Restrict the IDPs that are allowed by CILogon to login to this instance

[alukach]

We restrict the IDPs that are allowed by CILogon to login to this instance. Based on https://cilogon.org/idplist/, I suggest ORCID, GitHub, University of Toronto (because I (Yuvi) have login credentials) and possibly one other university where someone else in the team has login credentials (Georgia Tech?)

[alukach]

Reached out to CILogon.

Question:

Is it possible to configure CILogon to limit access to my application to users from a subset of the supported IdPs? Or is that a task that is to be performed by my application by examining the access token returned by CILogon?

Answer:

Limiting access to a subset of IdPs is a feature available to CILogon subscribers at the “Essential Service” level and higher. See https://www.cilogon.org/subscribe for information about CILogon subscription levels.

For “Basic Authentication” clients, you can check the “idp” claim or “idp_name” claim which are returned when requesting the “org.cilogon.userinfo” scope. See https://www.cilogon.org/oidc#h.p_PEQXL8QUjsQm for details.

Will work towards Basic Authentication solution.