Disable password reset on a user

[jaywood128]

Disable password reset on a user

Problem

Using the FusionAuth-hosted login page, I want to only allow a user to login with an Idp or a SAML provider. I could disable credential login by removing the login form, and setting the password to a random value the user is not aware of, but this would not prevent them from attempting to change their password.

This would be helpful if you had customers who want to effectively force SSO while preventing users from changing their passwords.

Solution

Provide an option to disable a user from changing their password.

Alternatives/workarounds

• As stated above, remove the login form and set the user's password to a random value. Remove all references to the forgot password page.
• Add an alert whenever someone starts the password reset process that automatically locks their account: https://fusionauth.io/docs/extend/events-and-webhooks/events/user-password-reset-start
• Add a transactional user.login.success webhook that disallows logins that are not of the appropriate type.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

[robotdan]

Assuming this is a customer request - would this be an application scoped configuration, or would it be per user, or a policy to define a group of users?

[epbensimpson]

For our use case, either per-user or per-group would work. We have a single application, used by both our staff and our customers. Our staff should be required to sign in with Google, and our customers should be able to configure this for their organisation's users. So an application-scoped option would not be suitable for us.

[krajncmitja]

I would agree with option to have this per user. Although we have several applications, they are used primarily for whitelabeling purpose. A simple flag on user which would allow or deny starting the forgot password process would be great for our case.

[jdegger]

We are also looking for this option. We have a group of app-users which are using passwordless login. However we do not want them to pass through our other login forms, but it's on the same application id for other reasons so we can not split it up.

[mattwyatt-recurve]

We are also looking for this option. Have any workarounds been suggested since this issue was raised? Is this feature on any roadmap?

[mooreds]

@mattwyatt-recurve this is not currently in our near term plans. I added a few more workarounds that may work for you.

Here's our roadmap guidance: https://fusionauth.io/docs/operate/roadmap/roadmap which has options for feedback.

[mooreds]

Might be related to #1