Matthew Swift says: (http://sources.forgerock.org/cru/CR-7428#c88341)
As a user I would still like to be able to type in my gmail.com address even if Google don't support discovery and registration. The same applies to other common providers. I suggest that we support these use cases by allowing administrators to configure static client registrations for providers like Google and then use pattern matching to resolve the provider, e.g.:
- "*@google.com" -> use Google OIDC
- "*@yahoo.com" -> use Yahoo OIDC
- "*" -> use discovery.
Note that OIDC auth allows clients to provide "hints" in order to bypass some authentication steps. In particular, if a user types in their GMail email address then, not only can we determine that we should use Google, but we can also pass in the GMail address as a hint in order to skip the step where Google asks the user to select an account and/or type in their email address.
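One way to implement the ordered pattern rules and the login_hint described in this comment, as an added Python example that is not code from the review or from the ForgeRock project; the provider endpoints, client ids and rule table are constructed placeholders.

```python
import fnmatch
import re
from urllib.parse import urlencode

# Constructed example data, not real configuration. Statically registered
# providers by name; a rule whose provider is None means "use discovery".
STATIC_PROVIDERS = {
    "google": {"authz": "https://google-idp.example/authorize", "client_id": "client-google-123"},
    "yahoo": {"authz": "https://yahoo-idp.example/authorize", "client_id": "client-yahoo-456"},
}
# Ordered rules; the first match wins, so the catch-all "*" must come last.
EMAIL_RULES = [
    ("*@gmail.com", "google"),
    ("*@google.com", "google"),
    ("*@yahoo.com", "yahoo"),
    ("*", None),
]
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_provider(email, rules=EMAIL_RULES):
    """Map a typed address to a static provider name, or None for discovery.
    Rejects input that is not shaped like a single address so arbitrary strings
    never reach the glob matcher; matching is case-insensitive on the whole
    address, so "x@gmail.com.other.example" does not match "*@gmail.com"."""
    email = email.strip().lower()
    if not _EMAIL_RE.match(email):
        raise ValueError("not an email address")
    for pattern, provider in rules:
        if fnmatch.fnmatchcase(email, pattern):
            return provider
    return None


def build_authorization_url(email, redirect_uri, state, nonce, providers=STATIC_PROVIDERS):
    """Build the authorization request for a statically registered provider,
    passing the typed address as login_hint so the IdP can skip account selection.
    Returns None when the address resolves to discovery. login_hint is only a
    hint: the authenticated identity is the email claim in the returned ID token,
    which the relying party must compare against the hint after the callback."""
    name = resolve_provider(email)
    if name is None:
        return None
    p = providers[name]
    params = {
        "response_type": "code", "scope": "openid email", "client_id": p["client_id"],
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "login_hint": email.strip().lower(),
    }
    return p["authz"] + "?" + urlencode(params)
```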