For the OTP SASL mechanism, the stored credential needs to be updated once a guess has been verified. In the standard case, this involves updating the stored hash based on the guess and decrementing the sequence number by 1. The OTP SASL mechanism also supports OTP sequence resets, where a user provides both a guess and a new OTP password with new parameters. If verification of the guess succeeds, then the stored credential is updated based on the new password and new parameters. However, if verification of the guess succeeds but the new password/parameters are invalid, then the stored hash is updated based on the guess and the sequence number is decremented by 1, as in the non-reset case (note that SASL auth fails in this case though).
PR #277 adds handling for a CredentialUpdateCallback in ServerAuthenticationContext. This is used to handle both the OTP sequence reset case as well as the non-reset case. Instead of manipulating the realm identity directly in the SAC callback handler, we should be able to make use of realm events so that the realm itself can handle OTP updates and resets.