Disable local users for a smooth single-idp mode (#5226)

Add LocalAuthDisabled option to embedded IdP configuration This adds the ability to disable local (email/password) authentication when using the embedded Dex identity provider. When disabled, users can only authenticate via external identity providers (Google, OIDC, etc.). This simplifies user login when there is only one external IdP configured. The login page will redirect directly to the IdP login page. Key changes: Added LocalAuthDisabled field to EmbeddedIdPConfig Added methods to check and toggle local auth: IsLocalAuthEnabled, HasNonLocalConnectors, DisableLocalAuth, EnableLocalAuth Validation prevents disabling local auth if no external connectors are configured Existing local users are preserved when disabled and can login again when re-enabled Operations are idempotent (disabling already disabled is a no-op)
2026-04-19 00:36:38 +00:00 · 2026-02-01 14:26:22 +01:00
parent 0c990ab662
commit 3a0cf230a1
17 changed files with 450 additions and 22 deletions
--- a/management/server/http/handlers/users/invites_handler_test.go
+++ b/management/server/http/handlers/users/invites_handler_test.go
@@ -205,6 +205,14 @@ func TestCreateInvite(t *testing.T) {
 				return nil, status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 			},
 		},
+		{
+			name:           "local auth disabled",
+			requestBody:    `{"email":"test@example.com","name":"Test User","role":"user","auto_groups":[]}`,
+			expectedStatus: http.StatusPreconditionFailed,
+			mockFunc: func(ctx context.Context, accountID, initiatorUserID string, invite *types.UserInfo, expiresIn int) (*types.UserInvite, error) {
+				return nil, status.Errorf(status.PreconditionFailed, "local user creation is disabled - use an external identity provider")
+			},
+		},
 		{
 			name:           "invalid JSON",
 			requestBody:    `{invalid json}`,
@@ -376,6 +384,15 @@ func TestAcceptInvite(t *testing.T) {
 				return status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 			},
 		},
+		{
+			name:           "local auth disabled",
+			token:          testInviteToken,
+			requestBody:    `{"password":"SecurePass123!"}`,
+			expectedStatus: http.StatusPreconditionFailed,
+			mockFunc: func(ctx context.Context, token, password string) error {
+				return status.Errorf(status.PreconditionFailed, "local user creation is disabled - use an external identity provider")
+			},
+		},
 		{
 			name:           "missing token",
 			token:          "",