Fix: gate configuredFor on enrolment and restore skipSetup opt-in
Closes a follow-up regression on issue #108 reported by @hashworks: with v26.4.2, users were prompted for the email OTP form even when the Conditional - User Configured sub-flow's conditions weren't met.
Root cause
PR #136 made EmailAuthenticatorForm.configuredFor return true for any user with an email address. Keycloak's Conditional - User Configured iterates sibling executions and calls configuredFor on each, so non-enrolled users were unexpectedly satisfying the condition.
What changed
EmailAuthenticatorForm.configuredFornow returnstruewhen either the user has a storedemail-authenticatorcredential or an admin has explicitly opted in by settingskipSetup=trueon at least one email-authenticator execution in the realm and the user has an email.EmailAuthenticatorCredentialProvideris untouched — the architectural cleanup from #129 and the emptyuserCredentialMetadatasbehaviour from #108 are preserved.- The
skipSetupconfig property is re-exposed in the admin UI with help text that calls out the trade-off, andEmailConstants.SKIP_SETUP/DEFAULT_SKIP_SETUPare un-deprecated. The default flips fromtruetofalse.
When to flip skipSetup
| Use case | Setting |
|---|---|
Conditional - User Configured sub-flow that should fire only for enrolled users
| skipSetup=false (default)
|
| Admin-provisioned 2FA without enrolment (#112), plugin visible in "Try Another Way" alternatives (#50) | skipSetup=true on the email-authenticator execution
|
Backward compatibility
- Realms upgrading from v26.3.1 / v26.4.1 with explicit
skipSetup=false(e.g. @hashworks' setup) get the strict behaviour back without reconfiguration. - Realms upgrading from v26.4.2 default behaviour need to set
skipSetup=trueon the execution if they were relying on the permissive default.
Pull request
- #137:
fix: restore skipSetup opt-in and gate configuredFor on enrolment (#108 follow-up)