-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove password and 2fa options for sso controlled users #603
Conversation
@@ -763,6 +763,11 @@ public function removeOAuth2UserConsent(OAuth2UserConsent $oAuth2UserConsent): s | |||
return $this; | |||
} | |||
|
|||
public function isSsoControlled(): bool | |||
{ | |||
return $this->oauthGithubId || $this->oauthGoogleId || $this->oauthFacebookId || $this->oauthKeycloakId || $this->oauthZitadelId; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is obviously prone to getting out of date if new identity providers are added. Not sure if there's a better way, or maybe can think of one later. We could add a column on user that they are sso controlled, but that means we have to be sure to set it to true every time a new provider is added which is also possible to mess up, but perhaps less likely
Dang, I clearly got it wrong in the issue. I assume that means it's impossible to update an SSO controlled users email, as obviously there's no current password for them to use. I suppose I'll keep the page, but remove the form to update it, so you can see your current email value. If it ever changes upstream (downstream?) it won't update here, but at least users will be able to see that and potentially ask an admin to fix it until we have a way to resync with the SSO provider somehow |
Is your comment about deleting / tombstoning the account, or the fact that it requires current password (and thus isn't currently possible)? |
The latter, without a password its not possible for an SSO user to delete their account now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SSO user delete seems like it's going to require a much bigger PR to address, so I'll approve this one as is since it's out of scope from the original intent.
Remove the password and 2fa setting options for users that have oauth configured
If the user attempts to access the password / 2fa pages manually, gets a 403 access denied response
2fa remove/disable is still allowed in code, so admins should still be able to remove 2fa if for some reason it was or gets enabled, but enabling is not allowed
Fixes #576