Problem
When an admin disables an OAuth provider via the admin UI, users whose only authentication method is a login linked to that provider could be stranded - unable to sign in once their current session expires.
Proposed solution
Phase 1 - Backend guard:
- Add an API endpoint (or extend the existing PUT) that counts users whose only auth method is the provider being disabled (no password set, no other OAuth link)
- Return the count in the disable response or as a pre-check
Phase 2 - UI confirmation:
- Before disabling, show a confirmation dialog: "X users only authenticate via this provider. They will be unable to sign in. Are you sure?"
- If count is 0, allow without confirmation
Phase 3 (optional) - Proactive mitigation:
- Send an email to affected users prompting them to set a password before the provider is disabled
- Or block the disable entirely until affected users have an alternative auth method
Context
Came up during Phase 2 of DB-backed OAuth provider config (#391). Current PRs (#396, #397) don't address this since it requires new backend logic. Existing sessions are not invalidated when a provider is disabled, so there is a grace period before users are actually locked out.
Problem
When an admin disables an OAuth provider via the admin UI, users whose only authentication method is a login linked to that provider could be stranded - unable to sign in once their current session expires.
Proposed solution
Phase 1 - Backend guard:
Phase 2 - UI confirmation:
Phase 3 (optional) - Proactive mitigation:
Context
Came up during Phase 2 of DB-backed OAuth provider config (#391). Current PRs (#396, #397) don't address this since it requires new backend logic. Existing sessions are not invalidated when a provider is disabled, so there is a grace period before users are actually locked out.