Default to required otp auth type

This is likely what most people expect, and works around keycloak/keycloak#28979

Author: wouterh-dev

spi/src/main/java/nl/wouterh/keycloak/trusteddevice/authenticator/CredentialConfiguredCondition.java

@@ -22,11 +22,17 @@ public boolean matchCondition(AuthenticationFlowContext context) {
     if (authConfig != null && authConfig.getConfig() != null) {
       boolean negateOutput = Boolean.parseBoolean(
           authConfig.getConfig().get(CredentialConfiguredConditionFactory.CONF_NEGATE));
-      String[] authenticatorNames = Constants.CFG_DELIMITER_PATTERN.split(
-          authConfig.getConfig().get(CredentialConfiguredConditionFactory.CONF_AUTH));
-      boolean hasAuthenticator = Arrays.stream(authenticatorNames)
-          .anyMatch(authenticator -> context.getUser().credentialManager()
-              .isConfiguredFor(authenticator));
+      boolean hasAuthenticator = false;
+
+      String authenticatorNamesStr = authConfig.getConfig()
+          .get(CredentialConfiguredConditionFactory.CONF_AUTH);
+      if (authenticatorNamesStr != null) {
+        String[] authenticatorNames = Constants.CFG_DELIMITER_PATTERN.split(
+            authenticatorNamesStr);
+        hasAuthenticator = Arrays.stream(authenticatorNames)
+            .anyMatch(authenticator -> context.getUser().credentialManager()
+                .isConfiguredFor(authenticator));
+      }
 
       return hasAuthenticator != negateOutput;
     }

spi/src/main/java/nl/wouterh/keycloak/trusteddevice/authenticator/CredentialConfiguredConditionFactory.java

@@ -63,6 +63,7 @@ public List<ProviderConfigProperty> getConfigProperties() {
     authTypes.setLabel("Authenticator types");
     authTypes.setHelpText(
         "Condition matches if one of the user has one of the authenticator types configured");
+    authTypes.setDefaultValue("otp");
 
     ProviderConfigProperty negateOutput = new ProviderConfigProperty();
     negateOutput.setType(ProviderConfigProperty.BOOLEAN_TYPE);