Allow authentication only with specific token type depending on flexible conditions #3752

Open
cornelinux opened this issue Sep 5, 2023 · 1 comment
Labels
Topic: Authentication Authentication-flow related issues Topic: Policy in regards to event handler modules and events (can be function, DB or UI) Type: Feature request A change requested or proposed by a user which is not on the default roadmap

Comments

@cornelinux
Member

Is your feature request related to a problem? Please describe.

In certain scenarios the authentication with a certain token type is not expected.
E.g. under certain conditions a user would not want to authenticate with an SMS token, since an SMS token triggers an SMS (sending/receiving of SMS) although the user may have another token type.

(Add more scenarios)

Describe the solution you'd like

I would like to define conditions under which certain tokentypes are removed from the list of the user's available tokens, so that these tokens are not checked in the function token.py::check_token_list() (see @log_with(log, hide_args=[1])).

To do so, maybe we can define a pre-auth-hook, similar to pre-event-handlers and script-handlers, so that these conditions can be added in a most flexible way.

Describe alternatives you've considered

We have some policies. However, policies in this case seem very static.

We have the parameter "type" in the /validate/check request, so that an application can define which tokentype should be used for authentication in this request.

We could add a list of token types to this parameter, so that privacyIDEA could check

  • authenticate user with the first tokentype in the list
  • if the user does not have such a tokentype, take the 2nd one...

We could also do this as a policy.

Top level requirements and scenarios

Describe what needs to be achieved and what the scenario looks like

If a user has several tokentypes enrolled, we somehow need to be able to only use a specific token type for authentication.

E.g. to avoid spamming the user with SMS.

@cornelinux cornelinux added Type: Feature request A change requested or proposed by a user which is not on the default roadmap Topic: Policy in regards to event handler modules and events (can be function, DB or UI) Topic: Authentication Authentication-flow related issues labels Sep 5, 2023
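
The two ideas in the request above (an ordered list of token types in the "type" parameter, and condition hooks that prune the user's token list before it is checked) are sketched here as an added example; it is not privacyIDEA code and not part of the original issue. `Token`, `select_by_type_preference`, `drop_sms_if_alternative` and `apply_pre_auth_hooks` are hypothetical names, and returning an empty list when no preferred type is enrolled is an assumption of this sketch, since the issue does not specify that case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Hypothetical stand-in for an enrolled token (not privacyIDEA's class)."""
    serial: str
    tokentype: str


def select_by_type_preference(tokens, preferred_types):
    """Keep only the tokens of the first preferred type the user has enrolled.

    No preference list leaves the token list unchanged. If none of the
    preferred types is enrolled, the result is empty (assumption: fail
    closed instead of silently falling back to a type the caller excluded).
    """
    if not preferred_types:
        return list(tokens)
    for wanted in preferred_types:
        matching = [t for t in tokens if t.tokentype.lower() == wanted.lower()]
        if matching:
            return matching
    return []


def drop_sms_if_alternative(tokens):
    """Example condition: remove SMS tokens when any other type is enrolled."""
    others = [t for t in tokens if t.tokentype.lower() != "sms"]
    # A user who only has SMS keeps it, otherwise they could not log in at all.
    return others if others else list(tokens)


def apply_pre_auth_hooks(tokens, hooks):
    """Run each hook in order; a hook maps a token list to a token list."""
    for hook in hooks:
        tokens = hook(tokens)
    return list(tokens)


# Constructed sample data: one user with three enrolled tokens.
USER_TOKENS = [
    Token("SMS0001", "sms"),
    Token("TOTP0001", "totp"),
    Token("HOTP0001", "hotp"),
]

if __name__ == "__main__":
    pruned = apply_pre_auth_hooks(USER_TOKENS, [drop_sms_if_alternative])
    print([t.serial for t in pruned])
    print([t.serial for t in select_by_type_preference(USER_TOKENS, ["push", "totp", "sms"])])
```

Only the tokens that survive the hooks would be handed to the token check, so an SMS is never triggered for a user who has another token type.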
@plettich
Member

plettich commented Sep 5, 2023

Maybe related to #3695
