When using an external provider, it's currently possible to store the password of the user in the database, using the property "sonar.security.savePassword".
It should no longer be possible to do that, as it can be considered a security hole.
As a consequence:
- Property "sonar.security.savePassword" should be removed
- When authentication against the external provider fails, no fallback will be made to authenticate the user from the database
A DB migration should be executed to remove the crypted password and salt of every non-local user.
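The two consequences above, sketched as an added example (not SonarQube code): a migration that clears stored credentials for non-local users, and an authentication path that denies access when the external provider fails instead of falling back to the database. The `users` schema, the `is_local` column, the PBKDF2 hashing and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical schema for illustration; not SonarQube's actual tables.
SCHEMA = """CREATE TABLE users (
    login TEXT PRIMARY KEY, is_local INTEGER NOT NULL,
    crypted_password TEXT, salt TEXT)"""

def hash_password(password, salt):
    # PBKDF2 chosen for this sketch; the page does not name the hash scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def migrate(db):
    """Clear stored credentials of every non-local user; return rows changed."""
    cur = db.execute(
        "UPDATE users SET crypted_password = NULL, salt = NULL "
        "WHERE is_local = 0 AND (crypted_password IS NOT NULL OR salt IS NOT NULL)")
    db.commit()
    return cur.rowcount

def authenticate(db, login, password, external_check):
    """Non-local users are checked only by the external provider, never the DB."""
    row = db.execute(
        "SELECT is_local, crypted_password, salt FROM users WHERE login = ?",
        (login,)).fetchone()
    if row is None:
        return False
    is_local, stored, salt = row
    if not is_local:
        try:
            return bool(external_check(login, password))
        except Exception:
            return False  # provider failure: deny, no database fallback
    if stored is None or salt is None:
        return False
    return hmac.compare_digest(stored, hash_password(password, salt))

def build_sample_db():
    """Constructed sample data: one local user, one externally managed user."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for login, is_local, pw, salt in [("admin", 1, "local-pw", "s1"),
                                      ("alice", 0, "old-ldap-pw", "s2")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (login, is_local, hash_password(pw, salt), salt))
    db.commit()
    return db
```

Running `migrate` a second time changes no rows, so the migration is safe to re-apply.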