Documentation for recovery codes (deprecation of password policy and required action config)

closes #39245

Signed-off-by: mposolda <mposolda@gmail.com>
mposolda
2025-04-28 12:42:04 +02:00
committed by Marek Posolda
parent bea2c75f5f
commit e9283ee71d
3 changed files with 15 additions and 0 deletions

Binary file not shown.


@@ -20,6 +20,15 @@ Check the Recovery Codes action is enabled in {project_name}:
Toggle the *Default Action* switch to *On* if you want all the new users to register their Recovery Codes credentials in the first login.
==== Configure the Recovery Codes required action
From the *Required Actions* tab of the admin console, you have the option to configure the *Recovery Authentication Codes* required action. So far, there is a configuration option
*Warning Threshold* available. When user has smaller amount of remaining recovery codes on his account than the value configured here, account console will show warning to the user, which will
recommend him to setup new set of recovery codes. The warning displayed to the user may look similar to this:
.Recovery Codes Account console warning
image:images/recovery-codes-account-console-warn.png[Recovery Codes Account console warning]
==== Adding Recovery Codes to the browser flow
The following procedure adds the `Recovery Authentication Code Form` as an alternative way of login in the default *Browser* flow.
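Review bot: the new "Configure the Recovery Codes required action" paragraph does not state the default value of *Warning Threshold* or what happens when it is left unset, so an administrator cannot tell from this section whether users will see the warning without further configuration; add one sentence covering that. On wording in the same paragraph, "When user has smaller amount of remaining recovery codes on his account" and "recommend him to setup new set" would read better gender-neutral and with the verb form "set up", for example "When a user has fewer remaining recovery codes than the value configured here, the Account Console shows a warning recommending that they set up a new set of recovery codes." "So far, there is a configuration option" could be "Currently, the only configuration option is".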


@@ -18,6 +18,12 @@ It has been a while since discussions started about any activity around the Inst
and any objection from the community about deprecating it for removal. For more details, see
https://github.com/keycloak/keycloak/issues/37967[Deprecate for removal the Instagram social broker].
=== Deprecated password policy Recovery Codes Warning Threshold
In relation to supported Recovery codes, we deprecated the password policy `Recovery Codes Warning Threshold`. This password policy might be removed in the future major version of {project_name}.
This password policy was not related to passwords at all, but was related to recovery codes, and hence using password policy is not appropriate way for the configuration of the threshold. It is
recommended to use the configuration option *Warning Threshold* of the *Recovery Authentication Codes* required action instead of using password policy. For more details, see the link:{adminguide_link}#_recovery-codes[Recovery codes documentation].
=== Deprecated proprietary protocol for client initiated linking to the identity provider account
When you want the user, who is authenticated to your client application, to link his or her account to a specific identity provider, consider using the Application initiated action (AIA) based
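Review bot: the "Deprecated password policy Recovery Codes Warning Threshold" entry tells administrators to use the required action's *Warning Threshold* instead, but does not say whether a value already set through the password policy is carried over or which setting applies when both are configured; a sentence on that would make the upgrade step unambiguous for realms that already use the policy. Wording in the same entry: "in the future major version" should be "in a future major version", "is not appropriate way" is missing "an", and "Recovery codes" here is capitalised differently from "Recovery Codes" in the admin guide text added by this commit.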