/blob/master/oauthenticator/cilogon.py#L206.
In the CILogon authenticator, you can specify allowed identity provider suffixes in
allowed_idps
- in my case these will be['bham.ac.uk', 'student.bham.ac.uk']
.You can also specify
strip_idp_domain
, which will strip the username from (e.g. in my case)m.brett@bham.ac.uk
to justm.brett
. This is what I want.But the logic specifies that I can only
strip_idp_domain
if I have exactly one entry inallowed_idps
. Why is that a requirement? It's a problem in my case, because I must allow two suffixes to allow for staff and students, but I want the bare username e.g. "m.brett" rather than "m.brett@bham.ac.uk".Maybe
strip_idp_domain
could also also allow a list of domains that should be stripped?The text was updated successfully, but these errors were encountered: