HEPTACOM / HeptacomShopwarePlatformAdminOpenAuth

Shopware plugin to allow open auth logins in the administration
https://www.heptacom.de/
Apache License 2.0

[Feature]: Disallow login through password for SSO users #14

Closed. AndreasA closed this 9 months ago

AndreasA commented 1 year ago

Plugin Version

4.2.1

PHP Version

8.1

Shopware Version

6.4.18.1

Installation method

Composer

Identity provider

None

What happened?

I admit I did not yet verify this, but if a user logs in through SSO it would be good if that user could not log in at all using a password, as otherwise they might be able to change their password (e.g. via the forgot-password functionality) and log in without the company's SSO after they left the company.

But as mentioned, I did not yet check if this is already the case. I just did not see anything in the code base regarding this (at first glance).

Relevant log output

No response

JoshuaBehrens commented 1 year ago

It is a good idea. As this new feature heavily depends on how extensible the API is that Shopware provides to authenticate the user, we cannot work on that for the Shopware 6.4 version of the plugin and will postpone this until after the Shopware 6.5 refactoring.

It is a good idea but not complete. Some SSO providers support logout URIs (https://openid.net/specs/openid-connect-frontchannel-1_0.html) which should inform the shop that the user needs to be logged out. This needs to throw freshly dropped users out of their active sessions.

I created a ticket for this but do not expect this to come very soon.

AndreasA commented 1 year ago

Sounds good. Probably both scenarios should be added. But I think it is definitely fine to wait until the Shopware 6.5 release.

Is the necessary API already in place for Shopware 6.5? If not, it would probably be a good idea to create the corresponding PRs now, before the final 6.5 release 😄

JoshuaBehrens commented 1 year ago

In theory we can solve it on the request layer using only Symfony tools, but this is rather "hacky". We will see what we need to do for that.

AndreasA commented 1 year ago

@JoshuaBehrens I already expected something like this from a short Shopware core code review. I guess some additional events etc. might be necessary to do this nicely. Adding this to the new version for Shopware 6.5 would be great though.

One idea I had that is not perfect but might be a good, straightforward workaround would be to disable (and maybe even delete) SSO users using a scheduled task if their last SSO login is older than e.g. 24 hours, and only enable them again upon SSO login. As mentioned, not perfect, but probably a good initial compromise, and it would not be that hacky 😄
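
The scheduled-task workaround proposed in the comment above, written out as an added example for Shopware 6.4. This is not code from the HeptacomShopwarePlatformAdminOpenAuth plugin. It assumes (hypothetically) that the plugin has extended the `user` entity with a nullable `lastSsoLogin` DateTime field which the SSO login flow sets to the current time together with `active = true`; users whose `lastSsoLogin` is NULL are treated as password-only accounts and are never touched, which covers the "external users outside the company SSO" case raised later in the thread. The task and handler names are likewise made up for the example.

```php
<?php declare(strict_types=1);

// Added example, not part of the HeptacomShopwarePlatformAdminOpenAuth plugin.
// Target: Shopware 6.4 scheduled-task API (ScheduledTask / ScheduledTaskHandler).
// Assumed (hypothetical) schema: `user.lastSsoLogin` (nullable DateTime) is
// written by the SSO login flow; NULL means "this account never used SSO".

namespace HeptacomExample\ScheduledTask;

use Shopware\Core\Defaults;
use Shopware\Core\Framework\Context;
use Shopware\Core\Framework\DataAbstractionLayer\EntityRepositoryInterface;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\EqualsFilter;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\NotFilter;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\RangeFilter;
use Shopware\Core\Framework\MessageQueue\ScheduledTask\ScheduledTask;
use Shopware\Core\Framework\MessageQueue\ScheduledTask\ScheduledTaskHandler;

class DisableStaleSsoUsersTask extends ScheduledTask
{
    public static function getTaskName(): string
    {
        return 'heptacom_example.disable_stale_sso_users'; // hypothetical name
    }

    public static function getDefaultInterval(): int
    {
        return 3600; // run hourly; the 24h window in the handler is the real cut-off
    }
}

class DisableStaleSsoUsersTaskHandler extends ScheduledTaskHandler
{
    // Maximum age of the last SSO login before the account is deactivated.
    private const MAX_SSO_LOGIN_AGE = 'PT24H';

    private EntityRepositoryInterface $userRepository;

    public function __construct(
        EntityRepositoryInterface $scheduledTaskRepository,
        EntityRepositoryInterface $userRepository // the core `user.repository` service
    ) {
        parent::__construct($scheduledTaskRepository);
        $this->userRepository = $userRepository;
    }

    public static function getHandledMessages(): iterable
    {
        return [DisableStaleSsoUsersTask::class];
    }

    public function run(): void
    {
        $context = Context::createDefaultContext();
        $cutoff = (new \DateTimeImmutable('now', new \DateTimeZone('UTC')))
            ->sub(new \DateInterval(self::MAX_SSO_LOGIN_AGE));

        $criteria = new Criteria();
        // Only users that are currently active ...
        $criteria->addFilter(new EqualsFilter('active', true));
        // ... and have logged in via SSO at least once (lastSsoLogin IS NOT NULL),
        // so password-only accounts are never deactivated by this task ...
        $criteria->addFilter(new NotFilter(NotFilter::CONNECTION_AND, [
            new EqualsFilter('lastSsoLogin', null),
        ]));
        // ... and whose last SSO login is older than the cut-off.
        $criteria->addFilter(new RangeFilter('lastSsoLogin', [
            RangeFilter::LT => $cutoff->format(Defaults::STORAGE_DATE_TIME_FORMAT),
        ]));

        $staleIds = $this->userRepository->searchIds($criteria, $context)->getIds();
        if ($staleIds === []) {
            return;
        }

        // Deactivate instead of deleting: user rows are referenced by
        // createdBy/updatedBy columns elsewhere, so deletion is not an option.
        $this->userRepository->update(
            array_map(static fn (string $id): array => ['id' => $id, 'active' => false], $staleIds),
            $context
        );
    }
}
```

The task and handler still have to be registered as services (the task tagged `shopware.scheduled.task`, the handler tagged `messenger.message_handler`) and the SSO login flow has to do the other half of the workaround: set `active = true` and refresh `lastSsoLogin` on every successful SSO login. Two caveats a practitioner should keep in mind: deactivating the account blocks new logins only, so whether an already-issued administration access token keeps working until it expires depends on how Shopware validates the token, and the task therefore does not replace the front-channel logout handling mentioned earlier in the thread; and an account that is inactive but still has a password can be re-enabled by any other admin, so the "disable password login" direction is still the stronger control.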

JoshuaBehrens commented 1 year ago

> and maybe even delete

I like to have less junk in the database, but with columns like createdBy and updatedBy we have hard constraints on the users, so it is unlikely we can get rid of the users per se. This will not be an applicable approach within Shopware.

silviokennecke commented 1 year ago

@AndreasA I just added a configuration option to completely disable the password login for the administration. It is already included in the 5.0.0-beta.1.

AndreasA commented 1 year ago

@silviokennecke Just one question: is it possible to allow non-SSO users to still log in using the password if that option is active? Or will only SSO work afterwards? E.g. if there are some users outside the company that need access but cannot be integrated into the company SSO. One could probably add a second SSO provider, but it might be easier to give those a normal admin user.

silviokennecke commented 9 months ago

Sorry Andreas, I totally missed your comment. It is not possible to log in via password in any case if the "disable password login" option is enabled.