Module kanidm::credential



This is how we store credentials in the server. An account can have many credentials, and a credential can have many factors. Authentication succeeds only against a credential as a whole unit. For example:

    A: Credential { password: aaa }
    B: Credential { password: bbb, otp: … }

In this case, if we selected credential B and then provided the password “aaa”, we would deny the auth because the password of B was incorrect. Additionally, while A only needs the “password”, B requires both the password and the otp to be valid.


The type of credential that is stored. Each of these represents a full set of ‘what is required’ to complete an authentication session. The reason to have these typed like this is so we can later apply policy to what classes or levels of credentials can be used. We also use these types to know what type of auth session handler to initiate.
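
The whole-unit rule and the typed-credential policy described above, as an added sketch that is not kanidm's own code. `CredKind`, `Credential`, `authenticate`, the minimum-level policy and the stand-in factor checks are all hypothetical names and assumptions made for this example.

```rust
// Added illustration: all names are hypothetical, not kanidm's API. The factor
// checks are stand-in functions; a real server verifies a salted password hash
// and a time-based OTP instead.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum CredKind {
    Password,    // single factor
    PasswordMfa, // password and OTP, both required
}

pub struct Credential {
    pub kind: CredKind,
    pub password_ok: fn(&str) -> bool,
    pub otp_ok: Option<fn(&str) -> bool>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthResult { Success, Denied }

/// Authenticate against exactly one selected credential. Every factor that
/// credential holds must validate; other credentials on the account are ignored.
pub fn authenticate(cred: &Credential, min_kind: CredKind, password: &str, otp: Option<&str>) -> AuthResult {
    // Assumed policy: reject credential types below a required level up front.
    if cred.kind < min_kind { return AuthResult::Denied; }
    let pw = (cred.password_ok)(password);
    // The credential's type decides which factors the session has to collect.
    let second = match (cred.kind, cred.otp_ok, otp) {
        (CredKind::Password, _, _) => true,
        (CredKind::PasswordMfa, Some(check), Some(code)) => check(code),
        _ => false, // MFA credential with no verifier stored or no code supplied
    };
    if pw && second { AuthResult::Success } else { AuthResult::Denied }
}

// Constructed sample credentials matching A and B in the text above.
fn pw_a(p: &str) -> bool { p == "aaa" }
fn pw_b(p: &str) -> bool { p == "bbb" }
fn otp_b(c: &str) -> bool { c == "123456" }
pub fn cred_a() -> Credential { Credential { kind: CredKind::Password, password_ok: pw_a, otp_ok: None } }
pub fn cred_b() -> Credential {
    Credential { kind: CredKind::PasswordMfa, password_ok: pw_b, otp_ok: Some(otp_b as fn(&str) -> bool) }
}

fn main() {
    let (a, b) = (cred_a(), cred_b());
    println!("{:?}", authenticate(&a, CredKind::Password, "aaa", None));
    println!("{:?}", authenticate(&b, CredKind::Password, "aaa", Some("123456")));
    println!("{:?}", authenticate(&b, CredKind::Password, "bbb", Some("123456")));
}
```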