Site setting to disable local sign ups

Hello,

I’m looking for a site setting that disables local signups, but maintains OpenID connect new account registrations.

Looking back at user reports from January, the majority pointed to a site text. This was the error message: “New account registrations are not allowed at this time.” That would have caused me to enable Allow_new_registrations.

Browsing through all the available settings, I can’t see an explicit “registrations allowed via OIDC but not the local site”.

I have however used a Data Explorer query to check for any users (acting against ToS, of course) using their DevTools to unhide the sign up button or selectively disable a JS redirect:

-- Non-staged users with no row in user_associated_accounts, i.e. accounts
-- that were created locally rather than through an external (OIDC) provider.
SELECT
  u.id,
  u.username,
  u.name,
  ue.email,
  u.active,
  u.approved,
  u.created_at,
  u.last_seen_at
FROM users u
LEFT JOIN user_associated_accounts uaa
  ON uaa.user_id = u.id
LEFT JOIN user_emails ue
  ON ue.user_id = u.id
 AND ue.primary = true   -- only the primary address, one row per user
WHERE uaa.user_id IS NULL
  AND u.staged = false
ORDER BY u.last_seen_at DESC NULLS LAST, u.created_at DESC

I appreciate that a user acting against my policy would still need to verify their email address; it’s just that I don’t want users registering who might not have an account in the institution providing me with my OIDC needs.

Could alternatively scope must_approve_users with a must_approve_local_users,

but this would remove the possibility of disabling the initial page that redirects to /login as a side effect of solving this security vulnerability.
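As an added example (not part of this thread and not Discourse code), the Data Explorer query above run against a constructed in-memory SQLite copy of the three tables it touches. Data Explorer itself runs on PostgreSQL; this only reproduces the anti-join logic so the edge cases are visible: users with an associated account are dropped, staged users are dropped, a user with several emails appears once with the primary address, and users who have never been seen sort last. The column `primary` is quoted because it is an SQL keyword, `true`/`false` are written as `1`/`0`, and `NULLS LAST` is replaced by the portable `IS NULL` trick; the table layouts and sample rows are constructed for the example.

```python
import sqlite3

# Same query as in the post, in a form SQLite accepts (see lead-in).
LOCAL_ONLY_USERS_SQL = """
SELECT
  u.id,
  u.username,
  u.name,
  ue.email,
  u.active,
  u.approved,
  u.created_at,
  u.last_seen_at
FROM users u
LEFT JOIN user_associated_accounts uaa
  ON uaa.user_id = u.id
LEFT JOIN user_emails ue
  ON ue.user_id = u.id
 AND ue."primary" = 1
WHERE uaa.user_id IS NULL
  AND u.staged = 0
ORDER BY u.last_seen_at IS NULL, u.last_seen_at DESC, u.created_at DESC
"""


def build_sample_db():
    """Constructed minimal copies of the Discourse tables used by the query."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
    CREATE TABLE users (
      id INTEGER PRIMARY KEY, username TEXT, name TEXT,
      active INTEGER, approved INTEGER, staged INTEGER,
      created_at TEXT, last_seen_at TEXT);
    CREATE TABLE user_associated_accounts (
      id INTEGER PRIMARY KEY, user_id INTEGER,
      provider_name TEXT, provider_uid TEXT);
    CREATE TABLE user_emails (
      id INTEGER PRIMARY KEY, user_id INTEGER, email TEXT, "primary" INTEGER);
    """)
    users = [
        # id, username, name, active, approved, staged, created_at, last_seen_at
        (1, "alice", "Alice", 1, 1, 0, "2024-01-05", "2024-03-02"),  # via OIDC
        (2, "bob", "Bob", 1, 1, 0, "2024-01-20", "2024-02-10"),      # local only
        (3, "carol", "Carol", 0, 0, 1, "2024-02-01", None),          # staged
        (4, "dave", "Dave", 1, 0, 0, "2024-02-15", None),            # local, never seen
        (5, "erin", "Erin", 1, 1, 0, "2024-02-20", "2024-03-01"),    # local, two emails
    ]
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", users)
    conn.execute(
        "INSERT INTO user_associated_accounts VALUES (1, 1, 'oidc', 'sub-alice')")
    emails = [
        (1, 1, "alice@inst.example", 1),
        (2, 2, "bob@example.com", 1),
        (3, 3, "carol@example.com", 1),
        (4, 4, "dave@example.com", 1),
        (5, 5, "erin@example.com", 1),
        (6, 5, "erin.old@example.com", 0),  # secondary address, must not duplicate
    ]
    conn.executemany("INSERT INTO user_emails VALUES (?,?,?,?)", emails)
    conn.commit()
    return conn


def find_local_only_users(conn):
    """Run the anti-join and return plain dicts, one per local-only user."""
    return [dict(row) for row in conn.execute(LOCAL_ONLY_USERS_SQL)]


if __name__ == "__main__":
    for row in find_local_only_users(build_sample_db()):
        print(row["id"], row["username"], row["email"], row["last_seen_at"])
```

Running it lists erin, bob and dave, in that order; alice (OIDC-linked) and carol (staged) are absent.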

Uncheck enable local logins. That will still allow signups/logins via external methods, like an OpenID provider.

The main issue with unchecking that is my forum then redirects directly to Entra, which makes my forum look like it’s managed by an institution (while it’s not).

Is your site login required? If so, see this setting:

Yes, that’s enabled. That’s the setting I sent a pull request for, to remove the “external” word from the setting description.

So, if you want to show a splash screen on the site but with OIDC enabled as the only login method, you need to:

  • uncheck enable local logins
  • uncheck auth immediately
  • have one external login method enabled

Once those conditions are met, people will see a login required screen like this:

Both buttons here (sign up / login) will lead to your one external login method.

Yes, that’s exactly what I did to https://physicswithethan.discourse.diy

I also disabled my custom component “sign up overrides”


So you’re all set, or are you missing the Signup button? You can allow new registrations now, it will only enable signup via OIDC.

Does disabling auth immediately prevent users from creating a new account through the OIDC login flow?

No, it only controls whether the splash is shown or whether users get sent to the login gateway right away.

Okay, I adjusted both login_required.welcome_message and site_description, and it made the splash look much more personalised.

I also disabled Auto_skip_create_confirm so my login_required.welcome_message is accurate about choice of username.
