Affects Version/s: None
Fix Version/s: v2.6.0
Endpoint should have authenticators configuration reworked. Now it should be configured as a simple list of authentication flows. I.e.
should become unsupported.
Instead a new option:
should be added.
The biggest part of this task is that the flows should drive the endpoint's login process:
Initially the endpoint should show a union of all 1st factor authenticators from all login flows.
After authentication with a chosen 1st factor authenticator, further processing should be determined by its authentication flow's 2nd factor policy:
- require - show the first 2nd factor authenticator from the list for which the user has a valid credential. If there is no such credential, then fail authN with an appropriate error.
- userOptIn - if the user opted in for 2nd factor, show the first 2nd factor authenticator from the list for which the user has a credential. If the user opted out or has no such credential, finish authN with success.
- never - finish authN with success just after the 1st factor.
Obviously, in any case, if 2nd factor authentication is used, then it is mandatory for it to succeed.
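
The decision logic described above, as an added Python sketch that is not the project's own code. The Flow type, the function names, the authenticator names and the rule for an authenticator listed in several flows are assumptions made for illustration; only the three policy names come from this ticket.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    name: str
    first_factors: tuple
    second_factors: tuple
    policy: str  # "require", "userOptIn" or "never"

# Constructed sample configuration (hypothetical names, not from the ticket).
FLOWS = [
    Flow("admin", ("pwd", "cert"), ("otp", "sms"), "require"),
    Flow("portal", ("cert", "ldap"), ("sms",), "userOptIn"),
]

def first_factor_choices(flows):
    """Union of all 1st factor authenticators, in configuration order."""
    seen = []
    for flow in flows:
        for name in flow.first_factors:
            if name not in seen:
                seen.append(name)
    return seen

def flow_for(flows, authenticator):
    # Assumption: when several flows list the same 1st factor, the first one wins.
    return next(f for f in flows if authenticator in f.first_factors)

def after_first_factor(flow, valid_credentials, opted_in):
    """Return ("success", None), ("second_factor", name) or ("fail", reason)."""
    if flow.policy not in ("require", "userOptIn", "never"):
        raise ValueError("unknown 2nd factor policy")  # fail closed on bad config
    if flow.policy == "never" or (flow.policy == "userOptIn" and not opted_in):
        return ("success", None)
    usable = next((a for a in flow.second_factors if a in valid_credentials), None)
    if usable is not None:
        return ("second_factor", usable)
    if flow.policy == "require":
        return ("fail", "no valid 2nd factor credential")
    return ("success", None)  # userOptIn, opted in, but no usable credential

def finish(step, second_factor_ok):
    """Once a 2nd factor is shown it must succeed, whatever the policy."""
    if step[0] == "second_factor":
        return second_factor_ok
    return step[0] == "success"
```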