KEYCLOAK-16134 Allow webauthn idless login flow #7564
vanrar68 wants to merge 1 commit into keycloak:master from
Force-pushed d221b3f to f233547
Created dedicated authenticator, required action, credential type and policy for usernameless authentication flows.
Force-pushed 45b8d65 to 3c787a0
Force-pushed 3c787a0 to a2928b0
mposolda left a comment:
@vanrar68 Thanks for the pull request and sorry for the late response. I appreciate all the changes in this PR, however we don't want to introduce another tab in the admin console and another set of "implementations". We have planned some improvements, so that it is possible to create more configurations/policies inside the realm and then you can add authenticators to the authentication flows and bind them to the various configurations etc.
Will it be an option to just change the method "WebAuthnAuthenticator.requiresUser()" to false (which will effectively change it also for WebAuthnPasswordlessAuthenticator) and then just throw an exception during the authentication for the case that the user is not set? It seems maybe it will just work to throw the exception from this line https://github.com/keycloak/keycloak/blob/12.0.0/services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnAuthenticator.java#L155 in case that the user is not set?

@vanrar68 I am closing the PR due to the lack of feedback, but feel free to re-open once you address the comments. Thanks

Sorry, I can't find the time to update this right now.

@vanrar68 Hello. Can you help me with this problem? 14:15:34,791 WARN [org.keycloak.events] (default task-31) type=LOGIN_ERROR, I have reread the commit and the conversation again. If I understand correctly, this commit is only a part of what is needed for idless to work?

@mposolda I've made the changes as per your request but am unable to reopen the PR. Should I submit a new one?

Just created PR #7860 since this one can't be reopened.
Minor changes required to make the webauthn idless scenario work with the current code:
Don't know if this is the best approach. The IDLess authentication flow requires a resident key and user verification (realm-level global configuration located in the WebAuthn Passwordless Policy). Mixed scenarios (passwordless/non-resident key and idless/resident key) won't be possible with the current policy configuration. Need for an IDLess Policy / IDLess Credential / IDLess Authenticator?