Allow disabling manual signups without affecting SSO

[j-koehler]

Describe the feature or potential improvement

User management currently feels a bit off to me. What I would dream of:

• allow manual logins for users already created (e.g. default user/admin user to get things started)
• allow new users being created through SSO
• disable manual signups for new users

In the current implementation there is no real way to do this.

AUTH_DISABLE_SIGNUP is very strict, by even locking out any new user (e.g. new users through SSO). Leaving it untouched (-> false) colides with AUTH_DOMAINS_WITH_SSO_ENFORCEMENT, which is a blacklist of domains, so any other domain can still manually signup+login (permissions depending on the configured default org/project/role, which is was mainly configured for users through SSO to reduce manual assignments/permission checks).

Disabling username+password altogether through AUTH_DISABLE_USERNAME_PASSWORD is causing issues when using "meta accounts" (e.g. created through LANGFUSE_INIT_USER_*), since they can't be used any longer. (But it's a workaround to enable this setting after initial setup and granting broader permissions to "real users".)

So right now there is no "feels good" way to solve my initial plan. Maybe there is an easy way to solve this, maybe it's intentional as it is.

Additional information

No response

[Steffen911]

@j-koehler Thank you a lot for the feedback here. We acknowledge that the auth config settings for self-hosted users have grown organically over time and may lead to confusing behaviours when used together.
We'd be happy to accept contributions around additional flags that may help reach the desirable state that you've described!