I think the name allowed_idps causes some confusion in oauthenticator v16, and that it should be non-breakingly renamed to just idps with a deprecation warning for users still using the allowed_idps name.
With a name like idps, there is no hint about users from a specific ipd would be allowed or simiarly. Configuring idps is about describing what users we can authenticate/recognize, while allowed refers to what users we authorize/allow. Since configuring an idp to be used to authenticate a user doesn't go hand in hand with authorizing a user, I think it should be renamed for clarity.
Together with the proposal in #682, the config for CILogon that is associated with authorizing users then become the following:
I think the name
allowed_idps
causes some confusion in oauthenticator v16, and that it should be non-breakingly renamed to justidps
with a deprecation warning for users still using theallowed_idps
name.With a name like
idps
, there is no hint about users from a specific ipd would be allowed or simiarly. Configuring idps is about describing what users we can authenticate/recognize, whileallowed
refers to what users we authorize/allow. Since configuring an idp to be used to authenticate a user doesn't go hand in hand with authorizing a user, I think it should be renamed for clarity.Together with the proposal in #682, the config for CILogon that is associated with authorizing users then become the following:
OAuthenticator.allow_all
OAuthenticator.allowed_users
OAuthenticator.admin_users
OAuthenticator.allow_existing_users
CILogonOAuthenticator.idps[<some idp>].allowed_domains
CILogonOAuthenticator.idps[<some idp>].allow_all
Proposal
Rename
allowed_idps
toidps
, makingallowed_idps
still work as an alias foridps
, but come with a deprecation warning.