Documentation for only_for_reauth is wrong #14686

Open
@matrixbot

This issue has been migrated from #14686.


Description

The documentation for password_config.enabled says:

Set to only_for_reauth to allow users with existing passwords to use them to log in and reauthenticate, whilst preventing new users from setting passwords.

In reality it seems that this setting only allows reauthentication, not log in.

The documentation should be fixed, but in addition the feature that is advertised in the documentation should also be made available, for example with a separate mode password_config.enabled = "hidden", that allows users with existing passwords to use them to log in. The use case is system accounts (e.g. admin, bots) which don't exist in SSO (for example in Nextcloud, when enabling SSO and disabling passwords, you can add ?direct=1 to the URL to use username+password anyway).

Steps to reproduce

  • Set password_config.enabled = "only_for_reauth"
  • Notice that Synapse doesn't advertise m.login.password as an authentication flow
  • Try to log in with a username and password (you can't do this from unpatched Element), you will get M_UNKNOWN: MatrixError: [400] Password login has been disabled

Homeserver

my own

Synapse Version

1.73.0

Installation Method

Docker (matrixdotorg/synapse)

Database

PostgreSQL

Workers

Single process

Platform

Kubernetes

Configuration

password_config.enabled = "only_for_reauth"

Relevant log output

{"errcode":"M_UNKNOWN","error":"Password login has been disabled."}


Anything else that would be useful to know?

No response
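The check in the steps to reproduce can be scripted so an administrator can confirm what a homeserver actually does for a given `password_config.enabled` value. The following is an added example, not part of the original issue and not Synapse code: the function names are hypothetical, the flow list is a constructed sample of a `GET /_matrix/client/v3/login` response body, and the error body is the one from the log output above.

```python
import json

PASSWORD = "m.login.password"

def _obj(raw):
    """Parse a JSON object, returning {} for anything else."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return value if isinstance(value, dict) else {}

def advertised_login_types(login_get_body):
    """Login types listed in the body of GET /_matrix/client/v3/login."""
    flows = _obj(login_get_body).get("flows")
    if not isinstance(flows, list):
        return set()
    return {f["type"] for f in flows if isinstance(f, dict) and "type" in f}

def password_login_disabled(status, login_post_body):
    """True if a password login attempt got the rejection quoted in the issue."""
    body = _obj(login_post_body)
    return (status == 400 and body.get("errcode") == "M_UNKNOWN"
            and "Password login has been disabled" in str(body.get("error", "")))

def assess(enabled, login_get_body, post_status, login_post_body):
    """Compare the configured password_config.enabled with observed behaviour."""
    advertised = PASSWORD in advertised_login_types(login_get_body)
    rejected = password_login_disabled(post_status, login_post_body)
    findings = []
    if enabled == "only_for_reauth":
        if not advertised:
            findings.append("m.login.password is not advertised as a login flow")
        if rejected:
            findings.append("password login is rejected; passwords work for reauth only")
    elif enabled is False and (advertised or not rejected):
        findings.append("password login reachable although passwords are disabled")
    elif enabled is True and (rejected or not advertised):
        findings.append("password login unavailable although passwords are enabled")
    return {"advertised": advertised, "rejected": rejected, "findings": findings}

# Constructed sample: flows from a server offering SSO only (assumption).
SAMPLE_FLOWS = '{"flows": [{"type": "m.login.sso"}, {"type": "m.login.token"}]}'
# Error body as quoted in the issue's log output.
SAMPLE_ERROR = '{"errcode":"M_UNKNOWN","error":"Password login has been disabled."}'

if __name__ == "__main__":
    print(assess("only_for_reauth", SAMPLE_FLOWS, 400, SAMPLE_ERROR))
```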
