Disable an authentication method in the Angular front end without disabling it in the REST back end

[bram-atmire]

Is your feature request related to a problem? Please describe.

Let's say you are an institution with strict security policies that only allow SSO login through the web front end.
However, at the same time, you have important back end integrations that rely on password auth (local DSpace accounts)

In this situation it would be desirable to turn off the user interface components for password login, while still keeping the authentication method active on the back end.

Right now, the enabled authentication methods are only configured on REST, and there are no separate configuration options to turn off a specific authentication method in the front end.

Describe the solution you'd like

It should be possible to turn off a specific authentication method in the Angular front end, even when it's enabled in the back end.

[abollini]

Hi @bram-atmire I understand the business need but the proposed approach seems to me more a workaround with security implication than the real solution.
Usually, application that offers REST API for integration provide one or both of the following solutions:

• an OAuth2 compliant REST API so that also machine can get the permission from a user to interact with the application on its behalf
• support for Long Lived Token / Machine Token

Support for Machine Token has been implemented in DSpace-CRIS it would be in my opinion the solution to this specific business need

[bram-atmire]

I agree 100% that in an ideal world, integrators should use the most secure and most modern authentication methods.

But (backwards) compatibility is the reality: the two most important platforms that we need to integrate with: Pure (Elsevier) and Elements (Symplectic) only support password authentication right now for the API, so as long as they don't have a different method available, we need to at least do a best effort to continue to support this.