Details

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Why

      Currently, the new Account Console allows the user to remove any credential type except password (which can be only updated). This is not ideal because e.g. user is unable to switch to passwordless creds as password cannot be removed. Another problem is that it's possible to remove the only credential (if password is not set) which makes the user unable to login again, or leaves the account unsecured (if the realm is configured to register required credential if it's missing).

      What

      Whether it is safe to remove a credential depends on authentication flows.

      One alternative is to Implement some independent rules system to define what credential types can be removed and when. Those rules could be configured in the Admin Console. E.g. those rules could specify that password can be remove only if another passwordless credential is configured, and vice versa.

      Another alternative is to base such rules only on authentication flows without the ability to configure them manually. This might be confusing for the admin, though.

      This requires more research.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  vmuzikar Václav Muzikář
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated: