Whitelist email domains per connector #3402

Open
lennartack opened this issue Mar 6, 2024 · 1 comment

Comments

@lennartack

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

When we have multiple connectors we sometimes want to restrict the email claims that each connector is allowed to make. For example, suppose you have a connector for a company example.com and a company example.net. You don't want admins of example.com to be able to impersonate users from example.net.

This was worked on before (#66) but unfortunately abandoned.

Proposed Solution

Add an option to each connector type to give a whitelist of allowed email domains. For example:

connectors:
- type: oidc
  id: example
  name: Example
  config:
    issuer: https://example.com
    emailDomains:
    - example.com
    - example.org

Alternatives Considered

No response

Additional Information

If you are interested in this feature we are willing to create a pull request. However, I don't quite understand why the previous project was abandoned so I'd like to know what the issues are first.
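An added example of the per-connector domain allowlist the proposal above describes, written by the editor rather than taken from Dex or from the issue author. The `ConnectorPolicy` type, the `emailDomain` helper, and the placement of the check (run on the identity a connector returns, before any token is issued) are assumptions made for illustration. It also shows the pitfall a practitioner wants to avoid: a naive suffix match on the raw address lets `alice@evilexample.com` through an allowlist for `example.com`, while comparing the whole domain label does not.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ConnectorPolicy mirrors the proposed emailDomains option: the allowlist a
// connector's asserted email addresses must fall into. (Hypothetical type,
// not part of Dex.) An empty list means the connector is unrestricted.
type ConnectorPolicy struct {
	ID           string
	EmailDomains []string
}

// ErrEmailNotAllowed is returned when a connector asserts an email outside
// its allowlist; callers can test for it with errors.Is.
var ErrEmailNotAllowed = errors.New("email domain not allowed for this connector")

// normalizeDomain lower-cases a domain and drops a trailing root dot so that
// "EXAMPLE.COM." and "example.com" compare equal.
func normalizeDomain(d string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(d), "."))
}

// emailDomain returns the normalized domain part of an address (everything
// after the last '@'), or "" when the address has no usable domain.
func emailDomain(email string) string {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return ""
	}
	return normalizeDomain(email[at+1:])
}

// Allowed reports whether connector p may assert the given email. The match
// is on the complete domain: "example.com" admits alice@example.com but
// rejects alice@evilexample.com and alice@mail.example.com (subdomains must
// be listed explicitly if they are meant to be trusted).
func (p ConnectorPolicy) Allowed(email string) error {
	if len(p.EmailDomains) == 0 {
		return nil // no allowlist configured for this connector
	}
	dom := emailDomain(email)
	if dom == "" {
		return fmt.Errorf("%w: %q has no domain part", ErrEmailNotAllowed, email)
	}
	for _, d := range p.EmailDomains {
		if dom == normalizeDomain(d) {
			return nil
		}
	}
	return fmt.Errorf("%w: connector %q asserted %q", ErrEmailNotAllowed, p.ID, email)
}

// naiveAllowed is the tempting but wrong implementation: a suffix check on
// the raw address. It is kept here only to show why Allowed compares the
// whole domain label; do not use it.
func naiveAllowed(email string, domains []string) bool {
	for _, d := range domains {
		if strings.HasSuffix(strings.ToLower(email), strings.ToLower(d)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample policy, matching the connector in the proposal.
	p := ConnectorPolicy{ID: "example", EmailDomains: []string{"example.com", "example.org"}}

	for _, email := range []string{
		"alice@example.com",      // allowed
		"Alice@EXAMPLE.ORG",      // allowed: domains compare case-insensitively
		"alice@example.net",      // rejected: other company's domain
		"alice@evilexample.com",  // rejected here, but accepted by naiveAllowed
		"alice@mail.example.com", // rejected: subdomain not listed
		"alice",                  // rejected: no domain part
	} {
		err := p.Allowed(email)
		fmt.Printf("%-26s exact=%v naive=%v\n", email, err == nil, naiveAllowed(email, p.EmailDomains))
	}
}
```

The difference between the two functions is the whole security point of the proposal: the allowlist exists to stop one connector's administrators from minting identities in another organisation's domain, so any match that accepts a domain merely ending in the listed string defeats it.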

@nabokihms
Member

Hello! The issue is still valid, but the desired approach to fix this is to add claim validations for tokens (that can be attached to clients). I'm thinking of integration with some expression language for this, e.g., CEL or Rego.
