Option to Disable Username/Password Authentication
Current Behavior
Problem: We aim to improve the security posture of our Dependency-Track instance by eliminating the option for username/password login. We want to enforce the use of stronger authentication methods such as OpenID Connect.
Proposed Solution: Implement a configuration setting that allows administrators to completely disable username/password-based authentication. When this setting is active, users should only be able to log in via other configured authentication mechanisms (e.g., OpenID Connect).
Context: Disabling traditional username/password login aligns with security best practices and mitigates risks associated with credential compromise.
Proposed Behavior
Implement a configuration setting that allows administrators to completely disable username/password-based authentication. When this setting is active, users should only be able to log in via other configured authentication mechanisms (e.g., OpenID Connect).
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested
If you are not creating any managed users, nobody can log in with user/pw. Why do you need to explicitly disable it?
A key concern is the default presence of the admin user, which, despite being deletable, remains exposed until manual intervention. This contradicts an Infrastructure as Code (IaC) approach. I've invested considerable effort attempting to deploy and configure Dependency Track purely through the provided Helm chart, aiming for a fully automated setup. However, the current chart capabilities seem to necessitate manual post-deployment steps, which hinders our IaC adoption.
I landed here with the very same concern. When only OIDC is allowed, it's misleading to have a form there. Not to mention the fact that every single login attempt (legit or not) reaches the API server.
Related: https://github.com/DependencyTrack/frontend/issues/429