Credential Managers communicate with data sources in order to validate and manage credentials. A Credential Manager is in charge of checking a password, either by pre-hashing it with a certain algorithm as needed or by leaving it unchanged so that the back-end repository can do that work. In addition, Credential Managers perform other operations on credentials only. A Credential Manager can be used in several places in the configuration (i.e. in authenticators, SDK plugins, script procedures) to verify or transform credentials; it is also used internally by OAuth flows that accept a credential directly (e.g., the Client Credentials flow and the Resource Owner Password Credentials flow).
The Curity Identity Server supports several algorithms for password transformation, identified by the following hash prefixes:
$2a$
$P$
$H$
$5$
$6$
Note
Keep in mind that the setting related to the cost of each algorithm is used only when creating or updating a password. Password verification doesn’t use this setting; it works even when the configured cost differs from the one the saved password was created with, because the saved password’s hash is used to figure out how to verify it (using the cost and salt of the saved hash).
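The behaviour described in the note can be reproduced with the `$P$`/`$H$` scheme, which fits in the Python standard library. This is an added example, not Curity's code: the function names are hypothetical and the scheme is re-implemented here for illustration. The cost is consulted only in `create_hash`, while `verify` reads cost and salt back out of the saved hash.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's own base64 variant: little-endian 24-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1)]
    return "".join(out)

def _phpass(password: str, log2_cost: int, salt: str) -> str:
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("utf-8") + pw).digest()
    for _ in range(1 << log2_cost):           # 2**cost stretching rounds
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2_cost] + salt + _encode64(digest)

def create_hash(password: str, configured_cost: int) -> str:
    """Create/update path: the only place the configured cost is consulted."""
    return _phpass(password, configured_cost, _encode64(os.urandom(6)))

def parse_stored(stored: str) -> tuple[int, str]:
    """Recover (log2 cost, salt) from a saved '$P$' or '$H$' hash."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost = ITOA64.find(stored[3])
    if not 7 <= cost <= 30:                    # range accepted by phpass
        raise ValueError("cost character out of range")
    return cost, stored[4:12]

def verify(password: str, stored: str) -> bool:
    """Verify path: takes no cost argument; parameters come from the hash."""
    try:
        cost, salt = parse_stored(stored)
    except ValueError:
        return False
    candidate = _phpass(password, cost, salt)
    return hmac.compare_digest(candidate[3:].encode(), stored[3:].encode())

if __name__ == "__main__":
    old = create_hash("constructed-sample-pw", configured_cost=8)
    print(old, parse_stored(old)[0], verify("constructed-sample-pw", old))
```

A hash created at cost 8 keeps verifying after the configured cost is raised to 10, and it stays at cost 8 until the password is next created or updated.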
One of the use cases for Credential Managers is verifying credentials of user accounts that also exist in the system. Depending on the data source that is used for credentials (and its settings), the status of an account may or may not be considered when verifying the credentials. For scenarios where the account status is not considered at that point (e.g. credentials and accounts are stored in separate data sources), a Credential Manager can be configured to additionally check whether a user account for the given username exists and is active. In this case, a data source for user accounts must be configured, in addition to the credentials data source. Credentials for inactive accounts are deemed invalid. Refer to the documentation of the chosen credentials data source to determine whether the account status is checked when retrieving/verifying credentials.