youngkingdom/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-05-05 17:57:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add disable_password_login configuration to support SSO-only authentication (#13151)

Browse Source 
### What problem does this PR solve?

Enterprise deployments that use an external Identity Provider (e.g.,
Microsoft Entra ID, Okta, Keycloak) need the ability to enforce SSO-only
authentication by hiding the email/password login form. Currently, the
login page always shows the password form alongside OAuth buttons, with
no way to disable it.

This PR adds a `disable_password_login` configuration option under the
existing `authentication` section in `service_conf.yaml`. When set to
`true`, the login page only displays configured OAuth/SSO buttons and
hides the email/password form, "Remember me" checkbox, and "Sign up"
link.

The flag can be set via:
- `service_conf.yaml` (`authentication.disable_password_login: true`)
- Environment variable (`DISABLE_PASSWORD_LOGIN=true`)

Default behavior is unchanged (`false`).

### Behavior

| `disable_password_login` | OAuth configured | Result |
|---|---|---|
| `false` (default) | No | Standard email/password form |
| `false` | Yes | Email/password form + SSO buttons below |
| `true` | Yes | **SSO buttons only** (no form, no sign up link) |
| `true` | No | Empty card (admin should configure OAuth first) |

### Type of change

- [x] New Feature (non-breaking change which adds functionality)

### Files changed (5)

1. `docker/service_conf.yaml.template` — added `disable_password_login:
false` under authentication
2. `common/settings.py` — added `DISABLE_PASSWORD_LOGIN` global variable
and loader in `init_settings()`
3. `common/config_utils.py` — fixed `TypeError` in `show_configs()` when
authentication section contains non-dict values (e.g., booleans)
4. `api/apps/system_app.py` — exposed `disablePasswordLogin` flag in
`/config` endpoint
5. `web/src/pages/login/index.tsx` — conditionally render password form
based on config flag; OAuth buttons always render when channels exist

---------

Co-authored-by: Ahmad Intisar <ahmadintisar@Ahmads-MacBook-M4-Pro.local>
This commit is contained in:
Ahmad Intisar
2026-03-02 11:06:03 +05:00
committed by GitHub
parent daec36e935
commit 184388879d
7 changed files with 63 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
test/testcases/test_web_api/test_system_app/test_system_routes_unit.py
View File

@ -76,6 +76,7 @@ def _load_system_module(monkeypatch):
settings_mod.STORAGE_IMPL_TYPE = "MINIO"
settings_mod.DATABASE_TYPE = "MYSQL"
settings_mod.REGISTER_ENABLED = True
settings_mod.DISABLE_PASSWORD_LOGIN = False
common_pkg.settings = settings_mod
monkeypatch.setitem(sys.modules, "common.settings", settings_mod)