Change PIN on First Use + Event Trigger not working as expected

I have an enrollment policy with change_pin_on_first_use selected. This works as expected and sets the next_pin_change value within the tokeninfo once a token is initially created or the PIN is set.

I then also have an event trigger that fires on token_init and token_setpin (I have also tried adding token_assign, unassign, enable, disable, and set to troubleshoot) that will delete the next_pin_change tokeninfo if the token is a RADIUS token with local_checkpin set to 0.

Unfortunately this is not working as expected, so please let me know if I am doing something incorrectly. When the token is created, the trigger fires to delete the token info, but it appears the policy takes effect even after the trigger and still sets that tokeninfo value.

If I later go back into the token and do a fake PIN change, the event fires as expected and removes the tokeninfo.

The decorator that sets the pin_change in the tokeninfo is executed after the event wrapper decorator.

Okay, I’ll just leave my workaround in place where I fake an “enable” token after I initialize them, forcing the event to take place and remove the tokeninfo entry.

Thank you for confirming!
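
The ordering described in the reply and the "enable" workaround from the follow-up, modeled as an added example that is not the project's code or part of the thread. The decorators, handler, endpoint functions and token data are hypothetical stand-ins constructed for illustration; only the names change_pin_on_first_use, next_pin_change and local_checkpin come from the posts.

```python
import functools

TOKENS = {}  # constructed in-memory stand-in for the token database

def event(name, handlers):
    """Hypothetical event wrapper: runs handlers after the wrapped call returns."""
    def deco(func):
        @functools.wraps(func)
        def wrapper(serial, *args, **kwargs):
            result = func(serial, *args, **kwargs)
            for handler in handlers.get(name, []):
                handler(serial)
            return result
        return wrapper
    return deco

def change_pin_on_first_use(func):
    """Hypothetical policy decorator: sets next_pin_change after the wrapped call."""
    @functools.wraps(func)
    def wrapper(serial, *args, **kwargs):
        result = func(serial, *args, **kwargs)
        TOKENS[serial]["tokeninfo"]["next_pin_change"] = "constructed-date"
        return result
    return wrapper

def delete_next_pin_change(serial):
    """Handler from the thread: drop the entry for RADIUS tokens with local_checkpin 0."""
    tok = TOKENS[serial]
    if tok["type"] == "radius" and tok["tokeninfo"].get("local_checkpin") == "0":
        tok["tokeninfo"].pop("next_pin_change", None)

HANDLERS = {"token_init": [delete_next_pin_change], "token_enable": [delete_next_pin_change]}

@change_pin_on_first_use          # outer: its post-processing runs last
@event("token_init", HANDLERS)    # inner: handler runs first and finds nothing to delete
def token_init(serial, tokentype, local_checkpin):
    TOKENS[serial] = {"type": tokentype, "tokeninfo": {"local_checkpin": local_checkpin}}
    return serial

@event("token_enable", HANDLERS)  # no pin-change policy wraps this call
def token_enable(serial):
    TOKENS[serial]["active"] = True
    return serial

def demo():
    token_init("RAD0001", "radius", "0")
    after_init = "next_pin_change" in TOKENS["RAD0001"]["tokeninfo"]
    token_enable("RAD0001")       # the workaround: a later event removes the entry
    after_enable = "next_pin_change" in TOKENS["RAD0001"]["tokeninfo"]
    return after_init, after_enable
```

`demo()` returns whether next_pin_change is present after init and then after the follow-up enable call.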