Allow authentication only with specific token type depending on flexible conditions #3752
Labels
Topic: Authentication
Authentication-flow related issues
Topic: Policy
in regards to event handler modules and events (can be function, DB or UI)
Type: Feature request
A change requested or proposed by a user which is not on the default roadmap
Is your feature request related to a problem? Please describe.
In certain scenarios the authentication with a certain token type is not expected.
E.g. under certain conditions a user would not want to authenticate with an SMS token, since an SMS token triggers an SMS (sending/receiving of SMS) although the user may have another token type.
(Add more scenarios)
Describe the solution you'd like
I would like to define conditions under which certain tokentypes are removed from the list of the user's available tokens, so that these tokens are not checked in the function token.py::check_token_list() (see privacyidea/privacyidea/lib/token.py, line 2143 in 2161983).
To do so, maybe we can define a pre-auth-hook, similar to pre-event-handlers and script-handlers, so that these conditions can be added in a most flexible way.
Describe alternatives you've considered
We have some policies. However, policies in this case seem very static.
We have the parameter "type" in the /validate/check request, so that an application can define which tokentype should be used for authentication in this request.
We could add a list of token types to this parameter, so that privacyIDEA could check
We could also do this as a policy.
Top level requirements and scenarios
Describe what needs to be achieved and how the scenario looks like
If a user has several tokentypes enrolled, we somehow need to be able to only use a specific token type for authentication.
E.g. to avoid spamming the user with SMS.
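A sketch of the filtering step requested above, added here as an illustration and not taken from privacyIDEA's code: the names `Token`, `pre_auth_filter`, `has_type_other_than` and the rule format are hypothetical, and nothing in it calls the privacyIDEA API. It narrows the user's token list before any token is checked, combining the "type" list alternative with condition-based rules, and returns an empty list (so authentication fails) when the request names only types the user has not enrolled.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Token:
    """Hypothetical stand-in for an enrolled token."""
    serial: str
    tokentype: str  # e.g. "sms", "totp", "hotp"

# A rule pairs a condition over (request context, candidate tokens)
# with the set of token types to drop when the condition holds.
Condition = Callable[[dict, list], bool]
Rule = tuple[Condition, frozenset]

def has_type_other_than(excluded: str) -> Condition:
    """Condition: the user still has at least one token that is not `excluded`."""
    return lambda ctx, tokens: any(t.tokentype != excluded for t in tokens)

def pre_auth_filter(tokens: list, ctx: dict, rules: list) -> list:
    """Return the tokens that may be checked for this authentication request."""
    remaining = list(tokens)

    # Alternative from the issue: "type" carries a list of allowed token types.
    # Assumption: the list is comma-separated and case-insensitive.
    requested = {p.strip().lower()
                 for p in (ctx.get("type") or "").split(",") if p.strip()}
    if requested:
        remaining = [t for t in remaining if t.tokentype in requested]

    # Condition-based rules run in order on what is left, so a rule such as
    # "drop SMS if another type exists" never removes the user's only token.
    for condition, drop_types in rules:
        if condition(ctx, remaining):
            remaining = [t for t in remaining if t.tokentype not in drop_types]
    return remaining

# Constructed sample data: one user with an SMS and a TOTP token.
SAMPLE_TOKENS = [Token("SMS0001", "sms"), Token("TOTP0001", "totp")]
SAMPLE_RULES = [(has_type_other_than("sms"), frozenset({"sms"}))]

if __name__ == "__main__":
    for ctx in ({}, {"type": "sms"}, {"type": "push"}):
        kept = pre_auth_filter(SAMPLE_TOKENS, ctx, SAMPLE_RULES)
        print(ctx, "->", [t.serial for t in kept])
```

Because the rules see only the already narrowed list, an application that explicitly requests `type=sms` still gets the SMS token, while a request without `type` skips it whenever another token is enrolled.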