Support sign in of third party auth provider user when their associated local user must change password #15461

@richard-cox

SURE-10596

Setup

  • Rancher version: v2.11

Describe the bug

  • normal flow
    • user installs Rancher
    • user runs through setup flow
      • user sets the password of the local auth provider admin user
        • user's mustChangePassword set to false
    • user configures third party auth provider
      • user is associated with a user from the third party auth provider
  • unsupported flow
    • user installs Rancher
    • third party auth provider automatically set up
      • including associated user with third party auth provider
      • local auth provider admin user password still requires reset
    • Bug - login attempts with third party OIDC user associated with local admin auth provider fail

To Reproduce
We can shortcut the automation of the above with the following:

  • Install Rancher + set up third party auth provider
  • Users & Authentication --> Users --> find the admin user --> Edit Config --> 'Ask user to change their password on next login' --> save
  • Logout
  • Try to log in with the user used when configuring third party auth provider

Result

  • on clicking 'login via x' user is just redirected back to the same page

Expected Result

  • SSO process followed, and if successful user is logged in

Labels

  • JIRA
  • QA/dev-automation: Issues that engineers have written automation around so QA doesn't have to look at this
  • area/auth: Authentication and RBAC
  • kind/bug
  • priority/0
