Mandatory login via oidc only for employees

Hi,

Is it intended that a user is still able to log in with the local password? Let’s say a user creates an account via oidc login. At this point everything is fine: the user can log in via the oidc provider, and the account is protected via 2fa enforcement on the oidc provider as well.

Now, the user sets a local password for this oidc-connected account via the password reset email feature. After setting the password, login is possible using the local password and oidc, but the local login is not 2fa protected and potentially insecure. To make it even worse, there seems to be no way back: after setting a local password, users can’t remove it again, and they also cannot set up 2fa because this will disable social logins. I would like to have an option to disallow local logins for oidc users and, to be even more strict, an option to disallow all other social logins as well, to make oidc login mandatory for oidc-connected accounts.

Thanks.

Just to check - did you toggle the enable local logins admin setting?

That will disable local login for everyone, not what I want :slight_smile:

Use case:

  • Mandatory login via oidc for employees
  • Community login via social login or local user registration