[ https://issues.jboss.org/browse/ELY-281?page=com.atlassian.jira.plugin.sy... ] Farah Juma commented on ELY-281: -------------------------------- *OTP credential updates* For the OTP SASL mechanism, the stored credential needs to be updated once a guess has been verified. In the standard case, this involves updating the stored hash based on the guess and decrementing the sequence number by 1. Note that the OTP SASL mechanism also supports OTP sequence resets, where a user provides both a guess and a new OTP password with new parameters. If verification of the guess succeeds, then the stored credential is updated based on the new password and new parameters. However, if verification of the guess succeeds but the new password/parameters are invalid, then the stored hash is updated based on the guess and the sequence number is decremented by 1, as in the non-reset case (note that SASL auth fails in this case though). *How OTP credential updates are currently handled* PR [#277|https://github.com/wildfly-security/wildfly-elytron/pull/277] adds handling for {{CredentialUpdateCallback}} in {{ServerAuthenticationContext}}, as shown below. This is used for both the OTP sequence reset case as well as the non-reset case. https://github.com/kabir/wildfly-elytron/blob/otp-test/src/main/java/org/... *Using the credential verification API instead* An alternative option is to pass the guess that's being verified to the realm and have the realm update the stored credential if verification succeeds. I've got an initial implementation of this approach here (see the three latest commits): https://github.com/fjuma/wildfly-elytron/commits/ELY-281 However, there are a couple of issues with this approach: 1. The [OTP sequence reset case|https://github.com/fjuma/wildfly-elytron/blob/ELY-281/src/main/java/...] still needs to be handled by {{ServerAuthenticationContext}} via {{CredentialUpdateCallback}}. This might be ok though since other mechanisms may also need to support password resets. 2. This approach relies on {{PasswordFactory#verify}} being called from {{ModifiableRealmIdentity#verifyCredential}}. Once PR [#271|https://github.com/wildfly-security/wildfly-elytron/pull/271] is merged, support for OTP passwords will also be available in the LDAP realm. However, {{LdapRealmIdentity#verifyCredential}} does not call {{PasswordFactory#verify}} so it's not clear yet how OTP credential verification and updates would be handled in cases like this with this approach. -- This message was sent by Atlassian JIRA (v6.3.15#6346)