Is it possible to create a user without a password?
-
Is it possible to create a user that never has a password (and never gets emailed to create one)? I want to create users/registrations for users that will only authenticate using another IdP, such as SAML.
The documentation for POST /api/user says this about user.password: "This field is optional only if sendSetPasswordEmail is set to true. By default sendSetPasswordEmail is false, and then this field will be required."
I verified that this is enforced:
{
  "fieldErrors": {
    "user.password": [
      {
        "code": "[blank]user.password",
        "message": "You must specify the [user.password] property."
      }
    ]
  }
}
-
@trevorr ,
Nope, a password is always required. However, you can set it to a long random string that your system immediately throws away.
https://fusionauth.io/community/forum/topic/178/how-do-i-handle-users-without-passwords-during-import discusses this in a different, but related context.
-
Thanks for the quick response, Dan!
That's somewhat confusing though, right? It seems like everyone is trying to get rid of passwords these days, and FA has such great support for external IdPs now. Also, it would be useful to know whether a user has a password set, and therefore whether that login method is available. (To be clear, no password would mean no ability to log in directly, not that the password is blank.) That could simplify security audits. Would changing this be a reasonable feature request?
Note that the random password example in that other thread might fail sporadically because there's no guarantee that a base-64 string will contain a "special character". That edge case is another motivation for not wanting the password to be required.
-
@trevorr said in Is it possible to create a user without a password?:
Would changing this be a reasonable feature request?
Sure, seems reasonable to me.
I'm not quite sure of the ramifications because the identity providers are assigned at the application level and users are a tenant-scoped entity, but I suppose you could just say that any user marked with a 'nolocalpassword' attribute would not be able to ever log in locally. They'd always have to be authenticated by a third-party system. I haven't thought through all the ramifications but think this would be a fine feature request. Please file away: https://github.com/fusionauth/fusionauth-issues/issues
Note that the random password example in that other thread might fail sporadically because there's no guarantee that a base-64 string will contain a "special character".
Maybe I misunderstand you here, but that's a matter of the password rules and the random string generation, correct? You could set up random long strings and make sure they include non-alphanumeric characters. There should be a library for that (here's one for Java). Or you could relax your password rules to allow for only alphanumeric characters (this may or may not make sense, depending on what kind of users you have logging into the tenant).
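Putting the two points of this thread together (Dan's suggestion of a long random throwaway password, and the caveat that a plain base-64 string is not guaranteed to contain a special character), here is an added example; it is not code from the thread, from FusionAuth, or from the Java library mentioned. It generates a password with the `secrets` module that is guaranteed to contain one character from each class, checks it against a constructed rule set, and builds the POST /api/user body with `sendSetPasswordEmail` left false. The character classes, the `min_length` and `require_special` rule names, and the e-mail address are assumptions standing in for whatever the tenant actually enforces; the caller is expected to discard the password once the request is sent.

```python
import secrets
import string

# Character classes a typical password rule set checks. Which classes the
# tenant actually requires is an assumption here; adjust to the real rules.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)


def generate_throwaway_password(length=64):
    """Return a random password containing at least one character from every
    class in ALL_CLASSES, drawn from the secrets module (CSPRNG) throughout."""
    if length < len(ALL_CLASSES):
        raise ValueError("length too short to include every character class")
    # Guarantee one character per class, then fill the rest from the union.
    chars = [secrets.choice(cls) for cls in ALL_CLASSES]
    alphabet = "".join(ALL_CLASSES)
    chars.extend(secrets.choice(alphabet) for _ in range(length - len(chars)))
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def character_classes(password):
    """Report which character classes appear in the password."""
    return {
        "lower": any(c in LOWER for c in password),
        "upper": any(c in UPPER for c in password),
        "digit": any(c in DIGITS for c in password),
        "special": any(c in SPECIAL for c in password),
    }


def meets_rules(password, min_length=16, require_special=True):
    """Check a password against a constructed rule set. The rule names and
    thresholds are assumptions, not FusionAuth's configuration schema."""
    classes = character_classes(password)
    if len(password) < min_length:
        return False
    if require_special and not classes["special"]:
        return False
    return classes["lower"] and classes["upper"] and classes["digit"]


def build_create_user_request(email, password):
    """Body for POST /api/user with the password supplied, so no set-password
    e-mail is sent. The caller must discard `password` after the request."""
    return {
        "user": {"email": email, "password": password},
        "sendSetPasswordEmail": False,
    }


if __name__ == "__main__":
    pw = generate_throwaway_password()
    body = build_create_user_request("sso-only@example.com", pw)  # constructed address
    print("meets rules:", meets_rules(pw))
    print("request keys:", sorted(body["user"].keys()))
    del pw, body  # nothing keeps the throwaway value around
```

Because every class is seeded explicitly before the shuffle, `meets_rules` passes for every generated value rather than most of them, which is the sporadic failure the base-64 approach has; a purely alphanumeric base-64 token such as `QWxhZGRpbjpvcGVuIHNlc2FtZQ` fails the same check. Nothing here is stored client-side: the server hashes the password, and the only record that it ever existed is the fact that the user cannot log in locally without a reset.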