
Proposal: Option to disable internal auth/register and only allow external authClient #178

@Kiina


I'd like to suggest a new option to only let users log in via one of the identity providers defined in authClientCollection.

Why?

Easier and more secure management. When I force my users to log in via GitLab only, for example, I can force all GitLab users to use 2FA or other things, increasing the overall security. Also, it makes it easier to restrict access and eases password management.
When someone leaves my project, I don't have to remove the account in 20 different places. I can just restrict his GitLab login, and OAuth to all connected sites won't work anymore. Instead of running the risk that someone reuses his password, I can make sure only a strong password + 2FA is used in my identity provider.

Possible Issues

The plugins might not work well with OAuth. I haven't tested this yet, so maybe it's not a problem. The API allows OAuth, so it shouldn't be too much of an issue.
