I am working with a CDCK hosted client who is configuring oauth2.
We’ve got it set up so that the create account dialog is automatically bypassed and now new accounts authenticated by the oauth2 server are created automatically. All other login mechanisms are turned off.
During testing they don’t want anyone to log in without approval, so I turned on “must approve users”. This works as expected except they still get a “change email address” button. “email editable” is turned off and oauth2 overrides email is turned on.
I suggested hiding the button with CSS, but this seems like a bug, though it’s arguably a feature request, as it’s more of an annoyance than a can’t-use-discourse issue.