We are trying to deploy Keycloak with the privacyIDEA plugin using Email OTP for users.
The 1st and 2nd login steps are smooth. But we have a question:
If the user completes the 1st-step challenge login (username & password), the browser then waits for the email token to be entered. At this moment, if the user presses the “refresh” button, the browser page is refreshed. Meanwhile, the privacyIDEA server is triggered for the 1st-step challenge again and sends a new email OTP to the user's mailbox. Even when the user only clicks refresh, the send-email-OTP policy is triggered and processed.
Do we have any method to freeze the 2nd and later triggers of the ‘send email OTP policy’?
Our idea for the workflow:
- The user triggers the ‘send email OTP policy’ for the 1st time; the email OTP is sent out normally.
- Then the policy is frozen for 1 minute for this username, as follows.
- If the same user refreshes the browser and triggers the 1st-step challenge again, since the policy is frozen, no email OTP is sent out during this time window.
- Besides, the 1st email OTP is still valid.
- If the user did not get any email OTP the 1st time, after waiting 1 minute he can refresh the browser again or retry the Keycloak login. This time he gets an email OTP, since the policy is automatically unfrozen for this username, going back to workflow step 1.
This is our configuration:
privacyIDEA 3.7.1
Keycloak 15.1.1
privacyIDEA Keycloak plugin 1.0.1
Keycloak plugin configuration:
Policy: Email_OTP_xxxxx.biz
active: True
scope: authentication
realm: []
adminrealm: []
adminuser: []
resolver: ['xxxxx.biz']
pinode: []
check_all_resolvers: False
user: []
client: []
time:
conditions: [('userinfo', 'email', 'matches', '.*@gmail.com', False), ('userinfo', 'email', 'in', '.*@yahoo.com,.*@gmail.com,.*@qq.com', False)]
priority: 50
action: {'auth_cache': '1h/5m', 'challenge_response': 'email', 'emailsubject': 'Email OTP', 'emailtext': 'file:/etc/privacyidea/cfg/emailotp_template4.html', 'otppin': 'userstore'}
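The per-username freeze window proposed in the workflow above, written out as an added example; this is not code from the original post, from privacyIDEA or from the Keycloak plugin. The `send_otp` hook, the username, the transaction ids and the timeline (login at t=0, refresh at t=10, retry at t=70) are constructed for illustration.

```python
"""Illustrative per-username freeze window for the 'send email OTP' step.
Added example; not privacyIDEA or Keycloak plugin code."""
import itertools
import time


class EmailOtpThrottle:
    def __init__(self, freeze_seconds=60, clock=time.monotonic):
        self.freeze_seconds = freeze_seconds
        self.clock = clock          # injectable so the scenario can be replayed offline
        self._last_sent = {}        # username -> time the last email OTP was sent
        self._pending = {}          # username -> transaction id that is still valid

    def trigger(self, username, send_otp):
        """Called each time the 1st-step challenge succeeds for `username`.
        `send_otp(username)` is a hypothetical hook that mails the OTP and
        returns a transaction id. Returns what happened for this trigger."""
        now = self.clock()
        last = self._last_sent.get(username)
        if last is not None and now - last < self.freeze_seconds:
            # Frozen: send no new mail; the earlier OTP / transaction stays valid.
            return {"sent": False,
                    "transaction_id": self._pending[username],
                    "retry_after": int(self.freeze_seconds - (now - last))}
        txid = send_otp(username)   # outside the window: send and start a new window
        self._last_sent[username] = now
        self._pending[username] = txid
        return {"sent": True, "transaction_id": txid, "retry_after": 0}


def replay_refresh_scenario():
    """Constructed timeline: login at t=0, browser refresh at t=10,
    retry after the window at t=70. Returns the three outcomes and
    how many emails were actually sent."""
    timeline = iter([0, 10, 70])
    counter = itertools.count(1)
    sent = []

    def fake_send(user):            # stands in for the real mailer
        sent.append(user)
        return f"txn-{next(counter)}"

    throttle = EmailOtpThrottle(freeze_seconds=60, clock=lambda: next(timeline))
    first = throttle.trigger("alice@example.biz", fake_send)
    refresh = throttle.trigger("alice@example.biz", fake_send)
    retry = throttle.trigger("alice@example.biz", fake_send)
    return first, refresh, retry, len(sent)
```

The refresh at t=10 returns the first transaction id with `retry_after` of 50 seconds and sends nothing, while the retry at t=70 sends a fresh OTP, so the mailbox sees two messages instead of three.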