Allow disabling local password through broker.conf

shiv-tyagi · shiv-tyagi · commit 8eb4641c6ece · 2026-02-01T22:27:20.000+05:30
diff --git a/authd-oidc-brokers/conf/variants/oidc/broker.conf b/authd-oidc-brokers/conf/variants/oidc/broker.conf
@@ -24,6 +24,18 @@ client_id = <CLIENT_ID>
 ## if the identity provider is unreachable (e.g. due to network issues).
 #force_provider_authentication = false
 
+## Disable local password authentication, requiring users to always perform
+## device authentication with the identity provider.
+##
+## When enabled:
+## - Users will not be able to create or use local passwords
+## - Device authentication will be required for every login
+## - Local password authentication mode will not be offered
+##
+## Important: Enabling this option prevents offline login entirely.
+## Users must have network connectivity to authenticate.
+#disable_local_password = false
+
 [users]
 ## The directory where the home directories of new users are created.
 ## Existing users will keep their current home directory.
diff --git a/authd-oidc-brokers/internal/broker/broker.go b/authd-oidc-brokers/internal/broker/broker.go
@@ -305,6 +305,11 @@ func (b *Broker) availableAuthModes(session session) (availableModes []string, e
 func (b *Broker) authModeIsAvailable(session session, authMode string) bool {
 	switch authMode {
 	case authmodes.Password:
+		if b.cfg.disableLocalPassword {
+			log.Debugf(context.Background(), "Local password authentication is disabled")
+			return false
+		}
+
 		if !tokenExists(session) {
 			log.Debugf(context.Background(), "Token does not exist for user %q, so local password authentication is not available", session.username)
 			return false
@@ -716,9 +721,14 @@ func (b *Broker) deviceAuth(ctx context.Context, session *session) (string, isAu
 	// Store the auth info in the session so that we can use it when handling the
 	// next IsAuthenticated call for the new password mode.
 	session.authInfo = authInfo
-	session.nextAuthModes = []string{authmodes.NewPassword}
 
-	return AuthNext, nil
+	// Only require password creation if local password authentication is not disabled
+	if !b.cfg.disableLocalPassword {
+		session.nextAuthModes = []string{authmodes.NewPassword}
+		return AuthNext, nil
+	}
+
+	return b.finishAuth(session, authInfo)
 }
 
 func (b *Broker) passwordAuth(ctx context.Context, session *session, secret string) (string, isAuthenticatedDataResponse) {
diff --git a/authd-oidc-brokers/internal/broker/config.go b/authd-oidc-brokers/internal/broker/config.go
@@ -18,6 +18,8 @@ import (
 const (
 	// forceProviderAuthenticationKey is the key in the config file for the option to force provider authentication during login.
 	forceProviderAuthenticationKey = "force_provider_authentication"
+	// disableLocalPasswordKey is the key in the config file for the option to disable local password authentication.
+	disableLocalPasswordKey = "disable_local_password"
 
 	// oidcSection is the section name in the config file for the OIDC specific configuration.
 	oidcSection = "oidc"
@@ -80,6 +82,7 @@ type userConfig struct {
 	issuerURL    string
 
 	forceProviderAuthentication bool
+	disableLocalPassword        bool
 	registerDevice              bool
 
 	allowedUsers          map[string]struct{}
@@ -234,6 +237,13 @@ func parseConfig(cfgContent []byte, dropInContent []any, p provider) (userConfig
 				return userConfig{}, fmt.Errorf("error parsing '%s': %w", forceProviderAuthenticationKey, err)
 			}
 		}
+
+		if oidc.HasKey(disableLocalPasswordKey) {
+			cfg.disableLocalPassword, err = oidc.Key(disableLocalPasswordKey).Bool()
+			if err != nil {
+				return userConfig{}, fmt.Errorf("error parsing '%s': %w", disableLocalPasswordKey, err)
+			}
+		}
 	}
 
 	entraID := iniCfg.Section(entraIDSection)
