Authentication system support for non-LDAP user data

Would it cause problems for any site if we required that either LDAP or GitHub be used for user metadata for users of a Phalanx-based science platform?

Background: The user authentication system for Phalanx currently supports retrieving metadata about the user (name, email address, group membership, and numeric UID and GID) from one of three places: GitHub, if GitHub is used for authentication; the OpenID Connect id token; or an LDAP server. See DMTN-225 for more details.

Currently, so far as I am aware, every deployment is now using or soon will be using either GitHub or LDAP. Getting data from the OpenID Connect token has had a lot of problems in practice: Keycloak cannot provide supplemental GIDs (required for the Notebook Aspect), group membership information may get out of date, and user metadata is not updated dynamically when the user changes it.

If support for OpenID Connect without LDAP is not used, I’d like to remove it to simplify the source code. There are a lot of conditionals that could be streamlined and the documentation for configuring Gafaelfawr would be simpler.

Having heard no objections, we are going to proceed with dropping the OpenID Connect id token as a source of user metadata for the reasons described above.