Problem: Is there some way to disable the email login when using OIDC? #3266
-
IssueI've read through the documentation and I have semaphore set up with docker and my OIDC provider (Authentik), and everything works fine. However, I'd like to disable the email login where it seems that just anyone can put in an email to even just get an anonymous login. Preferably, I'd also like an option for the application to redirect to Authentik immediately instead of going to semaphore's login screen. Below is a screenshot of the email login I'm talking about: 
ImpactWeb-Frontend (what users interact with) ConfigurationOIDC Config: "oidc_providers": {
"authentik": {
"display_name": "Sign in with Authentik",
"provider_url": "https://auth.my.domain/application/o/ansible-semaphore/",
"client_id": "client_id",
"client_secret": "client_secret",
"redirect_url": "https://semaphore.my.domain/api/auth/oidc/authentik/redirect/",
"scopes": ["openid", "profile", "email"],
"username_claim": "preferred_username",
"name_claim": "preferred_username"
}
}Additional informationNo response |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hi @Belugaking yes, it is possible, there is env var |
Beta Was this translation helpful? Give feedback.
-
|
I'm going to double check this when I get a chance, but is it really intended behavior for someone to be able to just log into my account if they know my email? That seems like a huge security risk for those that may want to use OIDC with internal login even just temporarily. |
Beta Was this translation helpful? Give feedback.
-
|
That fixed the original problem, however I do still get the actual username/password login. 
|
Beta Was this translation helpful? Give feedback.
Hi @Belugaking yes, it is possible, there is env var
SEMAPHORE_PASSWORD_LOGIN_DISABLEDand config optionpassword_login_disablefor this.