15 changes: 8 additions & 7 deletions docs/dev/authentication-flow-toggle-maps.md
@@ -10,7 +10,7 @@ See the [Authentication Flow Customization](../reference/UDS%20Core/IdAM/authent
| [X509_LOGIN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L22) | Control whether X509 ( CAC ) Login block is included on the login and registration pages. | `true`(default), `false`|
| [USERNAME_PASSWORD_AUTH_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L23) | Control whether Username Password Login block is included on the login and registration pages. This will also control the realm configuration for updating passwords or setting a new password from users account management. | `true`(default), `false`|
| [REGISTER_BUTTON_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the register button is included on the login page. | `true`(default), `false`|
| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `WebAuthn Passwordless Authenticator` pop-up shows the register new user. This can already be assumed since the WebAuthn is configured as an MFA. | `true`, `false`(default) |
| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L30) | Control whether the `WebAuthn Authenticator` pop-up shows the register new user. This can already be assumed since the WebAuthn is configured as an MFA. This also controls whether a user can delete a credential or not. | `true`, `false`(default) |

### Realm Configuration Definitions
| Setting | Description | Options |
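Review bot: the rewritten `WEBAUTHN_ENABLED` row claims the toggle "also controls whether a user can delete a credential or not", but the `delete_credential` required action added to src/realm.json in this same PR is gated on `${MFA_ENABLED:false}`, not on `WEBAUTHN_ENABLED`; either the realm placeholder or this sentence should change so the documented control is the one that actually applies. While the row is being touched, "shows the register new user" and "This can already be assumed since the WebAuthn is configured as an MFA" would read more clearly as "is shown to a newly registering user" and "This is normally already set because WebAuthn is configured as an MFA method".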
@@ -19,12 +19,13 @@ See the [Authentication Flow Customization](../reference/UDS%20Core/IdAM/authent
| [RESET_CREDENTIAL_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L26) | Control whether a the Reset Credential Auth Flow can be reached by user to reset or set their password. | `REQUIRED`(default), `DISABLED` |
| [REGISTRATION_FORM_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L27) | Control whether the registration form can be reached for a new registration. | `REQUIRED`(default), `DISABLED` |
| [OTP_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L28) | Control whether One Time Password is allowed. | `true`(default), `false` |
| [OTP_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L28) | Control whether the OTP is required as an MFA method. | `REQUIRED`(default), `DISABLED` |
| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `WebAuthn Register Passwordless` required action is enabled. | `true`, `false`(default) |
| [WEBAUTHN_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `WebAuthn Register Passwordless` required action is enabled. | `REQUIRED`, `DISABLED`(default) |
| [X509_MFA_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether X509 Authentication flows can also require MFA. This configuration is used in the custom `Registration Validation` plugin. | `true`, `false`(default) |
| [X509_MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether X509 Authentication flows require MFA. This is needed so that X509 MFA can be configured seperately from Username/Password MFA. | `REQUIRED`, `DISABLED`(default) |
| [MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L24) | Control whether the `MFA` authentication is required. | `REQUIRED`(default), `DISABLED` |
| [OTP_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L29) | Control whether the OTP is required as an MFA method. | `REQUIRED`(default), `DISABLED` |
| [WEBAUTHN_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L30) | Control whether the `WebAuthn Register` required action is enabled. | `true`, `false`(default) |
| [WEBAUTHN_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L31) | Control whether the `WebAuthn Register` required action is enabled. | `REQUIRED`, `DISABLED`(default) |
| [X509_MFA_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L32) | Control whether X509 Authentication flows can also require MFA. This configuration is used in the custom `Registration Validation` plugin. | `true`, `false`(default) |
| [X509_MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L33) | Control whether X509 Authentication flows require MFA. This is needed so that X509 MFA can be configured seperately from Username/Password MFA. | `REQUIRED`, `DISABLED`(default) |
| [MFA_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L34) | Control whether the `MFA` authentication is required. | `true`(default), `false` |
| [MFA_FLOW_ENABLED](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/templates/secret-kc-realm.yaml#L35) | Control whether the `MFA` authentication is required. | `REQUIRED`(default), `DISABLED` |

### Common Configurations

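Review bot: the `WEBAUTHN_ENABLED` and `WEBAUTHN_FLOW_ENABLED` rows carry the same description ("Control whether the `WebAuthn Register` required action is enabled"), and so do `MFA_ENABLED` and `MFA_FLOW_ENABLED` ("Control whether the `MFA` authentication is required"), so a reader cannot tell the `true`/`false` required-action switch from the `REQUIRED`/`DISABLED` flow-step requirement; the `*_FLOW_ENABLED` descriptions should state that they set the requirement level of the matching step in the authentication flow. The new `MFA_ENABLED` row lists `true` as the default, while the `delete_credential` action in src/realm.json below reads `${MFA_ENABLED:false}`; one of the two defaults is wrong. The typo "seperately" in the `X509_MFA_FLOW_ENABLED` row was carried over from the removed line and could be fixed here.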
1 change: 1 addition & 0 deletions docs/reference/UDS Core/IdAM/upgrading-versions.md
@@ -78,6 +78,7 @@ If wanting to configure the MFA everywhere with both OTP and WebAuthn options, t
- Enable the following `Required Actions`, only toggle the `Enabled` **DO NOT TOGGLE** `Set as default action`:
- `Configure OTP`
- `Webauthn Register`
- `Delete Credential`
- Disable the `WebAuthn Register Passwordless`, make sure this is **not** the `WebAuthn Register` option ( this one should be enabled )
3. The `UDS Authentication` authentication flow has undergone significant changes.
- Click `Authentication` tab from left side menu
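Review bot: the new `Delete Credential` bullet should say what enabling it permits, because the surrounding list is an upgrade procedure operators will follow verbatim: per the docs change in this PR, this required action is what lets a user remove a credential from account management, so enabling it widens what an already signed-in session can do to a user's MFA setup. A short note after the bullet, plus a pointer to the `MFA_ENABLED` toggle that gates this action in realm.json, would let operators make that choice deliberately instead of toggling it because the list says so.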
9 changes: 9 additions & 0 deletions src/realm.json
@@ -3194,6 +3194,15 @@
"defaultAction": false,
"priority": 1003,
"config": {}
},
{
"alias": "delete_credential",
"name": "Delete Credential",
"providerId": "delete_credential",
"enabled": "${MFA_ENABLED:false}",
"defaultAction": false,
"priority": 1006,
"config": {}
}
],
"browserFlow": "UDS Authentication",
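Review bot: `"enabled": "${MFA_ENABLED:false}"` defaults the new action to off, but the docs table added in this PR lists `true` as the `MFA_ENABLED` default; the placeholder default and the documented default need to agree. The docs also attribute credential deletion to `WEBAUTHN_ENABLED`, whereas this line ties it to `MFA_ENABLED`; if deletion is meant to follow the MFA toggle (reasonable, since OTP credentials are deletable too), the doc sentence should be updated rather than this line. `"defaultAction": false` and `"priority": 1006` are consistent with the upgrade note's instruction not to set the action as a default.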
9 changes: 9 additions & 0 deletions src/test/cypress/realm.json
@@ -3227,6 +3227,15 @@
"defaultAction": false,
"priority": 1003,
"config": {}
},
{
"alias": "delete_credential",
"name": "Delete Credential",
"providerId": "delete_credential",
"enabled": "${MFA_ENABLED:false}",
"defaultAction": false,
"priority": 1006,
"config": {}
}
],
"browserFlow": "UDS Authentication",
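Review bot: this is a verbatim copy of the src/realm.json addition, which keeps the Cypress fixture in sync, but nothing in the PR exercises the new action beyond importing it; a Cypress check that credential deletion is offered when `MFA_ENABLED` is `true` and withheld at the default would cover the behaviour this fixture exists to test.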