I think the name allowed_idps causes some confusion in oauthenticator v16, and that it should be non-breakingly renamed to just idps with a deprecation warning for users still using the allowed_idps name.
With a name like idps, there is no hint about users from a specific ipd would be allowed or simiarly. Configuring idps is about describing what users we can authenticate/recognize, while allowed refers to what users we authorize/allow. Since configuring an idp to be used to authenticate a user doesn't go hand in hand with authorizing a user, I think it should be renamed for clarity.
Together with the proposal in #682, the config for CILogon that is associated with authorizing users then become the following:
I think the name
allowed_idpscauses some confusion in oauthenticator v16, and that it should be non-breakingly renamed to justidpswith a deprecation warning for users still using theallowed_idpsname.With a name like
idps, there is no hint about users from a specific ipd would be allowed or simiarly. Configuring idps is about describing what users we can authenticate/recognize, whileallowedrefers to what users we authorize/allow. Since configuring an idp to be used to authenticate a user doesn't go hand in hand with authorizing a user, I think it should be renamed for clarity.Together with the proposal in #682, the config for CILogon that is associated with authorizing users then become the following:
OAuthenticator.allow_allOAuthenticator.allowed_usersOAuthenticator.admin_usersOAuthenticator.allow_existing_usersCILogonOAuthenticator.idps[<some idp>].allowed_domainsCILogonOAuthenticator.idps[<some idp>].allow_allProposal
Rename
allowed_idpstoidps, makingallowed_idpsstill work as an alias foridps, but come with a deprecation warning.