Closed mecampbellsoup closed 3 months ago
There is no direct configuration for that, though you can easily override e.g. the `ResetPasswordForm.clean_email()` method to look up the user from the email and handle things from there. There is also the adapter `clean_password(self, password, user=None)` method you can hook into to reject moving from an unusable password.

I can imagine an `allauth.policies` sort of app at some future point in time handling account policies, including e.g. MFA restriction, but for now that's out of scope.
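As an added example (not code from django-allauth and not written by either participant in the thread), one way to implement the restriction the maintainer describes: an account adapter whose `clean_password` hook rejects a new password for a user who currently has no usable password but does have a linked social account, plus a small helper that a `ResetPasswordForm.clean_email()` override could apply to the looked-up users so that no reset mail goes out for them. The `clean_password(self, password, user=None)` hook and the `ACCOUNT_ADAPTER` setting are allauth's; the class and function names, and the `FakeUser` stand-ins used to run it without a database, are assumptions made for illustration.

```python
# Added example, not django-allauth's own code: an account adapter that refuses to
# let a "social-only" user (no usable password, at least one linked SocialAccount,
# e.g. one created by a SAML SocialApp login) obtain a local password via the reset
# flow. It relies on the clean_password(self, password, user=None) adapter hook
# named in the thread; the class/function names below are assumptions, not allauth APIs.
try:
    from django.core.exceptions import ValidationError
    from allauth.account.adapter import DefaultAccountAdapter
except Exception:  # Django/allauth missing or unconfigured: use minimal stand-ins
    class ValidationError(Exception):
        pass

    class DefaultAccountAdapter:
        def clean_password(self, password, user=None):
            return password


def is_sso_only(user) -> bool:
    """True when the user has no usable password but does have a social account."""
    if user is None:
        return False
    if user.has_usable_password():
        return False
    return user.socialaccount_set.exists()


def exclude_sso_only(users):
    """Helper for a ResetPasswordForm.clean_email() override: drop SSO-only users
    from the looked-up set so no reset e-mail is ever sent for them."""
    return [u for u in users if not is_sso_only(u)]


class SSOOnlyAccountAdapter(DefaultAccountAdapter):
    """Assumed adapter subclass; point ACCOUNT_ADAPTER at it in settings."""

    def clean_password(self, password, user=None):
        if is_sso_only(user):
            raise ValidationError(
                "This account signs in through your organization's SSO provider; "
                "a local password cannot be set."
            )
        return super().clean_password(password, user=user)


def attempt_password_change(adapter, user, password):
    """Return (accepted, message) so the policy can be exercised without a request."""
    try:
        adapter.clean_password(password, user=user)
    except ValidationError as exc:
        return False, str(exc)
    return True, "ok"


# --- constructed stand-in users for offline demonstration (not Django models) ---
class _FakeSocialAccountSet:
    def __init__(self, count):
        self._count = count

    def exists(self):
        return self._count > 0


class FakeUser:
    def __init__(self, usable_password, social_accounts):
        self._usable = usable_password
        self.socialaccount_set = _FakeSocialAccountSet(social_accounts)

    def has_usable_password(self):
        return self._usable


if __name__ == "__main__":
    adapter = SSOOnlyAccountAdapter()
    sso_user = FakeUser(usable_password=False, social_accounts=1)
    local_user = FakeUser(usable_password=True, social_accounts=0)
    print(attempt_password_change(adapter, sso_user, "N3w-passw0rd!"))
    print(attempt_password_change(adapter, local_user, "N3w-passw0rd!"))
```

Because the headless `RequestPasswordResetInput` inherits from `ResetPasswordForm`, the same `clean_email` filtering and the same adapter hook apply to the headless endpoints as well; the check is done on the server side, independent of which client submitted the request.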
> you can easily override e.g. the `ResetPasswordForm.clean_email()` method to look up the user from the email and handle things from there.
Will this work w/ headless endpoint as well? (I can of course play around and answer myself but wanted to include in this discussion for any future readers that may come along.) It looks like the answer is "yes" as the headless `RequestPasswordResetInput` inherits from `ResetPasswordForm`.
In some cases, users in our application will have joined an existing organization via e.g. SAML configuration (a `SocialApp`), and thus `user.has_usable_password` is `False` and `user.socialaccount_set` contains 1 `SocialAccount` that was produced/persisted by way of signing up w/ the previously mentioned SAML `SocialApp` instance. We are interested in enabling some configuration for our customers so they can say, "My organization's users should only be able to sign up and log in via this SAML application." Is there any existing configuration to enforce that, including but not limited to:

- Currently it is possible for a user for whom `user.has_usable_password` is `False` to reset their password, and set a usable password, thereby allowing "local" login to their "social only" user account. (This is how our legacy app works, but in our new app we are making things more enterprise-focused and adding controls that give our customers more security features like enforcing SAML SSO authentication, etc.)