Option to lock users to OAuth2

[hirnschmalz]

Our main use case for SSO is to move user maintenance to our identity provider. To make it unable for users to login into the backend after they have been disabled in the identity provider, it would be great to have an option to

• disable password field in the TYPO3 backend if the user is an OAuth2 user
• disable the OAuth2 providers list as soon as the user has activated one (from the personal user settings and also from the user list which is available for admin users)
• disable the username/password provider for users with OAuth2 (if this is possible)

[maikschneider]

Hey @hirnschmalz, do you want to activate this feature for regular backend users or for admin users as well? In case it's sufficient for non-admin users, maybe disabling the user > settings module for this backend group would be enough?

[hirnschmalz]

@maikschneider this should also be possible for BE admins.

[maikschneider]

Okay. I think this should be possible.

User settings

Disabling the fields in user settings is very easy via UserTS which could be added via a special be_group:

setup.fields.password.disabled = 1
setup.fields.password2.disabled = 1
setup.fields.email.disabled = 1
setup.fields.mfaProviders.disabled = 1
setup.fields.tx_oauth2_client_configs.disabled = 1

User edit (via System > Backend Users)

This is plain TCA and therefore a couple of hooks do exist.

I will have a look into it to make it as easy as possible. It is for sure a useful feature, thanks.

[hirnschmalz]

I'm aware of the TsConfig settings. The problem is, that if the SSO user is a TYPO3 backend admin, he could adjust these values by himself and "open a door" by adding a password and so let him login even if the user is longer active in the identity provider.

[maikschneider]

As admin you could just create a new admin user with username and password.. Admins in general have the privilege to adjust user settings - this is hardcoded. If you have trust issues, don't give your users admin privileges.

[hirnschmalz]

Yes, good point. Since there won't be a solution which is 100% safe and also work for TYPO3 admins, I guess there is no need for adaptions. I'll create a dedicated BE usergroup.

Maybe a hint in the README.md for other users whould be a good idea.