UI: Allow org admin to hide change email and change password

[gagantrivedi]

Organizations using LDAP don't need the "Change Email" and "Change Password" UI elements.

[matthewelwell]

We need to determine if the fact that LDAP auth is used is surfaced anywhere for the FE.

Edit: yes - the UI can use the auth_type attribute returned on the /users/me endpoint.

[matthewelwell]

Also, this would likely be helpful in scenarios where a user authentication is OAuth.

[matthewelwell]

This might need some further thought. I'm not entirely certain that preventing OAuth users from changing their email address is correct.

Let's take a scenario here:

1. A user ([email protected]) authenticates with OAuth - a user account is created, and the ID from the OAuth provider is stored against the user
2. The user changes their email address (to [email protected])

In this case:

1. The next time they try to authenticate with the original OAuth method, a new account will be created
2. If they re-authenticate with the same OAuth method, but with the new email address, the ID from the OAuth provider will be updated

So maybe, what we should do is to re-add the ability to change your email as an OAuth user, but we should clear the ID from the OAuth provider when an email changes?

[khvn26]

we should clear the ID from the OAuth provider when an email changes

As long as we're not doing it silently, I'm in favour of this option.

[matthewelwell]

The change here did not fully resolve this issue since changing one's email requires the user's password. OAuth users will likely not have a password set so we need to find another workflow for this.

[Dcode2100]

Proposed Solution

1. Update Email Change Workflow for OAuth Users (Google/GitHub)

• Replace password requirement with OTP verification sent to current email

• After OTP verification, display modal explaining:

  • OAuth provider ID will be cleared (if switching methods)
  • Re-authentication required when switching providers or moving to email/password

• Modal Options

  • Maintain current OAuth provider
  • Switch to different OAuth provider
  • Transition to email/password authentication

Question for team: Is clearing the OAuth provider ID acceptable when switching methods?

2. Handle Updates and Redirect

• Stay with Same OAuth Provider
  • Clear previous OAuth_user_id, Update user details from new OAuth response
• Switch OAuth Providers
  • Clear previous OAuth_user_id, Prompt re-authentication with new provider, Update account details
• Transition to Email/Password
  • Clear OAuth_user_id, Prompt user to set password, Switch to email/password authentication