Allow user to be created without password

[Shadlington]

Allow user to be created without password

Problem

For use cases that entirely rely on passwordless login, assigning a user a password does not make sense but is required anyway.

Solution

Be able to create a user without a password (or without sending an email to request a password be set) if using passwordless login.

Alternatives/workarounds

Currently we are assigning a random password to any users and subsequently ignoring it.

Related

• https://github.com/FusionAuth/fusionauth-issues/issues/1553

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

[awoodobvio]

This is needed when the system is being configured with an external provider as well. See this scenario:

• All users should login via OpenID Connect identity provider (no username/password allowed) -> this is actually hard to do in fusion auth right now since there seems to be an assumption that we ALWAYS want to allow un/pw logins in addition to external IdP.
• Automatic registration creation to applications is disabled due to licensing restrictions.
• Adding a user to an application requires them to attempt a login and get rejected and then we can add the user to the system
• Alternatively, we can add a user with the proper email/username and a dummy password which allows us to set the user up before they log in, but adds an unnecessary password to the system

Ideally, we should be able to add users to the system by "email" / "username" ONLY and let the linking mechanism resolve.

[mooreds]

@awoodsprim Interesting use case. Why can't you:

• create two applications, a 'dummy' one with self service registration and the 'real' application.
• allow the user to OIDC in to the dummy one
• do your out of band licensing, and on success, add a registration to the 'real' application.

You can remove the username/password form from the login page via a custom theme.

[awoodobvio]

@mooreds This still results in the user having to attempt to login (now to a different app) before we can assign them permissions.

The end use case I'd want is:

Add a user to the tenant with an email or username (depending on linking strategy) Add user to a group Add registration for user to the various applications (is there a way to do this via the Group mechanism above?)

This way when the user first logs in, they have access to the systems they need. We do not want self registration, and self registration requires them adding a password which we do not want (no way to create a form without a password that I've seen so far).

[mooreds]

@awoodsprim

Thanks for clarifying your end use case.

You should be able to do this via a provisioning script:

• add a user to a tenant with an email or username (depending on linking strategy) with a random password that they never need to know
• add the user to a group
• add a registration to the user for particular applications

When you present the login form link to the user, specify an idp_hint so they are never shown the password field. In fact, you could edit the theme to remove the login id and password fields as well.

You can not specify a registration via a group, only a role to be assigned after registration.

Hope that helps. This has moved away from the issue and is probably more of a forum topic at this point. If you have additional feedback, let's discuss on the forum (feel free to paste a topic link here).

[awoodobvio]

Continued here: https://fusionauth.io/community/forum/topic/1392/invite-users-to-tenant-via-email-without-password

[adamcunnington-mlg]

November 2023 and disabling user/password login is not a 101 core feature of an auth provider? Am I asleep?!

[mooreds]

@adamcunnington-mlg thanks for your feedback, love the snark :) .

The team at FusionAuth is balancing many different priorities and this hasn't been prioritized based on feedback and planning by our team, our customers or our users, so no, it hasn't been done yet. There is a work around as mentioned above.

Please do upvote the issue if this is important to you, as community feedback is an important part of our roadmap process.

[justin-hughey-github]

Not sure if our use case is 1:1 with what's described above. We have users who are non-federated using username/password to login to FusionAuth. The organization that those users work for purchase an IdP (e.g., Okta). Afterwards, all users who are members of the organization should only be authenticating via the IdP and the password field of the user account should be wiped or disabled.

We would be happy with something as simple as an API endpoint that we could call to delete the user's existing password or to set a flag on the user account, disabling the ability for them to login via username/password.

[theogravity]

We'd like to go pure passwordless on the hosted auth pages where you can do the following:

• On the registration page, only ask for name and e-mail without a password
• On submitting the form, a verification e-mail is sent
• When the user clicks on the verification link, they're signed in

Is this possible?

Edit: Support says it is not supported as of Aug 21 2024.