The 2fa email authenticator is always being shown as active/configured even if it's not

[mustafa-kamel]

After pulling the latest updates on main and testing the email authenticator, I found that the email authenticator is always shown as active and the delete button is enabled, even if the email authenticator is not set up.

I have debugged this and I found it's because the email authenticator always returns a dummy credential object if the authenticator is not configured.

  {
        "type": "email-authenticator",
        "category": "two-factor",
        "displayName": "email-authenticator-display-name",
        "helptext": "email-authenticator-help-text",
        "iconCssClass": "kcAuthenticatorEmailClass",
        "createAction": "email-authenticator-setup",
        "removeable": true,
        "userCredentialMetadatas": [
            {
                "credential": {
                    "id": "email-authenticator-id",
                    "type": "email-authenticator",
                    "createdDate": -1,
                    "priority": 0
                }
            }
        ]
    } 

Since I have a custom theme that doesn't show the Set up Email Authenticator button for the email authenticator if there's one 2FA email credentail is returned, for the same reason, to allow only having one email authenticator configured. This results in not being able to configure the 2FA email authenticator.

I think a better approach for enforcing only one 2FA email authenticator at most is to do that in the backend by raising an error when the user requests to set it up again if he has one 2FA email authenticator configured, and keep returning userCredentialMetadatas empty if it's not configured.

[pantshaswat-zerotheft]

Any updates on this? I am also facing the same issue. Even though the user hasn't configured the Email otp, and the flow has condition: user configured, the email otp screen is being triggered anyways.

[valerio2405]

Hello, same problem here. There are some updates?

[ssill2]

I guess I've not seen this. The way I configured it was if a user had a certain role they would be emailed a code and would be prompted for it after entering user and pass.

[ssill2]

So this role

And this in my auth flow. it works like a charm

[mustafa-kamel]

So this role

And this in my auth flow. it works like a charm

@ssill2 I think the issue doesn’t occur in your case because you’re using a user role condition. The problem appears with the user configured condition, which causes the email authenticator to be shown as always configured—even when it isn’t.

[ssill2]

I see. In my case we basically make this decision for the users. I figured when I set this up that since every user has an email that I just wanted to turn it on for certain groups of users and it required no configuration on the user's part.

[pantshaswat-zerotheft]

This PR should fix it: #107