From 5468ac8f0b317a336a483d8d7ff731d2557cf974 Mon Sep 17 00:00:00 2001 From: rmartinc Date: Thu, 23 Apr 2026 12:10:48 +0200 Subject: [PATCH 1/3] Make acceptable AAGUID ckeck in WebAuthn stricter Closes #48388 Signed-off-by: rmartinc --- .../topics/authentication/webauthn.adoc | 2 +- .../topics/changes/changes-26_6_2.adoc | 12 +++++ .../admin/messages/messages_en.properties | 2 +- .../requiredactions/WebAuthnRegister.java | 31 ++++++----- .../webauthn/AbstractWebAuthnVirtualTest.java | 1 + .../WebAuthnOtherSettingsTest.java | 53 +++++++++++++++++-- 6 files changed, 80 insertions(+), 21 deletions(-) create mode 100644 docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc diff --git a/docs/documentation/server_admin/topics/authentication/webauthn.adoc b/docs/documentation/server_admin/topics/authentication/webauthn.adoc index d14a38fe6785..3bb2c93d5415 100644 --- a/docs/documentation/server_admin/topics/authentication/webauthn.adoc +++ b/docs/documentation/server_admin/topics/authentication/webauthn.adoc @@ -122,7 +122,7 @@ The configurable items and their description are as follows: |If enabled, {project_name} cannot re-register an already registered WebAuthn authenticator. |Acceptable AAGUIDs -|The white list of AAGUIDs which a WebAuthn authenticator must register against. +|The list of allowed AAGUIDs which a WebAuthn authenticator must register against. An AAGUID (Authenticator Attestation Global Unique Identifier) is a 128-bit identifier indicating the authenticator's type (e.g., make and model). This option needs the **Attestation conveyance preference** to be configured (normally `Direct`) to ensure a trusted AAGUID is passed. Default attestation `None` is not reliable, and can anonymize the AAGUID to zero value. If you setup **Acceptable AAGUIDs** only those authenticators are valid to register new WebAuthn credentials. |=== 
diff --git a/docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc b/docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc
new file mode 100644
index 000000000000..e7522d0f579f
--- /dev/null
+++ b/docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc
@@ -0,0 +1,12 @@
+== Notable changes
+
+Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}.
+It also lists significant changes to internal APIs.
+
+=== WebAuthn acceptable AAGUIDs option restricts authenticators strictly
+
+The WebAuthn policy presents the option **Acceptable AAGUIDs** to restrict the authenticators that are allowed to register new credentials. The AAGUID (Authenticator Attestation Global Unique Identifier) is an identifier for the authenticator's type (e.g., make and model). This option requires the **Attestation conveyance preference** to be configured too (normally `Direct`), in order to force the authenticator to include the attestation inside the registration data.
+
+Since this release, when this option is setup, the attestation is required to be present and signed with a valid certificate for the {project_name} trust-store. The `None` attestation format is explicitly not permitted. Previously, there were some corner cases in which a self attestation was accepted. The change is expected to be harmless, but maybe there are combinations of authenticators and WebAuthn policies that can present issues.
+
+See chapter link:{adminguide_link}#_webauthn-policy[Managing policy] in the {adminguide_name} for more information.
\ No newline at end of file
diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
index 4f64e43033ce..8ece80a6cc2b 100644
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -1309,7 +1309,7 @@ revoke=Revoke
 admin=Admin
 syncUsersError=Could not sync users\: '{{error}}'
 generatedAccessTokenHelp=See the example access token, which will be generated and sent to the client when the selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims and roles assigned to the actual user.
-webAuthnPolicyAcceptableAaguidsHelp=The list of allowed AAGUIDs of which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).
+webAuthnPolicyAcceptableAaguidsHelp=The list of allowed AAGUIDs of which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model). This option needs the Attestation conveyance preference to be configured (normally `Direct`) to ensure a trusted AAGUID is passed. Default attestation `None` is not reliable, and can anonymize the AAGUID to zero value.
 keyPasswordHelp=Password for the private key
 frontchannelLogout=Front channel logout
 clientUpdaterTrustedHostsTooltip=List of Hosts, which are trusted. If that client registration or update request comes from the host/domain specified in this configuration, the condition evaluates to true. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com'), the whole domain example.com is trusted.
diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java b/services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java
index 67c356961151..8142786513ae 100644
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java
@@ -65,6 +65,7 @@ import com.webauthn4j.data.attestation.authenticator.AttestedCredentialData;
 import com.webauthn4j.data.attestation.statement.AttestationStatement;
 import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
+import com.webauthn4j.data.attestation.statement.NoneAttestationStatement;
 import com.webauthn4j.data.client.Origin;
 import com.webauthn4j.data.client.challenge.Challenge;
 import com.webauthn4j.data.client.challenge.DefaultChallenge;
@@ -266,7 +267,7 @@ public void processAction(RequiredActionContext context) {
 AuthenticatorUtil.logoutOtherSessions(context);
 }
- WebAuthnRegistrationManager webAuthnRegistrationManager = createWebAuthnRegistrationManager(policy.getAttestationConveyancePreference());
+ WebAuthnRegistrationManager webAuthnRegistrationManager = createWebAuthnRegistrationManager(policy);
 try {
 // parse
 RegistrationData registrationData = webAuthnRegistrationManager.parse(registrationRequest);
@@ -316,11 +317,12 @@ public void processAction(RequiredActionContext context) {
 * Create WebAuthnRegistrationManager instance
 * Can be overridden in subclasses to customize the used attestation validators
 *
- * @param attestationPreference The attestation selected in the policy
+ * @param policy The webauthn policy defined
 * @return webauthn4j WebAuthnRegistrationManager instance
 */
- protected WebAuthnRegistrationManager createWebAuthnRegistrationManager(String attestationPreference) {
+ protected WebAuthnRegistrationManager createWebAuthnRegistrationManager(WebAuthnPolicy policy) {
 List verifiers = new ArrayList<>(6);
+ final String attestationPreference = policy.getAttestationConveyancePreference();
 if (attestationPreference == null
 || Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED.equals(attestationPreference)
 || AttestationConveyancePreference.NONE.getValue().equals(attestationPreference)) {
@@ -332,10 +334,15 @@ protected WebAuthnRegistrationManager createWebAuthnRegistrationManager(String a
 verifiers.add(new AndroidSafetyNetAttestationStatementVerifier());
 verifiers.add(new FIDOU2FAttestationStatementVerifier());
+ DefaultSelfAttestationTrustworthinessVerifier selfAttestationVerifier = new DefaultSelfAttestationTrustworthinessVerifier();
+ final List acceptableAaguids = policy.getAcceptableAaguids();
+ // self attestation should be disabled to be sure the AAGUID can be trusted
+ selfAttestationVerifier.setSelfAttestationAllowed(acceptableAaguids == null || acceptableAaguids.isEmpty());
+
 return new WebAuthnRegistrationManager(
 verifiers,
 this.certPathtrustVerifier,
- new DefaultSelfAttestationTrustworthinessVerifier(),
+ selfAttestationVerifier,
 Collections.emptyList(), // Custom Registration Verifier is not supported
 new ObjectConverter()
 );
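Review bot: The protected, documented-as-overridable `createWebAuthnRegistrationManager` changes its parameter from `String` to `WebAuthnPolicy`, so a subclass overriding the old signature either stops compiling (`@Override`) or silently turns into an unused overload while the new default is used; neither upgrade note in this series mentions it although the section text says internal API changes are listed there. Keeping a `@Deprecated` `createWebAuthnRegistrationManager(String)` overload that delegates to the new method, or one sentence in the upgrade note, would make the break visible. The javadoc could also state what is read from the argument: `@param policy The WebAuthn policy; its attestation conveyance preference and acceptable AAGUIDs select the verifiers`. The method body continues past the end of this hunk.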
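Review bot: `setSelfAttestationAllowed(acceptableAaguids == null || acceptableAaguids.isEmpty())` treats a list holding only blank strings as a configured allow-list, whereas the admin-console validation added in the second patch only counts entries with `guid?.trim().length > 0`; a realm saved with such entries would have self attestation disabled and then fail every comparison in `checkAcceptedAuthenticator`, which fails closed but is hard to diagnose. Computing the effective list once, with blank entries filtered, in a small helper shared by this method and `checkAcceptedAuthenticator` would keep the server and UI notions of "configured" aligned. The inline comment could also state the reason, e.g. `// a self-signed statement proves nothing about the device claiming the AAGUID, so it cannot back an allow-list decision`.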
@@ -404,20 +411,12 @@ private void showInfoAfterWebAuthnApiCreate(RegistrationData response) {
 private void checkAcceptedAuthenticator(RegistrationData response, WebAuthnPolicy policy) throws Exception {
 String aaguid = response.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid().toString();
 List acceptableAaguids = policy.getAcceptableAaguids();
- boolean isAcceptedAuthenticator = false;
 if (acceptableAaguids != null && !acceptableAaguids.isEmpty()) {
- for(String acceptableAaguid : acceptableAaguids) {
- if (aaguid.equals(acceptableAaguid)) {
- isAcceptedAuthenticator = true;
- break;
- }
+ if (NoneAttestationStatement.FORMAT.equals(response.getAttestationObject().getFormat())) {
+ throw new WebAuthnException("Acceptable AAGUIDs require an attestation format other than 'none'.");
+ } else if (acceptableAaguids.stream().noneMatch(acceptableAaguid -> aaguid.equals(acceptableAaguid))) {
+ throw new WebAuthnException("not acceptable aaguid = " + aaguid);
 }
- } else {
- // no accepted authenticators means accepting any kind of authenticator
- isAcceptedAuthenticator = true;
- }
- if (!isAcceptedAuthenticator) {
- throw new WebAuthnException("not acceptable aaguid = " + aaguid);
 }
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/AbstractWebAuthnVirtualTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/AbstractWebAuthnVirtualTest.java
index 0f60a0e14e17..f26a2e486abc 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/AbstractWebAuthnVirtualTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/AbstractWebAuthnVirtualTest.java
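Review bot: The new branch rejects only the `none` format and then compares AAGUIDs for every other format, but U2F authenticators (a `FIDOU2FAttestationStatementVerifier` is registered in `createWebAuthnRegistrationManager`) report an all-zero AAGUID, so an allow-list containing `00000000-0000-0000-0000-000000000000` admits any U2F device whose attestation certificate chains to the trust store rather than one model; that is worth a comment here or in the admin help text, or an explicit rejection of the zero AAGUID when a list is configured. Style: `response.getAttestationObject()` is now fetched twice in the method and the lambda can be a method reference, `} else if (acceptableAaguids.stream().noneMatch(aaguid::equals)) {`.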
@@ -118,6 +118,7 @@ public abstract class AbstractWebAuthnVirtualTest extends AbstractChangeImported
 protected static final String ALL_ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";
 protected static final String ALL_ONE_AAGUID = "11111111-1111-1111-1111-111111111111";
+ protected static final String CHROME_AAGUID = "01020304-0506-0708-0102-030405060708";
 protected static final String USERNAME = "UserWebAuthn";
 protected static final String EMAIL = "UserWebAuthn@email";
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
index 8862c554cd3c..bf6b4b85c6bd 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
@@ -167,19 +167,66 @@ public void acceptableAaguidsShouldBeEmptyOrNullByDefault() {
 @Test
 @IgnoreBrowserDriver(FirefoxDriver.class) // See https://github.com/keycloak/keycloak/issues/10368
 public void excludeCredentials() throws IOException {
- List acceptableAaguids = Collections.singletonList(ALL_ONE_AAGUID);
+ List acceptableAaguids = Collections.singletonList(ALL_ZERO_AAGUID);
+
+ try (Closeable u = getWebAuthnRealmUpdater()
+ .setWebAuthnPolicyAcceptableAaguids(acceptableAaguids)
+ .setWebAuthnPolicyAttestationConveyancePreference(AttestationConveyancePreference.DIRECT.getValue())
+ .update()) {
+ // webauthn virtual emulator in chrome sets a self signed certificate every time, truststore needs to be disabled
+ testingClient.testing().disableTruststoreSpi();
+
+ WebAuthnRealmData realmData = new WebAuthnRealmData(managedRealm.admin().toRepresentation(), isPasswordless());
+ assertThat(realmData.getAcceptableAaguids(), Matchers.contains(ALL_ZERO_AAGUID));
+
+ registerDefaultUser();
+
+ webAuthnErrorPage.assertCurrent();
+ assertThat(webAuthnErrorPage.getError(), allOf(containsString("not acceptable aaguid"), containsString(CHROME_AAGUID)));
+ } finally {
+ testingClient.testing().reenableTruststoreSpi();
+ }
+ }
+
+ @Test
+ @IgnoreBrowserDriver(FirefoxDriver.class) // See https://github.com/keycloak/keycloak/issues/10368
+ public void excludeCredentialsSuccess() throws IOException {
+ List acceptableAaguids = Collections.singletonList(CHROME_AAGUID);
+
+ try (Closeable u = getWebAuthnRealmUpdater()
+ .setWebAuthnPolicyAcceptableAaguids(acceptableAaguids)
+ .setWebAuthnPolicyAttestationConveyancePreference(AttestationConveyancePreference.DIRECT.getValue())
+ .update()) {
+ // webauthn virtual emulator in chrome sets a self signed certificate every time, truststore needs to be disabled
+ testingClient.testing().disableTruststoreSpi();
+
+ WebAuthnRealmData realmData = new WebAuthnRealmData(managedRealm.admin().toRepresentation(), isPasswordless());
+ assertThat(realmData.getAcceptableAaguids(), Matchers.contains(CHROME_AAGUID));
+
+ registerDefaultUser();
+
+ appPage.assertCurrent();
+ } finally {
+ testingClient.testing().reenableTruststoreSpi();
+ }
+ }
+
+ @Test
+ @IgnoreBrowserDriver(FirefoxDriver.class) // See https://github.com/keycloak/keycloak/issues/10368
+ public void excludeCredentialsUsingNone() throws IOException {
+ List acceptableAaguids = Collections.singletonList(ALL_ZERO_AAGUID);
 try (Closeable u = getWebAuthnRealmUpdater()
 .setWebAuthnPolicyAcceptableAaguids(acceptableAaguids)
 .update()) {
 WebAuthnRealmData realmData = new WebAuthnRealmData(testRealm().toRepresentation(), isPasswordless());
- assertThat(realmData.getAcceptableAaguids(), Matchers.contains(ALL_ONE_AAGUID));
+ assertThat(realmData.getAcceptableAaguids(), Matchers.contains(ALL_ZERO_AAGUID));
 registerDefaultUser();
 webAuthnErrorPage.assertCurrent();
- assertThat(webAuthnErrorPage.getError(), allOf(containsString("not acceptable aaguid"), containsString(ALL_ZERO_AAGUID)));
+ assertThat(webAuthnErrorPage.getError(), containsString("Acceptable AAGUIDs require an attestation format other than 'none'."));
 }
 }
 }
From f53abf1abaddf07965ffddba2202e533c645060b Mon Sep 17 00:00:00 2001 From: rmartinc Date: Fri, 24 Apr 2026 14:01:50 +0200 Subject: [PATCH 2/3] Check Acceptable AAGUIDs sets a attestation preference different to None in admin console Closes #48388 Signed-off-by: rmartinc --- .../admin/messages/messages_en.properties | 3 ++- .../policies/WebauthnPolicy.tsx | 21 +++++++++++++++++-- 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
index 8ece80a6cc2b..d27a5335ebf2 100644
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
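Review bot: Both DIRECT-attestation tests call `disableTruststoreSpi()` before registering, so `excludeCredentialsSuccess` passes with the emulator's self-signed attestation certificate and never exercises the "signed with a valid certificate for the trust-store" requirement the upgrade note describes; a comment saying so, or a companion test that keeps the truststore enabled and expects the registration to be rejected, would close that gap. The new names `excludeCredentialsSuccess` and `excludeCredentialsUsingNone` describe the acceptable-AAGUID restriction rather than excluded credentials; names such as `acceptableAaguidsAcceptListedAuthenticator` and `acceptableAaguidsRejectNoneAttestation` would read better. The `try`/`finally` also runs `reenableTruststoreSpi()` when `update()` itself throws before the SPI was disabled, which looks harmless but is worth a one-line comment.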
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties @@ -604,7 +604,8 @@ regenerate=Regenerate ignoreMissingGroups=Ignore missing groups sslType.external=External requests showMetaData=Show metadata -webAuthnPolicyAttestationConveyancePreferenceHelp=Communicates to an authenticator the preference of how to generate an attestation statement. +webAuthnPolicyAttestationConveyancePreferenceHelp=Communicates to an authenticator the preference of how to generate an attestation statement. None is used by specification if not specified. +acceptableAAGUIDsRequiresAttestation=Acceptable AAGUIDs require an attestation conveyance preference other than None top-level-flow-type.basic-flow=Basic flow groupRemoveError=Error removing group {error} temporaryPasswordHelpText=If enabled, the user must change the password on the next login diff --git a/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx b/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx index e7d1d7610737..952b0f5ad485 100644 --- a/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx +++ b/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx @@ -1,4 +1,5 @@ import type RealmRepresentation from "@keycloak/keycloak-admin-client/lib/defs/realmRepresentation"; +import type { FieldValues } from "react-hook-form"; import { ActionGroup, AlertVariant, @@ -12,7 +13,7 @@ import { } from "@patternfly/react-core"; import { QuestionCircleIcon } from "@patternfly/react-icons"; import { useEffect } from "react"; -import { FormProvider, useForm } from "react-hook-form"; +import { FormProvider, useForm, Validate } from "react-hook-form"; import { useTranslation } from "react-i18next"; import { HelpItem, @@ -71,6 +72,7 @@ type WeauthnSelectProps = { options: readonly string[]; labelPrefix?: string; isMultiSelect?: boolean; + validate?: Validate; }; const WebauthnSelect = ({ 
@@ -80,6 +82,7 @@ const WebauthnSelect = ({ options, labelPrefix, isMultiSelect = false, + validate, }: WeauthnSelectProps) => { const { t } = useTranslation(); return ( @@ -88,7 +91,7 @@ const WebauthnSelect = ({ label={label} labelIcon={labelIcon} variant={isMultiSelect ? "typeaheadMulti" : "single"} - controller={{ defaultValue: options[0] }} + controller={{ defaultValue: options[0], rules: { validate: validate } }} options={options.map((option) => ({ key: option, value: labelPrefix ? t(`${labelPrefix}.${option}`) : option, @@ -119,6 +122,7 @@ export const WebauthnPolicy = ({ setValue, handleSubmit, formState: { isDirty }, + watch, } = form; const namePrefix = isPasswordLess @@ -143,6 +147,7 @@ export const WebauthnPolicy = ({ }; const isFeatureEnabled = useIsFeatureEnabled(); + const acceptableAAGUIDs = watch(`${namePrefix}AcceptableAaguids`, []); return ( @@ -187,6 +192,18 @@ export const WebauthnPolicy = ({ labelIcon={t("webAuthnPolicyAttestationConveyancePreferenceHelp")} options={ATTESTATION_PREFERENCE} labelPrefix="attestationPreference" + validate={(value) => { + const hasValidAAGUIDs = acceptableAAGUIDs.some( + (guid: string) => guid?.trim().length > 0, + ); + + if ( + (value === "none" || value === "not specified") && + hasValidAAGUIDs + ) { + return t("acceptableAAGUIDsRequiresAttestation"); + } + }} /> Date: Mon, 27 Apr 2026 10:57:08 +0200 Subject: [PATCH 3/3] Changes for rebase and review. Closes #48388 Signed-off-by: rmartinc --- .../upgrading/topics/changes/changes-26_4_12.adoc | 13 +++++++++++++ .../upgrading/topics/changes/changes-26_6_2.adoc | 12 ------------ .../admin/messages/messages_en.properties | 2 +- .../src/authentication/policies/WebauthnPolicy.tsx | 2 +- .../webauthn/WebAuthnRegisterAndLoginTest.java | 10 +--------- .../registration/WebAuthnOtherSettingsTest.java | 4 ++-- 6 files changed, 18 insertions(+), 25 deletions(-) delete mode 100644 docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc 
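Review bot: `rules: { validate: validate }` in the `controller` prop can use the object shorthand `rules: { validate }`, and because `validate` is optional every other `WebauthnSelect` usage now passes a rules object whose validator is `undefined`, presumably forwarded to the underlying controller; `rules: validate ? { validate } : undefined` would leave those selects exactly as they were. The component's JSX continues outside the hunk.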
diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_12.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_12.adoc
index 3c45e7e348d1..09b3af47fac1 100644
--- a/docs/documentation/upgrading/topics/changes/changes-26_4_12.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-26_4_12.adoc
@@ -15,3 +15,16 @@ bin/kc.[sh|bat] start --spi-connections-http-client--default--allow-redirects tr
 ----
 See link:{server_guide_base_link}/outgoinghttp[Outgoing HTTP requests documentation] for more information.
+
+== Notable changes
+
+Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}.
+It also lists significant changes to internal APIs.
+
+=== WebAuthn acceptable AAGUIDs option restricts authenticators strictly
+
+The WebAuthn policy presents the option **Acceptable AAGUIDs** to restrict the authenticators that are allowed to register new credentials. The AAGUID (Authenticator Attestation Global Unique Identifier) is an identifier for the authenticator's type (e.g., make and model). This option requires the **Attestation conveyance preference** to be configured too (normally `Direct`), in order to force the authenticator to include the attestation inside the registration data.
+
+Since this release, when this option is set up, the attestation is required to be present and signed with a valid certificate for the {project_name} trust-store. The `None` attestation format is explicitly not permitted. Previously, there were some corner cases in which a self attestation was accepted. The change is expected to be harmless, but maybe there are combinations of authenticators and WebAuthn policies that can present issues.
+
+See chapter link:{adminguide_link}#_webauthn-policy[Managing policy] in the {adminguide_name} for more information.
diff --git a/docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc b/docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc
deleted file mode 100644
index e7522d0f579f..000000000000
--- a/docs/documentation/upgrading/topics/changes/changes-26_6_2.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-== Notable changes
-
-Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}.
-It also lists significant changes to internal APIs.
-
-=== WebAuthn acceptable AAGUIDs option restricts authenticators strictly
-
-The WebAuthn policy presents the option **Acceptable AAGUIDs** to restrict the authenticators that are allowed to register new credentials. The AAGUID (Authenticator Attestation Global Unique Identifier) is an identifier for the authenticator's type (e.g., make and model). This option requires the **Attestation conveyance preference** to be configured too (normally `Direct`), in order to force the authenticator to include the attestation inside the registration data.
-
-Since this release, when this option is setup, the attestation is required to be present and signed with a valid certificate for the {project_name} trust-store. The `None` attestation format is explicitly not permitted. Previously, there were some corner cases in which a self attestation was accepted. The change is expected to be harmless, but maybe there are combinations of authenticators and WebAuthn policies that can present issues.
-
-See chapter link:{adminguide_link}#_webauthn-policy[Managing policy] in the {adminguide_name} for more information.
\ No newline at end of file
diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
index d27a5335ebf2..0d61e891c03e 100644
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -605,7 +605,7 @@ ignoreMissingGroups=Ignore missing groups
 sslType.external=External requests
 showMetaData=Show metadata
 webAuthnPolicyAttestationConveyancePreferenceHelp=Communicates to an authenticator the preference of how to generate an attestation statement. None is used by specification if not specified.
-acceptableAAGUIDsRequiresAttestation=Acceptable AAGUIDs require an attestation conveyance preference other than None
+acceptableAAGUIDsRequiresAttestation=Acceptable AAGUIDs require an attestation conveyance preference to be set and not None
 top-level-flow-type.basic-flow=Basic flow
 groupRemoveError=Error removing group {error}
 temporaryPasswordHelpText=If enabled, the user must change the password on the next login
diff --git a/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx b/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx
index 952b0f5ad485..d2297fba09d7 100644
--- a/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx
+++ b/js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx
@@ -121,8 +121,8 @@ export const WebauthnPolicy = ({
 const {
 setValue,
 handleSubmit,
- formState: { isDirty },
 watch,
+ formState: { isDirty },
 } = form;
 const namePrefix = isPasswordLess
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnRegisterAndLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnRegisterAndLoginTest.java
index c7eac86bb782..71e972a510e4 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnRegisterAndLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnRegisterAndLoginTest.java
@@ -55,7 +55,6 @@ import org.openqa.selenium.firefox.FirefoxDriver;
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
@@ -86,12 +85,6 @@ public class WebAuthnRegisterAndLoginTest extends AbstractWebAuthnVirtualTest {
 public void addTestRealms(List testRealms) {
 RealmRepresentation realmRepresentation = AbstractAdminTest.loadJson(getClass().getResourceAsStream("/webauthn/testrealm-webauthn.json"), RealmRepresentation.class);
- List acceptableAaguids = new ArrayList<>();
- acceptableAaguids.add("00000000-0000-0000-0000-000000000000");
- acceptableAaguids.add("6d44ba9b-f6ec-2e49-b930-0c8fe920cb73");
-
- realmRepresentation.setWebAuthnPolicyAcceptableAaguids(acceptableAaguids);
-
 testRealms.add(realmRepresentation);
 configureTestRealm(realmRepresentation);
 }
@@ -506,8 +499,7 @@ private static WebAuthnRealmAttributeUpdater updateRealmWithDefaultWebAuthnSetti
 .setWebAuthnPolicyAuthenticatorAttachment("cross-platform")
 .setWebAuthnPolicyRequireResidentKey("No")
 .setWebAuthnPolicyRpId(null)
- .setWebAuthnPolicyUserVerificationRequirement("preferred")
- .setWebAuthnPolicyAcceptableAaguids(Collections.singletonList(ALL_ZERO_AAGUID));
+ .setWebAuthnPolicyUserVerificationRequirement("preferred");
 }
 /**
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
index bf6b4b85c6bd..c0e42c8bc6ae 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
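Review bot: Removing the two AAGUIDs from `addTestRealms` and `setWebAuthnPolicyAcceptableAaguids` from `updateRealmWithDefaultWebAuthnSettings` drops the acceptable-AAGUID restriction from every register-and-login scenario instead of adapting it to the stricter check (the realm keeps the default attestation preference, under which the first patch now rejects the `none` format); presumably that coverage is meant to live in `WebAuthnOtherSettingsTest.excludeCredentialsSuccess`, and a comment in the updater saying so would keep the intent visible, e.g. `// acceptable AAGUIDs are not set here: the strict check needs DIRECT attestation, covered by WebAuthnOtherSettingsTest`. Only `java.util.ArrayList` was removed from the imports; if `Collections` has no other use in the file after the `singletonList` call goes, that import is now unused too. The same observation applies to the `@@ -506,8` hunk below.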
@@ -176,7 +176,7 @@ public void excludeCredentials() throws IOException {
 // webauthn virtual emulator in chrome sets a self signed certificate every time, truststore needs to be disabled
 testingClient.testing().disableTruststoreSpi();
- WebAuthnRealmData realmData = new WebAuthnRealmData(managedRealm.admin().toRepresentation(), isPasswordless());
+ WebAuthnRealmData realmData = new WebAuthnRealmData(testRealm().toRepresentation(), isPasswordless());
 assertThat(realmData.getAcceptableAaguids(), Matchers.contains(ALL_ZERO_AAGUID));
 registerDefaultUser();
@@ -200,7 +200,7 @@ public void excludeCredentialsSuccess() throws IOException {
 // webauthn virtual emulator in chrome sets a self signed certificate every time, truststore needs to be disabled
 testingClient.testing().disableTruststoreSpi();
- WebAuthnRealmData realmData = new WebAuthnRealmData(managedRealm.admin().toRepresentation(), isPasswordless());
+ WebAuthnRealmData realmData = new WebAuthnRealmData(testRealm().toRepresentation(), isPasswordless());
 assertThat(realmData.getAcceptableAaguids(), Matchers.contains(CHROME_AAGUID));
 registerDefaultUser();