[keycloak-dev] disabling credential types

Bill Burke bburke at redhat.com
Fri Oct 28 17:00:29 EDT 2016


Admin console user credential tab has been changed.  It will now list 
"disabable credential types".  This will be a list of credential types 
that can be disabled by the admin (i.e. OTP, PASSWORD, CERT, etc.).  
All this hooks into the Credential SPI that I went over a few weeks 
ago.  So, if new credential types are created, they should show up in 
the console too.

Note that disabling happens per credential type, and not per device 
(i.e. OTP).  I honestly could not figure out how to have an SPI and 
generic admin console UI that would take into account ideas like 
multiple OTPs, certs, etc. So, disabling is done per type, not per OTP 
generator.  These are the SPI items that are the backbone of this 
feature.  They are methods on UserCredentialManager:

/**
 * Calls disableCredential on UserStorageProvider and UserFederationProviders first, then loop through
 * each CredentialProvider.
 *
 * @param realm
 * @param user
 * @param credentialType
 */
void disableCredentialType(RealmModel realm, UserModel user, String credentialType);

/**
 * Returns a set of credential types that can be disabled by disableCredentialType() method
 *
 * @param realm
 * @param user
 * @return
 */
Set<String> getDisableableCredentialTypes(RealmModel realm, UserModel user);

CredentialProviders and UserStorageProviders will be required to 
implement these methods if they support credential updates.
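
A sketch of the delegation order and per-type semantics described in the message above, as an added example that is not part of the original post and is not Keycloak code. CredentialDisabler, InMemoryProvider, DisableCredentialTypeDemo and the user and credential ids are hypothetical stand-ins; it assumes "disabled" can be modelled as removal from an enabled list and that the console list is the union of what each provider reports.

```java
import java.util.*;
// Simplified stand-ins (assumptions), not Keycloak's real SPI interfaces.
interface CredentialDisabler {
    Set<String> getDisableableCredentialTypes(String user);
    void disableCredentialType(String user, String credentialType);
}
// Hypothetical provider holding several credentials of one type per user.
class InMemoryProvider implements CredentialDisabler {
    private final String type;
    private final Map<String, List<String>> enabled = new HashMap<>();
    InMemoryProvider(String type) { this.type = type; }
    void add(String user, String id) { enabled.computeIfAbsent(user, u -> new ArrayList<>()).add(id); }
    List<String> enabledFor(String user) { return enabled.getOrDefault(user, Collections.emptyList()); }
    public Set<String> getDisableableCredentialTypes(String user) {
        Set<String> types = new TreeSet<>();
        if (!enabledFor(user).isEmpty()) types.add(type);
        return types;
    }
    public void disableCredentialType(String user, String credentialType) {
        // Per type, not per device: every credential of that type is disabled together.
        if (type.equals(credentialType)) enabled.remove(user);
    }
}
public class DisableCredentialTypeDemo {
    // Order from the Javadoc: user storage first, then each credential provider.
    static void disableCredentialType(CredentialDisabler storage,
            List<? extends CredentialDisabler> providers, String user, String type) {
        storage.disableCredentialType(user, type);
        for (CredentialDisabler p : providers) p.disableCredentialType(user, type);
    }
    // Assumption: the console list is the union of what storage and providers report.
    static Set<String> getDisableableCredentialTypes(CredentialDisabler storage,
            List<? extends CredentialDisabler> providers, String user) {
        Set<String> types = new TreeSet<>(storage.getDisableableCredentialTypes(user));
        for (CredentialDisabler p : providers) types.addAll(p.getDisableableCredentialTypes(user));
        return types;
    }
    public static void main(String[] args) {
        InMemoryProvider storage = new InMemoryProvider("password");
        InMemoryProvider otp = new InMemoryProvider("otp");
        storage.add("alice", "pw-1"); // constructed sample data
        for (String id : new String[] {"phone-totp", "hardware-token"}) otp.add("alice", id);
        List<InMemoryProvider> providers = Arrays.asList(otp);
        System.out.println(getDisableableCredentialTypes(storage, providers, "alice"));
        disableCredentialType(storage, providers, "alice", "otp");
        System.out.println(otp.enabledFor("alice") + " " + getDisableableCredentialTypes(storage, providers, "alice"));
    }
}
```

Disabling "otp" here removes both of the user's OTP devices at once, which is the practical consequence of per-type disabling that an admin should expect before using the console action.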

