You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Using CILogonOAuthenticator, you configure access to one or more identity providers (idps). That makes it an odd authenticator class among the other classes in this project.
In 15.1.0, we could have idp config like below:
CILogonOAuthenticator:
allowed_idps:
# google accountshttp://google.com/accounts/o8/id:
username_derivation:
username_claim: "email"allowed_domains: ["google-allowed.org"]# microsoft accountshttp://login.microsoftonline.com/common/oauth2/v2.0/authorize:
username_derivation:
username_claim: "email"
Assuming the goal was to allow all microsoft accounts, but only the google accounts with an email domain of "google-allowed.org", then this config in oauth v15 made it happen.
In v16, this is not something we can configure any more. While access would be granted correctly to google accounts with domains explicitly allowed, oauth v16 would no longer allow the microsoft accounts. For other oauthenticators this was resolved by adding the allow_all config to explicitly allow all users. In this case though, configuring allow_all would allow both google users and microsoft users, even though we only wanted to allow all microsoft users.
Proposal
We add an allow_all option for individual IDPs as well.
The text was updated successfully, but these errors were encountered:
consideRatio
changed the title
[CILogon] How to authorize all users of one idp but not another?
[CILogon] How to authorize all users of one idp but not another - add idp specific allow_all config?
Sep 20, 2023
Using CILogonOAuthenticator, you configure access to one or more identity providers (idps). That makes it an odd authenticator class among the other classes in this project.
In 15.1.0, we could have idp config like below:
Assuming the goal was to allow all microsoft accounts, but only the google accounts with an email domain of "google-allowed.org", then this config in oauth v15 made it happen.
In v16, this is not something we can configure any more. While access would be granted correctly to google accounts with domains explicitly allowed, oauth v16 would no longer allow the microsoft accounts. For other oauthenticators this was resolved by adding the
allow_all
config to explicitly allow all users. In this case though, configuringallow_all
would allow both google users and microsoft users, even though we only wanted to allow all microsoft users.Proposal
allow_all
option for individual IDPs as well.The text was updated successfully, but these errors were encountered: