Description
Hi,
I've set up a fresh instance which uses OpenID Connect via Entra ID / Azure Active Directory.
I noticed that a user who logged in via OpenID Connect is still able to set a password under /user/settings/account:
So I tried pushing to the repo using that manually set password, which works, and I thought it would be a good idea to check if we can disable this.
The only thing I found is this: https://docs.gitea.com/administration/config-cheat-sheet#service-service
[service]
ENABLE_BASIC_AUTHENTICATION = false
It somehow works - I can't git push anymore using that password, but it doesn't block login from the browser, so the user can log in using that manually set password, which renders all security policies provided by our IdP useless :)
How can I disable password login completely or, better, prevent OpenID users from changing or manually setting a password?
Many thanks and best regards, Flo.
Gitea Version
1.22.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
Ubuntu 22.04
How are you running Gitea?
binary
Database
MySQL/MariaDB
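As an added example (not code from the issue author or from the Gitea project), the following Python script audits an app.ini fragment for the `[service] ENABLE_BASIC_AUTHENTICATION` setting discussed above and reports what the setting does and does not cover according to the behaviour described in the report: with it set to false, a git push over HTTP with the locally set password is rejected, while browser form login with that same password still works. The ini text is constructed for the example; the audit function and its finding strings are assumptions for illustration, not a Gitea API.

```python
import configparser

# Constructed sample of a Gitea app.ini fragment (not taken from any real instance).
SAMPLE_APP_INI = """\
[server]
ROOT_URL = https://git.example.test/

[service]
ENABLE_BASIC_AUTHENTICATION = false
"""

# Value spellings treated as "false"; Gitea's ini parser accepts the usual boolean forms.
FALSE_VALUES = ("false", "0", "off", "no")


def load_app_ini(text: str) -> configparser.ConfigParser:
    """Parse Gitea-style ini text.

    Gitea keys are case-sensitive and some keys carry no value, so key case is
    preserved and value-less keys are allowed; interpolation is disabled because
    Gitea values may legitimately contain '%'.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key case exactly as written in app.ini
    cp.read_string(text)
    return cp


def basic_auth_enabled(cp: configparser.ConfigParser) -> bool:
    """Return whether [service] ENABLE_BASIC_AUTHENTICATION is in effect.

    The setting defaults to true in Gitea, so a missing section or key means
    basic authentication is enabled.
    """
    if not cp.has_section("service"):
        return True
    raw = cp.get("service", "ENABLE_BASIC_AUTHENTICATION", fallback="true")
    if raw is None:  # key present without a value: treat as the default
        return True
    return raw.strip().lower() not in FALSE_VALUES


def audit(text: str) -> dict:
    """Audit the password-related exposure described in the report (hypothetical helper)."""
    cp = load_app_ini(text)
    enabled = basic_auth_enabled(cp)
    findings = []
    if enabled:
        findings.append(
            "ENABLE_BASIC_AUTHENTICATION is true: git over HTTP accepts a locally set password"
        )
    else:
        findings.append(
            "ENABLE_BASIC_AUTHENTICATION is false: git push with a password is rejected"
        )
    # Per the report, this setting does not stop browser form login with a locally
    # set password; flag that separately so the gap is not mistaken for closed.
    findings.append(
        "web form login with a locally set password is not governed by this setting"
    )
    return {"basic_auth_enabled": enabled, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_APP_INI)
    print("basic auth enabled:", result["basic_auth_enabled"])
    for line in result["findings"]:
        print(" -", line)
```

Run it against a copy of the instance's app.ini (for example `audit(open("app.ini").read())`) to confirm the setting is actually in effect; the second finding is always emitted because the report shows that disabling basic authentication alone leaves the browser login path open.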