
Devise + Omniauth: disable email login when users enable SSO

Open collimarco opened this issue 3 years ago • 5 comments

I have completed the official tutorial to add Omniauth.

Now when some users choose to use "Sign in with Google" I want to disable the normal login with email and password for those users (for enhanced security). Note that I want to disable it only for those specific users and not for the entire application.

Basically I would like to build something like Basecamp, where the users can use the email or the SSO, but not both at the same time.

How can I achieve that? I can't find any Devise configuration that would allow that.

collimarco avatar Jun 26 '22 10:06 collimarco

Did you ever figure something out for this? I am in the same situation and haven't really come up with anything.

chrisgow avatar Sep 10 '22 03:09 chrisgow

@chrisgow Unfortunately, no, I didn't find any solution. It would be really important to have this option for security: if you enable SSO (e.g. with Google) you don't want to have other ways to access your account (e.g. email, password resets, etc.). And you, did you find any solution?

collimarco avatar Jan 14 '23 16:01 collimarco

I'm also facing the same situation because we need to support a phased SSO rollout for an existing local-password app.

I'm just starting to look at things but my plan is:

  1. Clean-up the password related fields.
  2. Prevent any password from working if SSO is enabled.

For 1, once a user links an account I call clean_up_passwords on the user which will clear the password and the password confirmation field: https://www.rubydoc.info/github/plataformatec/devise/Devise/Models/DatabaseAuthenticatable.

For 2, I'm overriding the valid_password? method to return false if SSO has been enabled. Something like:

  # app/models/user.rb
  class User < ApplicationRecord
    # Refuse every password once the account is linked to an SSO provider;
    # otherwise fall through to Devise's normal bcrypt comparison.
    def valid_password?(password)
      return false if sso_enabled?

      super
    end
  end

Not perfect, but seems to be a start. Will update again once I get further along.

krsyoung avatar Feb 27 '23 03:02 krsyoung
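The two steps above, as an added stand-alone example (not krsyoung's code and not Devise's own). Devise is not loaded: the two small modules are constructed stand-ins for DatabaseAuthenticatable and Recoverable so the file runs offline, `sso_provider` is an assumed column, and SHA-256 only stands in for bcrypt. It also shows that `clean_up_passwords` clears just the in-memory fields, so the `valid_password?` override is what actually blocks login.

```ruby
require 'digest'

# Constructed stand-in for Devise::Models::DatabaseAuthenticatable.
module FakeDatabaseAuthenticatable
  attr_reader :password
  attr_accessor :password_confirmation, :encrypted_password

  # Like Devise, a nil password leaves the stored digest untouched.
  def password=(new_password)
    @password = new_password
    @encrypted_password = Digest::SHA256.hexdigest(new_password) if new_password
  end

  def valid_password?(password)
    return false if encrypted_password.nil? || password.nil?
    Digest::SHA256.hexdigest(password) == encrypted_password
  end

  # Clears only the in-memory attributes; encrypted_password stays in the DB.
  def clean_up_passwords
    self.password = self.password_confirmation = nil
  end
end

# Constructed stand-in for Devise::Models::Recoverable.
module FakeRecoverable
  def send_reset_password_instructions
    :reset_email_sent # pretend the mail went out
  end
end

class User
  include FakeDatabaseAuthenticatable
  include FakeRecoverable
  attr_accessor :sso_provider # assumed column, e.g. "google_oauth2"

  def sso_enabled?
    !sso_provider.nil?
  end

  # Step 2: an SSO-linked user can never authenticate with a password,
  # even though the old digest is still stored.
  def valid_password?(password)
    return false if sso_enabled?
    super
  end

  # Same guard on the reset-by-email path (assumed override of Recoverable).
  def send_reset_password_instructions
    return :sso_account_no_reset if sso_enabled?
    super
  end

  # Step 1: called from the OmniAuth callback once the provider is linked.
  def link_sso!(provider)
    self.sso_provider = provider
    clean_up_passwords
  end
end
```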

ty @krsyoung ! I'm giving you a shoutout on this stackoverflow post

https://stackoverflow.com/questions/72760601/devise-omniauth-disable-email-login-when-users-enable-sso/75787006#75787006

catsofmath avatar Mar 20 '23 06:03 catsofmath

Not sure if this is a problem related to Devise or to the business application? I faced the same issue a couple of years ago and ended up hiding the password fields in a custom template.

@carlosantoniodasilva wdyt?

leandronsp avatar Nov 10 '23 14:11 leandronsp