Someone changed the local auth implementation to handle the "RetrievePassword" operation (by e-mailing a note to the user which links to a reset password page). This is cool. What's not cool is to change the behavior without running tests on the package and correcting the one that looked for the local auth implementation to return "not_supported" ...