Farah Juma commented on ELY-535:
--------------------------------
For handling OTP credential updates, my initial thought was that we’d be able to eliminate
the {{CredentialUpdateCallback}} and just make use of a {{RealmAuthenticationEvent}} to
update an OTP credential once authentication has completed. However, there doesn’t seem to
be a good way for {{ServerAuthenticationContext}} to keep track of the actual credential
that was used in an authentication in order to pass it to a {{RealmAuthenticationEvent}}.
Thus, it seems to make more sense to add support for a new event that indicates a
credential change for a realm identity and then handle a {{CredentialUpdateCallback}} by
handling this new event.
Make use of realm events to handle password updates and resets for
the OTP SASL mechanism
-----------------------------------------------------------------------------------------
Key: ELY-535
URL: https://issues.jboss.org/browse/ELY-535
Project: WildFly Elytron
Issue Type: Feature Request
Components: SASL
Reporter: Farah Juma
Assignee: Farah Juma
For the OTP SASL mechanism, the stored credential needs to be updated once a guess has
been verified. In the standard case, this involves updating the stored hash based on the
guess and decrementing the sequence number by 1. The OTP SASL mechanism also supports OTP
sequence resets, where a user provides both a guess and a new OTP password with new
parameters. If verification of the guess succeeds, then the stored credential is updated
based on the new password and new parameters. However, if verification of the guess
succeeds but the new password/parameters are invalid, then the stored hash is updated
based on the guess and the sequence number is decremented by 1, as in the non-reset case
(note that SASL auth fails in this case though).
PR #277 [adds
handling|https://github.com/kabir/wildfly-elytron/blob/otp-test/src/main/...]
for a {{CredentialUpdateCallback}} in {{ServerAuthenticationContext}}. This is used to
handle both the OTP sequence reset case as well as the non-reset case. Instead of
manipulating the realm identity directly in the SAC callback handler, we should be able to
make use of [realm
events|https://github.com/wildfly-security/wildfly-elytron/pull/295] so
that the realm itself can handle OTP updates and resets.
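The three update rules from the description (non-reset, reset with valid parameters, reset with invalid parameters), written out as an added Python sketch that is not Elytron's or the PR's code. It assumes a simplified SHA-256 fold as the one-way step instead of RFC 2289's exact MD5/SHA-1 folding, and assumed bounds for the reset parameter checks; the `StoredOtp`, `otp_at` and `verify_and_update` names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

def otp_step(prev: bytes) -> bytes:
    # One-way step; SHA-256 folded to 8 bytes is an illustrative stand-in
    # for RFC 2289's MD5/SHA-1 folding (assumption, not Elytron's code).
    return hashlib.sha256(prev).digest()[:8]

def otp_at(passphrase: str, seed: str, seq: int) -> bytes:
    # One-time password for sequence number seq: hash^seq(seed + passphrase).
    h = (seed + passphrase).encode()
    for _ in range(seq):
        h = otp_step(h)
    return h

@dataclass(frozen=True)
class StoredOtp:
    seed: str
    seq: int
    hash: bytes  # hash of the most recently accepted one-time password

def params_valid(seed: Optional[str], seq: Optional[int], passphrase: Optional[str]) -> bool:
    # Assumed bounds for a reset: alphanumeric seed of 1..16 chars, positive
    # sequence number, passphrase of at least 10 chars.
    return (seed is not None and 1 <= len(seed) <= 16 and seed.isalnum()
            and seq is not None and seq > 0
            and passphrase is not None and len(passphrase) >= 10)

def verify_and_update(stored: StoredOtp, guess: bytes,
                      new_seed: Optional[str] = None, new_seq: Optional[int] = None,
                      new_pass: Optional[str] = None) -> Tuple[bool, StoredOtp]:
    """Return (auth_ok, updated_credential) for one OTP exchange."""
    if stored.seq < 1:
        return False, stored  # sequence exhausted; a reset is required
    # The guess is OTP(seq-1); hashing it once must give the stored OTP(seq).
    if not hmac.compare_digest(otp_step(guess), stored.hash):
        return False, stored  # wrong guess or replay: credential untouched
    consumed = StoredOtp(stored.seed, stored.seq - 1, guess)
    if new_pass is None:
        return True, consumed  # non-reset case: store guess, decrement seq
    if params_valid(new_seed, new_seq, new_pass):
        # Valid reset: store the new password's OTP at the new sequence number.
        return True, StoredOtp(new_seed, new_seq, otp_at(new_pass, new_seed, new_seq))
    # Reset with invalid new parameters: the verified guess is still consumed
    # (as in the non-reset case), but authentication fails.
    return False, consumed
```

Because the accepted guess replaces the stored hash before the result is returned, a replay of the same one-time password is rejected on the next exchange.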