Content
View differences
Updated by Jan Sandbrink 7 months ago
**As** a user
**I want to** rework the "change password page",
**so that** I can see and manage whether login through password is possible for which external accounts are connected to my account. OpenProject account
**Context**
Initially * A user's account can be connected to other IDPs, (eg. Google, Entra...)
* In the intention was that logging in through an SSO provider would clear one's password and past, only allow for login via SSO. However, there was/is a bug, that when an existing account (with password login) authenticates via SSO and the SSO last-used provider is subsequently added to the account via the "remap existing account" feature, the password login would still be possible.
This bug turned out to be a desired feature for some customers, which leaves us saved in a position where it's hard to fix the bug, but we don't really support this setup either.
**Acceptance criteria**
(Suggestion DB (?)
* In some cases, when the ID comes from Jan to be turned into Design an external IDP, some fields are not editable (first and then back into Acceptance criteria)
last name), but some are (eg. email)
* Rename (account preferences) menu item "Change password" There is a note when this is the case.
* \[Pavel can write a list of places affected by this, with screenshots to "Password & Login"
illustrate current behaviour\]
* View of that menu So when using an IDP, there is split nevertheless a corresponding account in two sections: OpenProject (existing or a new one is created)
* A user _could_ theoretically log into their OP account using _two_ different IDPs.
* 1: Password
All of the different IDPs are now stored in the DB.
* If the same email address is used, a password is set
new IDP can take over login for that account.
* Shows last time password was changed ("x days ago")
Having multiple providers is nevertheless less common.
* allows Why a user might want to open change password modal via button
remove a connection:
* allows remove an existing one when they've transitioned to remove password via button
a new one
* risk: might also lock themselves out if there was only if SSO account exists
one
* If no password if hijacking is set
allowed, then even if you remove one, it'll be reestablished when I reconnect
* shows that if hijacking is not allowed, no password SSO account is set
* allows available to create a password via button
the user (however, the account will still exist)
**Acceptance criteria**
* only if allowed by admin (to be determined where/how)
TBD
**Technical notes**
* 2: SSO accounts
Need a matrix/table of cases, considering:
* Lists all connected SSO accounts
different admin settings (hijack on and off)
* allows to unlink an SSO account
* only if password or other SSO account exists
* only if allowed by admin (to be determined where/how)
different user cases (only 1 SSO, with 2 diff SSOs...)
**Permissions and visibility considerations**
* to be determined: What should admins be able to allow/disallow here?
* this potentially requires change of existing instance-level settings
<br>
**Translation considerations**
* <br>
**Out of scope**
* admin-level mass-changes, e.g. "remove password from everyone" Removal of existing connections.
* This might be better handled at an admin-level. When a provider is removed, all the connections are also removed.
* \[open\] Should the user be notificed somehow? Existing services are marked as 'deactivated' or 'inactive' when an existing configured external account is no longer possible.
**I want to** rework the "change password page",
**so that** I can see and manage whether login through password is possible for
**Context**
Initially
* In
This bug turned out to be a desired feature for some customers, which leaves us
**Acceptance criteria**
(Suggestion
* In some cases, when the ID comes
* \[Pavel can write a list of places affected by this, with screenshots
* A user _could_ theoretically log into their OP account using _two_ different IDPs.
* 1: Password
* allows
**Acceptance criteria**
**Technical notes**
* only if password or other SSO account exists
* only if allowed by admin (to be determined where/how)
* to be determined: What should admins be able to allow/disallow here?
* this potentially requires change of existing instance-level settings
* <br>
**Out of scope**
* admin-level mass-changes, e.g. "remove password from everyone"
* This might be better handled at an admin-level. When a provider is removed, all the connections are also removed.
* \[open\] Should the user be notificed somehow? Existing services are marked as 'deactivated' or 'inactive' when an existing configured external account is no longer possible.