Users accessing the WebUI from the internal network are allowed to use any token they have configured.
Users accessing the WebUI from outside are allowed to use only a token of type sms.
So far, I have a WebUI policy with login_mode set to privacyIDEA and no IP associated with it. This means that anyone (but the admin) needs to provide an OTP to log in to the web interface of PI. Perfect.
Now, as a first test, I created an authorization policy with tokentype set to sms and set the IP of my computer as the Client. Still, I could log in to the WebUI of PI with a paper-based token.
Thus I am wondering if the WebUI access is honouring authorization policies (and authentication policies as well).
Could anyone provide me with some information about it?