Reset Password - Do not disclose if user exists

Created on 28 November 2022, almost 2 years ago
Updated 28 January 2023, almost 2 years ago

Problem/Motivation

Do not disclose whether a user exists in the database on the reset-password form.

Steps to reproduce

With the openid_connect module enabled, try to reset the password of a registered user with the 'openid connect set own password' permission configured. The form then shows the message '%name is connected to an external authentication system.', which discloses whether the user exists in the database. It should instead display the generic message: 'If %email is a valid account, an email will be sent with instructions to reset your password.'

Proposed resolution

_openid_connect_user_pass_form_validate can either be removed or changed to show a general message that does not disclose whether the user exists, instead of: '$form_state->setErrorByName('name', t('%name is connected to an external authentication system.', ['%name' => $name]));'
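The following is an added illustration of the proposed resolution, not code from the openid_connect module. It shows the leaky validate handler described above beside a hardened variant that keeps core's generic response. It assumes a Drupal 9+ site, whose core UserPasswordForm stores the resolved user in the form-state value 'account' during validation and, on submit, prints the same "If %identifier is a valid account, ..." status message whether or not an account was found. The module name 'mymodule', the handler names, and the helper _mymodule_is_externally_authenticated() (including the externalauth.authmap service call it wraps) are assumptions for the example.

```php
<?php

/**
 * @file
 * Illustrative hardening of a user_pass_form validate handler.
 *
 * Added example; not the openid_connect module's own code. Assumes Drupal 9+
 * core UserPasswordForm, which stores the loaded user in the form-state value
 * 'account' and, on submit, shows the generic "If %identifier is a valid
 * account, an email will be sent ..." message whether or not a user was found.
 */

use Drupal\Core\Form\FormStateInterface;
use Drupal\user\UserInterface;

/**
 * Implements hook_form_FORM_ID_alter() for user_pass_form.
 *
 * Core's validateForm() runs first, so the handlers appended here already see
 * the resolved account in $form_state->getValue('account').
 */
function mymodule_form_user_pass_alter(array &$form, FormStateInterface $form_state) {
  // Before: the handler that leaks account existence (kept for comparison).
  // $form['#validate'][] = '_mymodule_user_pass_form_validate_leaky';
  // After: the handler that preserves core's generic response.
  $form['#validate'][] = '_mymodule_user_pass_form_validate_safe';
}

/**
 * BEFORE: the behaviour the issue describes (an enumeration oracle).
 *
 * Setting a form error that names the account makes the response differ
 * between "unknown user" and "known user connected to an external IdP".
 */
function _mymodule_user_pass_form_validate_leaky(array &$form, FormStateInterface $form_state) {
  $account = $form_state->getValue('account');
  if ($account instanceof UserInterface
      && _mymodule_is_externally_authenticated($account)
      && !$account->hasPermission('openid connect set own password')) {
    $form_state->setErrorByName('name', t('%name is connected to an external authentication system.', [
      '%name' => $form_state->getValue('name'),
    ]));
  }
}

/**
 * AFTER: refuse the reset without telling the visitor anything.
 *
 * Clearing 'account' makes core's submitForm() take its "unknown or inactive
 * account" branch: no mail is sent, the attempt is logged server-side, and
 * the visitor sees the same generic status message as for any other name.
 * No setErrorByName() call, so the response is identical for existing and
 * non-existing users.
 */
function _mymodule_user_pass_form_validate_safe(array &$form, FormStateInterface $form_state) {
  $account = $form_state->getValue('account');
  if ($account instanceof UserInterface
      && _mymodule_is_externally_authenticated($account)
      && !$account->hasPermission('openid connect set own password')) {
    \Drupal::logger('mymodule')->notice('Password reset refused for externally authenticated user %name.', [
      '%name' => $account->getAccountName(),
    ]);
    $form_state->setValueForElement(['#parents' => ['account']], NULL);
  }
}

/**
 * Hypothetical helper: is $account linked to an external authentication provider?
 *
 * The lookup via the externalauth.authmap service is an assumption for this
 * example; replace it with the module's own authmap check.
 */
function _mymodule_is_externally_authenticated(UserInterface $account): bool {
  /** @var \Drupal\externalauth\AuthmapInterface $authmap */
  $authmap = \Drupal::service('externalauth.authmap');
  return !empty($authmap->getAll($account->id()));
}
```

The point of the hardened handler is that the only observable difference between a refused reset and an unknown name is on the server side (the log entry and the absence of a mail). A residual timing difference between sending and not sending mail is the same one core already has for unknown accounts, so the module adds no new signal beyond it.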

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Version

3.0

Component

Code

Created by

🇩🇪Germany vesnag


Comments & Activities


  • 🇩🇪Germany vesnag

    The proposed solution is to implement a custom validation process that throws a custom exception. This exception will then be caught and handled by an EventSubscriber.

    An alternative approach could be to implement custom validation and a custom submit handler, similar to the username enumeration prevention module.

    I am working on the exception-throwing approach.
