I think it would be useful to have a way to only allow registration (and perhaps login too?) if a certain OIDC claim is returned by the IdP.
Claims usually vary depending on the IdP and its configuration, so there's no standard way to do it; Forgejo for example does it by allowing the administrator to enter both the claim name to check, and the value that it should have to pass the check.
I believe it would be very useful for organizations managing Tranquil PDS via their own OIDC-compatible IdP, as it would allow them to limit which users can access Tranquil, for example for doing a slow roll-out, or for temporarily restricting a specific user.
Additionally, it would be nice to have the same functionality, but to automatically detect which users should be considered Tranquil administrators and have access to the Admin Panel: other services do that check on each OIDC login and update the value accordingly, so perhaps Tranquil could behave in the same way?
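
The claim gate described in the request above, sketched as an added example that is not part of the original post and is not Tranquil's or Forgejo's code. `ClaimRule`, `evaluate_login` and the `groups` values are hypothetical names, and the claims are assumed to come from an ID token whose signature, issuer and audience have already been validated.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional

@dataclass(frozen=True)
class ClaimRule:
    """Hypothetical admin-configured rule: claim name plus the value it must contain."""
    claim: str
    value: str

def claim_values(claims: Mapping[str, Any], name: str) -> set[str]:
    """Normalise a claim to a set of strings; IdPs may send a string, a list or a bool."""
    raw = claims.get(name)
    if raw is None:
        return set()
    if isinstance(raw, bool):
        return {"true" if raw else "false"}
    if isinstance(raw, (str, int)):
        return {str(raw)}
    if isinstance(raw, (list, tuple)):
        return {str(v) for v in raw
                if isinstance(v, (str, int)) and not isinstance(v, bool)}
    return set()  # nested objects and other types never match: fail closed

def matches(claims: Mapping[str, Any], rule: Optional[ClaimRule]) -> bool:
    # Exact membership, not substring: "pds-users-pending" must not satisfy "pds-users".
    return rule is not None and rule.value in claim_values(claims, rule.claim)

@dataclass
class Decision:
    allowed: bool
    is_admin: bool

def evaluate_login(claims: Mapping[str, Any],
                   access_rule: Optional[ClaimRule],
                   admin_rule: Optional[ClaimRule]) -> Decision:
    """Run on every OIDC login (and registration) with validated ID token claims."""
    # No access rule configured means the gate is off; a configured rule must match.
    allowed = access_rule is None or matches(claims, access_rule)
    # Admin is re-derived on each login, so removing the claim at the IdP revokes it.
    is_admin = allowed and matches(claims, admin_rule)
    return Decision(allowed, is_admin)

# Constructed sample rules and claims (not from any real IdP).
ACCESS = ClaimRule("groups", "pds-users")
ADMIN = ClaimRule("groups", "pds-admins")
ALICE = {"sub": "alice", "groups": ["pds-users", "pds-admins"]}
BOB = {"sub": "bob", "groups": "pds-users"}
CAROL = {"sub": "carol", "groups": ["pds-users-pending"]}
```

Because the admin flag is recomputed from the current token rather than stored once, a stale local admin bit cannot outlive the change at the IdP beyond the user's next login.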