Should a user be able to opt-out of saving their credentials locally?

[aowen-uwmad]

When the client acts on a protected namespace, it prompts the user to password-protect their local credentials that Pelican obtains. In discussing the reason for this prompt, a user asked if they could just skip saving the credentials at all.

To summarize the hypotheticals we discussed, the idea is that they want to authorize the client for exactly one protected action on a device, and so have no desire to save the local credentials for reuse.

Is this something that Pelican wants to support?

[bbockelm]

Great question!

What sequence of prompts do you propose we ask in this case?

[aowen-uwmad]

My initial thought was something like

Do you want to save your credentials locally for reuse? (yes/no/never/always)

• yes - continues to the normal create-password prompt
• no - skips create-password prompt
• never - skips create-password prompt and adds setting to local configuration to bypass these prompts in the future
• always - continues to normal create-password prompt and adds setting to local configuration that essentially turns on the existing behavior (always ask for local password)

Separately, add a flag to pelican object like --no-save-auth, that triggers the "no" behavior regardless of local configuration.