From significant usage of CILogonOAuthenticator with 2i2c at https://github.com/2i2c-org/infrastructure, we've found that a quite common need is to declare that "all domains matching a certain pattern" is relevant to match against. For example, all domains ending with `.edu`.

If we want, we could make `allowed_domains` more flexible, and support this in a non-breaking way by code like this in `CILogonOAuthenticator.check_allowed`:

```python
from fnmatch import fnmatch

for ad in idp_allowed_domains:
    # fnmatch allows us to use wildcards like * and ?, but
    # not the full regex. For simple domain matching this is
    # good enough. If we were to use regexes instead, people
    # will have to escape all their '.'s, and since that is
    # actually going to match 'any character' it is a
    # possible security hole. For details see
    # https://docs.python.org/3/library/fnmatch.html.
    if fnmatch(email_domain, ad):
        return True
```
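
An added example (not code from the issue or from oauthenticator) that runs the proposed fnmatch-style matching over constructed domains, next to the regex alternative the comment warns about. `domain_allowed` and `regex_allowed` are hypothetical helper names, and lowercasing both sides is an assumption of this sketch.

```python
import re
from fnmatch import fnmatchcase


def domain_allowed(email_domain, allowed_domains):
    """Hypothetical helper: True if the domain matches any glob pattern."""
    # Domain names are case-insensitive. Lowercase both sides and use
    # fnmatchcase(), since plain fnmatch() only normalises case on
    # platforms where os.path.normcase() does (e.g. Windows).
    domain = email_domain.strip().lower()
    return any(fnmatchcase(domain, pattern.lower()) for pattern in allowed_domains)


def regex_allowed(email_domain, patterns):
    """Regex alternative, for comparison: an unescaped '.' matches any character."""
    return any(re.fullmatch(p, email_domain.lower()) for p in patterns)


# Constructed sample inputs: (email domain, pattern list).
CASES = [
    ("berkeley.edu", ["berkeley.edu"]),        # exact entry still works (non-breaking)
    ("cs.berkeley.edu", ["*.edu"]),            # '*' also spans dots, so subdomains match
    ("Berkeley.EDU", ["*.edu"]),               # case is normalised
    ("edu.example.com", ["*.edu"]),            # match is anchored at both ends
    ("berkeley.edu", ["*.berkeley.edu"]),      # the leading '.' excludes the apex domain
    ("notberkeley.edu", ["*berkeley.edu"]),    # no leading '.': unrelated domain matches
    ("notberkeley.edu", ["berkeley.edu", "*.berkeley.edu"]),  # tight form rejects it
]

if __name__ == "__main__":
    for domain, patterns in CASES:
        print(f"{domain!r:22} {patterns!r:40} -> {domain_allowed(domain, patterns)}")
    # The same unescaped string behaves differently as a regex and as a glob.
    print("regex:", regex_allowed("berkeleyxedu", ["berkeley.edu"]))
    print("glob: ", domain_allowed("berkeleyxedu", ["berkeley.edu"]))
```

Listing the apex domain and `*.` plus the domain as two separate entries keeps a pattern from matching unrelated domains that merely end in the same characters.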