In normal practise, should we allow our user go to change password page for those who sign up by External service like mentioned above? Is there any indicator to determine this type of user?
Please advise
Probably easiest to not let them unless this feature is somehow part of your core value proposition. Otherwise, they should be changing their facebook password. I’d just hide/show the form and do a few checks on the client and inside the method for if they have a service on their profile.