Disable local users for a smooth single-idp mode (#5226)

Add LocalAuthDisabled option to embedded IdP configuration

This adds the ability to disable local (email/password) authentication when using the embedded Dex identity provider. When disabled, users can only authenticate via external
identity providers (Google, OIDC, etc.).

This simplifies user login when there is only one external IdP configured. The login page will redirect directly to the IdP login page.

Key changes:

Added LocalAuthDisabled field to EmbeddedIdPConfig
Added methods to check and toggle local auth: IsLocalAuthEnabled, HasNonLocalConnectors, DisableLocalAuth, EnableLocalAuth
Validation prevents disabling local auth if no external connectors are configured
Existing local users are preserved when disabled and can login again when re-enabled
Operations are idempotent (disabling already disabled is a no-op)

management/server/idp/embedded_test.go

@@ -370,3 +370,234 @@ func TestEmbeddedIdPManager_GetLocalKeysLocation(t *testing.T) {
 		})
 	}
 }
+
+func TestEmbeddedIdPManager_LocalAuthDisabled(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("cannot start with local auth disabled without other connectors", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		config := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: filepath.Join(tmpDir, "dex.db"),
+				},
+			},
+		}
+
+		_, err = NewEmbeddedIdPManager(ctx, config, nil)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "no other identity providers configured")
+	})
+
+	t.Run("local auth enabled by default", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		config := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: filepath.Join(tmpDir, "dex.db"),
+				},
+			},
+		}
+
+		manager, err := NewEmbeddedIdPManager(ctx, config, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager.Stop(ctx) }()
+
+		// Verify local auth is enabled by default
+		assert.False(t, manager.IsLocalAuthDisabled())
+	})
+
+	t.Run("start with local auth disabled when connector exists", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		dbFile := filepath.Join(tmpDir, "dex.db")
+
+		// First, create a manager with local auth enabled and add a connector
+		config1 := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
+		require.NoError(t, err)
+
+		// Create a user
+		userData, err := manager1.CreateUser(ctx, "preserved@example.com", "Preserved User", "account1", "admin@example.com")
+		require.NoError(t, err)
+		userID := userData.ID
+
+		// Add an external connector (Google doesn't require OIDC discovery)
+		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
+			ID:           "google-test",
+			Name:         "Google Test",
+			Type:         "google",
+			ClientID:     "test-client-id",
+			ClientSecret: "test-client-secret",
+		})
+		require.NoError(t, err)
+
+		// Stop the first manager
+		err = manager1.Stop(ctx)
+		require.NoError(t, err)
+
+		// Now create a new manager with local auth disabled
+		config2 := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager2.Stop(ctx) }()
+
+		// Verify local auth is disabled via config
+		assert.True(t, manager2.IsLocalAuthDisabled())
+
+		// Verify the user still exists in storage (just can't login via local)
+		lookedUp, err := manager2.GetUserDataByID(ctx, userID, AppMetadata{})
+		require.NoError(t, err)
+		assert.Equal(t, "preserved@example.com", lookedUp.Email)
+	})
+
+	t.Run("CreateUser fails when local auth is disabled", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		dbFile := filepath.Join(tmpDir, "dex.db")
+
+		// First, create a manager and add an external connector
+		config1 := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
+		require.NoError(t, err)
+
+		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
+			ID:           "google-test",
+			Name:         "Google Test",
+			Type:         "google",
+			ClientID:     "test-client-id",
+			ClientSecret: "test-client-secret",
+		})
+		require.NoError(t, err)
+
+		err = manager1.Stop(ctx)
+		require.NoError(t, err)
+
+		// Create manager with local auth disabled
+		config2 := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager2.Stop(ctx) }()
+
+		// Try to create a user - should fail
+		_, err = manager2.CreateUser(ctx, "newuser@example.com", "New User", "account1", "admin@example.com")
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "local user creation is disabled")
+	})
+
+	t.Run("CreateUserWithPassword fails when local auth is disabled", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		dbFile := filepath.Join(tmpDir, "dex.db")
+
+		// First, create a manager and add an external connector
+		config1 := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
+		require.NoError(t, err)
+
+		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
+			ID:           "google-test",
+			Name:         "Google Test",
+			Type:         "google",
+			ClientID:     "test-client-id",
+			ClientSecret: "test-client-secret",
+		})
+		require.NoError(t, err)
+
+		err = manager1.Stop(ctx)
+		require.NoError(t, err)
+
+		// Create manager with local auth disabled
+		config2 := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager2.Stop(ctx) }()
+
+		// Try to create a user with password - should fail
+		_, err = manager2.CreateUserWithPassword(ctx, "newuser@example.com", "SecurePass123!", "New User")
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "local user creation is disabled")
+	})
+}