request #42974 Do not keep passwords of users authenticating with an OIDC provider

Infos

Artifact ID#42974

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-05-09 14:04

Submitted on2025-05-09 10:55

Rank44656

Details

Summary *

Do not keep passwords of users authenticating with an OIDC provider

Original Submission

It appears Tuleap does not properly remove passwords of users authenticating via an OIDC provider from the database. This is unexpected since Tuleap do not let users authenticating via an OIDC provider to fallback to a password-based auth (this behavior is expected).

Tuleap cannot ask users to keep managing a password they cannot use. Passwords are considered PII, Tuleap should not store PII that are not absolutely needed for it to work (under GDPR this is called data minimization, see GDPR art 5.1.c).

CategoryAuthentication & LDAP

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusUnder review

Close dateEmpty

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Show items referenced by request #42974

Referenced by request #42974

Other

gerrit #34409

Follow-ups

Thomas Gerbet (tgerbet)

2025-05-09 14:04

See gerrit #34409

Status changed from Under implementation to Under review

Public

Artifact links

Reverse artifact links

Referenced by request #42974

Other

Follow-ups