option to disable email login, either globally or per user #3136

Closed
snarfed opened this issue Aug 5, 2016 · 15 comments
Labels
Administration/Auth Google Auth, LDAP, pw+email login Type:New Feature

Comments

@snarfed

snarfed commented Aug 5, 2016

mostly applies to instances with existing users that then turn on google SSO. originally mentioned here.

thanks in advance! we're already loving google SSO.


@23ranjan

23ranjan commented Nov 15, 2017

Any idea when this is going to be released?

@drewB

drewB commented Mar 20, 2018

I am a big fan of this request. It kind of defeats the purpose of using google for MFA if you can still sign in with a simple username and password.

@jwhitcraft

This is huge for security, is there any update on this?

@flamber
Contributor

flamber commented Jun 11, 2019

You can block requests to /api/session, since that's where regular logins are handled, whereas Google SSO is done via /api/session/google_auth - any negative side effects, I don't know.
On Nginx you would add the following before location / { ... } - I have not tested this, so you might need to adjust/test yourself:

location = /api/session {
  limit_except DELETE {
    return 404;
    break;
  }
}

@jwhitcraft

@flamber thanks for posting the workaround, in AWS land I just added a rule to the load balancer to 404 that path and it worked great.

@kikocastro

Hi guys,

Do you know how @flamber's solution can be achieved on a Heroku-hosted Metabase instance?

@salsakran
Contributor

This is part of our enterprise Auth offering. Closing since this gets into "a million knobs" territory on the OSS side

@Zhann

Zhann commented Sep 1, 2020

> You can block requests to /api/session, since that's where regular logins are handled, whereas Google SSO is done via /api/session/google_auth - any negative side effects, I don't know.

as for side effects, we tried this, and it gave us warnings that we didn't have sufficient permissions, viewing the main page.

@jonathanrhodes

> You can block requests to /api/session, since that's where regular logins are handled, whereas Google SSO is done via /api/session/google_auth - any negative side effects, I don't know.

Tried this today and it did effectively block password login...but if you block the whole path then it also seems to block logout, which appears to be implemented as DELETE /api/session.

@tamvm

tamvm commented Jan 18, 2022

For those who don't use nginx, we can create a firewall rule on Cloudflare and block the exact URL /api/session

@YouveGotMeowxy

> You can block requests to /api/session, since that's where regular logins are handled, whereas Google SSO is done via /api/session/google_auth - any negative side effects, I don't know. On Nginx you would add the following before location / { ... } - I have not tested this, so you might need to adjust/test yourself:
>
> location = /api/session {
>   limit_except DELETE {
>     return 404;
>     break;
>   }
> }

I get this error when trying that block:

nginx: [emerg] "return" directive is not allowed here in /config/nginx/proxy-confs/dashboard.subdomain.conf:20

I'm trying to use Authelia for my credential handling and would like to disable the native login handling; has anyone figured out how to do this yet?

@meyerovb

Why is this closed? The workaround isn't a stable or acceptable solution.

@paoliniluis
Contributor

@meyerovb this is a feature in the product (global feature)

@fedeisas

fedeisas commented Aug 2, 2023

> > You can block requests to /api/session, since that's where regular logins are handled, whereas Google SSO is done via /api/session/google_auth - any negative side effects, I don't know. On Nginx you would add the following before location / { ... } - I have not tested this, so you might need to adjust/test yourself:
> >
> > location = /api/session {
> >   limit_except DELETE {
> >     return 404;
> >     break;
> >   }
> > }
>
> I get this error when trying that block:
>
> nginx: [emerg] "return" directive is not allowed here in /config/nginx/proxy-confs/dashboard.subdomain.conf:20
>
> I'm trying to use Authelia for my credential handling and would like to disable the native login handling; has anyone figured out how to do this yet?

I'm using:

location = /api/session {
  # Logout is DELETE /api/session, so only that method is passed through.
  if ($request_method != 'DELETE') {
    add_header Content-Type application/json always;
    return 401 '{"errors":{"password":"Password authentication is disabled."}}';
  }

  proxy_pass ....
}
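
A way to check a deployed rule against the three behaviours raised in this thread (password login blocked, logout via DELETE still working, the Google SSO path still reachable), as an added example that is not part of the thread or of Metabase's code. The names `probe`, `audit`, `start_stub`, the `BLOCKED` status set and the local stub server are assumptions made for illustration; it also assumes the backend itself does not answer these probes with 401, 403 or 404.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# (method, path, must_be_blocked): the three behaviours raised in the thread.
CHECKS = [
    ("POST", "/api/session", True),               # email/password login
    ("DELETE", "/api/session", False),            # logout has to keep working
    ("POST", "/api/session/google_auth", False),  # Google SSO has to keep working
]
BLOCKED = {401, 403, 404}  # assumption: statuses a blocking rule answers with
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxy

def probe(base_url, method, path):
    """Send one request and return its HTTP status, error statuses included."""
    body = b"{}" if method == "POST" else None
    req = urllib.request.Request(base_url + path, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url):
    """Return (method, path, status) for every check the deployment fails."""
    seen = [(m, p, probe(base_url, m, p), want) for m, p, want in CHECKS]
    return [(m, p, s) for m, p, s, want in seen if (s in BLOCKED) != want]

def start_stub(block_logout):
    """Constructed stand-in for proxy plus backend, so the audit runs offline."""
    class Stub(BaseHTTPRequestHandler):
        def handle_any(self):
            self.rfile.read(int(self.headers.get("Content-Length") or 0))
            blocked = self.path == "/api/session" and (self.command != "DELETE" or block_logout)
            self.send_response(404 if blocked else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_POST = do_DELETE = handle_any
        def log_message(self, *args): pass  # keep the demo quiet
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    for block_logout in (True, False):  # whole-path block vs. method-aware rule
        server, url = start_stub(block_logout)
        print("block_logout=%s failed checks: %s" % (block_logout, audit(url)))
        server.shutdown()
```

Pointing `audit()` at the proxy's base URL instead of the stub runs the same three checks against a real deployment.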

@meyerovb

meyerovb commented Aug 2, 2023

> I'm trying to use Authelia for my credential handling and would like to disable the native login handling; has anyone figured out how to do this yet?

thx for the recommendation on url blocking. To use a non google oauth provider on free metabase set up google cloud identity with passthrough oauth to your provider. I made it work with azure accounts just fine. U probably need a domain and a single paid google account but that’s it. U get 50 free cloud identities but can just ask for more. They upped me to 1k, but we also pay a lot for google translate so there’s that…
