Author Topic: Disable password authentication when OAuth2 is enabled  (Read 720 times)

Offline aleshaczech

  • Newbie
  • *
  • Posts: 1
Disable password authentication when OAuth2 is enabled
« on: February 16, 2022, 09:23:45 AM »
Hi all,

I am writing regarding a feature that I believe might be missing.

What I'd like to achieve is to disable password authentication when the OAuth2 is enabled.

I know there's a possibility to do the redirect for OAuth2 configuration, to skip the login page. That, however, does not fit my needs for 2 reasons:

1. The first point is rather a nice-to-have: I don't necessarily want the redirect to happen automatically, because the next (login) page then has to explain and that might be confusing for some users. I would prefer if there's one button on the page "login with..." (and nothing else) and the user has to press the button.

2. More importantly, enabling the redirect I'm afraid does not prevent the password authentication. So a hacker / bot is still allowed to POST the login credentials and they will work (won't they?). One of the advantages of OAuth2 is decoupling the authentication from RC by using a provider with bullet-proof security, but that all is useless when login/password is still enabled. Since I'm authenticating towards a mail server that actually allows both login/password and (X)OAuth2, it's important to make sure that login/password brute force attack can't come through Roundcube. Disabling login/password and making sure OAuth2 is the only way of authentication would increase the security of the system as it would decrease the attack surface.

Now, if I am wrong and it's already possible to achieve that in RC, please accept my apologies and kindly point me to the right direction. If such a request already is filed, again, sorry, I didn't notice.

If it's okay, I can also prepare a pull request.

Thank you!