On 12.08.22 14:04, Sam Kuper wrote:
On Thu, Aug 04, 2022 at 10:26:25PM +0000, Felix Singer wrote:
However, I have an idea for a solution. I took a look at the Redmine database and I played around with the Google login method. My tests showed that it creates a normal user account, as it is done with the registration, just with the little difference that no password is set, disabling the login over password. These accounts also have a user name and an email address. As soon as I set a password, I was able to log in using the user name.
So, my idea is that we just go with these changes and affected users use the functionality to reset their password, which means they will have a "normal" user account then. In preparation for that version update, we should disable these login methods so that no new users will make use of them.
Other ideas? What's your opinion?
Felix, I guess you know my opinion already: Whoever maintains the service should decide. If there's already a password database, responsibilities (e.g. to inform everybody in case of a breach) won't change. So it sounds like making password-based logins the only option would reduce chore on your end. And nobody objected, so please go ahead :)
I'm a bit unclear what you are proposing.
I'm also unclear whether, under your proposal, users without Google accounts would be able to register or log in to the Redmine instance.
Please can you clarify?
Currently one can log in either with OpenID, a Google account or with a password that is stored on our Redmine host. With the intended changes, everybody will have to use a password.