
Disable password reset on a user

Open jaywood128 opened this issue 2 years ago • 7 comments


Problem

Using the FusionAuth-hosted login page, I want to only allow a user to log in with an IdP or a SAML provider. I could disable credential login by removing the login form and setting the password to a random value the user is not aware of, but this would not prevent them from attempting to change their password.

This would be helpful if you had customers who want to effectively force SSO while preventing users from changing their passwords.

Solution

Provide an option to disable a user from changing their password.

Alternatives/workarounds

  • As stated above, remove the login form and set the user's password to a random value. Remove all references to the forgot password page.
  • Add an alert whenever someone starts the password reset process that automatically locks their account: https://fusionauth.io/docs/extend/events-and-webhooks/events/user-password-reset-start
  • Add a transactional user.login.success webhook that disallows logins that are not of the appropriate type.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

jaywood128, Jan 23 '23 19:01
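The two webhook workarounds listed in the issue (a transactional user.login.success webhook that vetoes logins not made through an identity provider, and a user.password.reset.start webhook that locks the account), written out as an added Python example that is not part of the issue or of FusionAuth's own code. The event field names (event.type, identityProviderId, authenticationType, user.memberships[].groupId) are assumptions about the webhook JSON, and the SSO-only group id and sample users are constructed placeholders.

```python
"""Webhook decision logic for two workarounds from the issue (constructed example).
Assumed FusionAuth webhook JSON: {"event": {"type", "user", "identityProviderId",
"authenticationType", ...}}; verify field names against your version's event docs.
A transactional webhook vetoes the login by responding with a non-2xx status.
"""

# Hypothetical group whose members must use SSO (constructed placeholder id).
SSO_ONLY_GROUP_ID = "00000000-0000-0000-0000-000000000001"


def is_sso_only(user: dict) -> bool:
    """True when the user is a member of the constructed SSO-only group."""
    return any(m.get("groupId") == SSO_ONLY_GROUP_ID for m in user.get("memberships", []))


def evaluate_login_success(payload: dict) -> tuple[int, str]:
    """Status and reason for a transactional user.login.success webhook.
    Assumption: IdP logins carry a non-null identityProviderId, password logins none."""
    event = payload.get("event", {})
    if event.get("type") != "user.login.success":
        return 200, "not a login event, ignored"
    if not is_sso_only(event.get("user", {})):
        return 200, "user is not SSO-only, any login method accepted"
    if event.get("identityProviderId"):
        return 200, f"federated login via {event.get('identityProviderName')}"
    return 403, f"SSO-only user attempted {event.get('authenticationType')} login"


def on_password_reset_start(payload: dict) -> dict:
    """Action for user.password.reset.start: lock SSO-only users who start a reset.
    The caller would then set active=false via the FusionAuth User API (not done here)."""
    event = payload.get("event", {})
    user = event.get("user", {})
    if event.get("type") == "user.password.reset.start" and is_sso_only(user):
        return {"action": "deactivate", "userId": user.get("id")}
    return {"action": "none", "userId": user.get("id")}


# Constructed sample events; ids and names are placeholders, not real data.
SSO_USER = {"id": "user-1", "email": "staff@example.com",
            "memberships": [{"groupId": SSO_ONLY_GROUP_ID}]}
GOOGLE_LOGIN = {"event": {"type": "user.login.success", "authenticationType": "GOOGLE",
                          "identityProviderId": "idp-1", "identityProviderName": "Google",
                          "user": SSO_USER}}
PASSWORD_LOGIN = {"event": {"type": "user.login.success", "authenticationType": "PASSWORD",
                            "identityProviderId": None, "user": SSO_USER}}
RESET_START = {"event": {"type": "user.password.reset.start", "user": SSO_USER}}
```

The login veto only takes effect when the webhook is configured as transactional for that event in FusionAuth; a non-transactional webhook is told about the login but cannot stop it.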

Assuming this is a customer request - would this be an application scoped configuration, or would it be per user, or a policy to define a group of users?

robotdan, Feb 11 '23 20:02

For our use case, either per-user or per-group would work. We have a single application, used by both our staff and our customers. Our staff should be required to sign in with Google, and our customers should be able to configure this for their organisation's users. So an application-scoped option would not be suitable for us.

epbensimpson, Mar 09 '23 20:03

I would agree with the option to have this per user. Although we have several applications, they are used primarily for white-labeling purposes. A simple flag on the user which would allow or deny starting the forgot password process would be great for our case.

krajncmitja, Mar 30 '23 06:03

We are also looking for this option. We have a group of app users who are using passwordless login. However, we do not want them to pass through our other login forms, but they are on the same application ID for other reasons, so we cannot split it up.

jdegger, May 03 '23 07:05

We are also looking for this option. Have any workarounds been suggested since this issue was raised? Is this feature on any roadmap?

mattwyatt-recurve, Aug 02 '24 22:08

@mattwyatt-recurve this is not currently in our near-term plans. I added a few more workarounds that may work for you.

Here's our roadmap guidance: https://fusionauth.io/docs/operate/roadmap/roadmap which has options for feedback.

mooreds, Aug 14 '24 01:08

Might be related to https://github.com/fusionauth/fusionauth-issues/issues/1

mooreds, Sep 11 '24 22:09

In 1.59.0, we delivered the ability to have a user without a password, resolving https://github.com/FusionAuth/fusionauth-issues/issues/484.

Folks who chimed in above, does this address your needs?

mooreds, Aug 25 '25 15:08