[keycloak-dev] disabling credential types

Bill Burke bburke at redhat.com
Mon Oct 31 08:42:32 EDT 2016 

User has lost their mobile phone (OTP).  User's laptop was stolen 
(CERT).  For OTP it used to be a switch on the User "isOtp, setOtp".  
There was no way to turn off any other credential type. FYI disabling a 
credential type doesn't mean that the user can just login.  If the auth 
flow requires a credential type and it is not configured it will either 
abort or, if the credential type is optional, it will fire a required 
action to set up that type.


On 10/31/16 1:46 AM, Stian Thorgersen wrote:
> Can you explain the rational behind this? I don't understand what the 
> use-case is and why you would want to "disable" credentials.
>
> On 28 October 2016 at 23:00, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>     Admin console user credential tab has been changed.  It will now list
>     "disabable credential types".  This will be a list of credential types
>     that can be disabled by the admin (i.e. OTP, PASSWORD, CERT, etc..).
>     All this hooks into the Credential SPI that I went over a few weeks
>     ago.  So, if new credential types are created, they should show up in
>     the console too.
>
>     Note that disabling happens per credential type, and not per device
>     (i.e. OTP).  I honestly could not figure out how to have an SPI and
>     generic admin console UI that would take into account ideas like
>     multiple OTPs, certs, etc...So, disabling is done per type, not
>     per OTP
>     generator.  These are the SPI items that are the backbone of this
>     feature.  They are methods on UserCredentialManager
>
>     /** * Calls disableCredential on UserStorageProvider and
>     UserFederationProviders first, then loop through * each
>     CredentialProvider. * * @param realm * @param user * @param
>     credentialType */ void disableCredentialType(RealmModel realm,
>     UserModel user, String credentialType);
>
>     /** * Returns a set of credential types that can be disabled by
>     disableCredentialType() method * * @param realm * @param user *
>     @return */ Set<String> getDisableableCredentialTypes(RealmModel
>     realm, UserModel user);
>
>     CredentialProviders and UserStorageProviders will be required to
>     implement these methods if they support credential updates.
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>

More information about the keycloak-dev mailing list