Allow specific token types only

arddg · December 16, 2023, 11:19am

Hi!

I have not found any option to force specific token type for different situations.
For example, I use push tokens with RD Gateway - it works great. But I do not need using any other tokens for RD Gateway. So now, if user does not Accept push token (or just the request became invalid by timeout) he still gets OTP by email. If user Accepts push then he does not get email OTP.
Can we do something to disable sending OTP by email if user haven’t accept push?

Thanks!

cornelinux · December 20, 2023, 2:11pm

You could work on

github.com/privacyidea/privacyidea

Allow authentication only with specific token type depending on flexible conditions

opened 02:32PM - 05 Sep 23 UTC

cornelinux

Type: Feature request Topic: Policy Topic: Authentication

**Is your feature request related to a problem? Please describe.** In certain… scenarios the authentication with a certain token type is not expected. E.g. under certain conditions a user would not want to authenticate with an SMS token, since an SMS token triggers an SMS (sending/ receiving of SMS) although the user may have another token type. (Add more scenarios) **Describe the solution you'd like** I would like to define conditions, under which certain tokentypes are removed fromt he list of the user's available tokens, so that these tokens are not check in the function `token.py::check_token_list()`. (see https://github.com/privacyidea/privacyidea/blob/216198383f7499e8749d6e837cec0fe0ea1cf5ba/privacyidea/lib/token.py#L2143) To do so, maybe we can define a pre-auth-hook, similar to pre-event-handlers and script-handlers, so that these conditions can be added in a most flexible way. **Describe alternatives you've considered** We have some policies. However, policies in this case seem very static. We have the parameter "type" in the /validate/check request, so that an application can define, which tokentype should be used for authentication in this request. We could add a *list* of token types to this parameter, so that privacyIDEA could check - authenticate user with the first tokentype in the list - if the user does not have such a tokentype, take the 2nd one... We could also do this as a policy. # Top level requirements and scenarios *Describe what needs to be achieved and how the scenario looks like* If a user has several tokentype enrolled, we somehow need to be able to only use a specific token type for authentication. E.g. to avoid spamming user with SMS.

arddg · December 20, 2023, 5:39pm

Thanks! Good to know that you have such feature request. But I can only hope that this feature will be released sometime

Actually we need email token only once for user’s first login to PI. I have done an event handler to enroll email token while user logs in to PI first time. After that user enrolls Push token and we do not need email token anymore.
So now I’m trying to disable email token with an event handler. I have tried several configurations but without success. Here is an example:

Events: auth
Handlermodule: Token
Position: post (tried Pre too)
Condition: otp_counter: >1 and tokentype: email (have tried some other conditions)
Action: disable
And this event handler doesn’t work. Cannot find anything useful in log files.
Absolutely similar event handler for SMS tokens works fine.

Do you have any ideas why this handler doesn’t work?