How to disable password auth once user is created (SSO only)?


(Aahan Krish) #1

Let's say I just installed Discourse. The first admin user I create will have to register with a password. Once registered and in, I enable SSO (e.g. Google), then log out and sign in using my Google account.

For future logins:

  1. I want the user to be able to sign in only via SSO, and his password should be removed as if he had never logged in with a password (i.e. like a new user who registered via SSO).

  2. But the user can use the “Forgot password” feature to create a password login again.

Is this possible? If so, how do I go about doing this?


As of now, I am creating a new user via SSO, turning him into admin, and deleting the password-authenticated old admin user. I don’t like this, unless this is the only safe way to do it.


(Kane York) #2

Disable this setting:


(Aahan Krish) #3

I considered that. But I want to disable password authentication only for the admin user, not all. :worried:


(Kane York) #4

Well, then generate a long password, maybe 50 characters long, then set it and forget it?

That would effectively be the same thing - nobody’s ever going to guess what it was.


(Aahan Krish) #5

Yep, considered that too. And then I thought I have a better idea, and this is what I am doing now:

  1. Configure app.yml with 2 admin emails at the time of site creation (or rebuild it later, maybe): user1@example.com, user2@example.com

  2. Register user1@example.com like you suggested, i.e. with a long password (I generally go with 63 chars).

  3. Enable Google/Yahoo/Facebook/Twitter/GitHub authentication.

  4. Log in as user2@example.com using one of them.

  5. Delete user1@example.com’s account.

Probably too much, but I feel safer without a password, especially for the admin user.


(Kane York) #6

Warning - if anyone ever figured out what user1@example.com is, and they somehow get access to that email to complete registration, they will have admin access on your Discourse! Safer to remove it from app.yml.


(Aahan Krish) #7

Ah, you’re right. So, all I have to do is remove the email from app.yml and run this command:

~$ cd /var/docker
~$ ./launcher rebuild app

right?
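As an added example (not code from the thread or from Discourse itself), a small POSIX shell check for Kane York's warning in #6: it reports whether app.yml still lists bootstrap admin e-mails, so it can be run before the rebuild in #7. It assumes those e-mails live under `env:` as `DISCOURSE_DEVELOPER_EMAILS` in the standard Discourse Docker app.yml, and uses constructed sample files.

```shell
#!/bin/sh
# Added example (not from the thread or from Discourse itself).
# Assumption: bootstrap admin e-mails live in app.yml under env: as
#   DISCOURSE_DEVELOPER_EMAILS: 'user1@example.com,user2@example.com'

# Print the admin e-mails listed in an app.yml, one per line (nothing if none).
developer_emails() {
  sed -n -E 's/^[[:space:]]*DISCOURSE_DEVELOPER_EMAILS:[[:space:]]*//p' "$1" \
    | tr -d "'\"" \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d'
}

# Number of admin e-mails the file still grants admin to.
count_admin_emails() {
  developer_emails "$1" | wc -l | tr -d ' '
}

# Return 0 when the file grants admin to nobody, 1 (with a warning) otherwise.
check_app_yml() {
  emails=$(developer_emails "$1")
  if [ -n "$emails" ]; then
    printf 'WARNING: %s still grants admin on registration to:\n%s\n' "$1" "$emails" >&2
    return 1
  fi
  return 0
}

# Constructed sample files: before and after the e-mails are removed.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/before.yml" <<'EOF'
env:
  LANG: en_US.UTF-8
  DISCOURSE_DEVELOPER_EMAILS: 'user1@example.com, user2@example.com'
EOF
cat > "$TMP/after.yml" <<'EOF'
env:
  LANG: en_US.UTF-8
  DISCOURSE_DEVELOPER_EMAILS: ''
EOF

check_app_yml "$TMP/before.yml" || echo "before.yml: remove the e-mails, then ./launcher rebuild app"
check_app_yml "$TMP/after.yml" && echo "after.yml: clean, safe to rebuild"
```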