KEYCLOAK-16134 Allow webauthn idless login flow#7860
Conversation
18d20b6 to
25f32a2
Compare
|
Added some modifications of the authenticator setup code in DefaultAuthenticationFlow.java. |
25f32a2 to
326f22b
Compare
326f22b to
287e3ef
Compare
|
@vanrar68 Sorry for late response. To me, the changes looks good. TBH I would prefer to let them in once we have WebAuthn automated tests in place to make sure that our currently supported WebAuthn use-cases (with WebAuthn as 2nd-factor or passwordless) are not somehow broken by this change. We have PR for WebAuthn automated testing already in progress and hopefully will be added soon #8534 . @tnorimat Does this change looks good to you or do you see any further issues with it? |
|
@vanrar68 It will be also good to have some documentation for this. If you have an example how to integrate Keycloak with WebAuthn idless login, it will be nice to be added to the WebAuthn section of Keycloak documentation. Ideally details like:
|
287e3ef to
ba326e3
Compare
There was a problem hiding this comment.
It seems that L435 and L436 changes the original codes' logic for condition of throwing AuthenticationFlowException in L442.
To keep the same condition for throwing it in the original codes, how about the following?
if (authUser != null && !authenticator.configuredFor(processor.getSession(), processor.getRealm(), authUser)) {
if (factory.isUserSetupAllowed() && model.isRequired() && authenticator.areRequiredActionsEnabled(processor.getSession(), processor.getRealm())) {
If you intentionally changed this condition, could you tell me this reason?
There was a problem hiding this comment.
The purpose of the modification is to handle credential setup for authenticators that don't require a user to be set. Your proposition looks good to me, I'll update the code accordingly in order to stay the closest possible to the existing code (though I think we should get rid of the meaningless comment line)
There was a problem hiding this comment.
processor.getAuthenticationSession().getAuthenticatedUser() can be replaced with authUser .
Yes I agree, but as mentioned by @mposolda there seem to be some major work going on right now on webauthn testing framework, see #8534. I'd rather wait until this work is merged and implement the loginless test on top of that even if this means waiting some more to have loginless support in Keycloak. What do you think ? |
Yes, I'll create a PR for keycloak-documentation regarding the configuration of webauthn idless auth |
a56a316 to
6da8bfe
Compare
|
Yes, I agree with you. |
@mposolda Does this need a JIRA/Github Issue to be opened on the keycloak-documentation project or is a PR enough ? |
+1 from me as well |
PR is enough. You can use the same JIRA in this PR to keycloak-documentation as you used in this PR. |
|
@vanrar68 @tnorimat Thanks for the review Takashi and Thanks Joaquim for incorporating Takashi's feedback! However I see there are failing tests and looks it may be regression of this PR. This may need to be investigated. I guess that is the consequence of the changes in the DefaultAuthenticationFlow. If it is possible to address this PR without changes in DefaultAuthenticationFlow, it will be great (Not 100% sure it is possible). |
|
@mposolda, @tnorimat |
I'll have a look |
LOL, actually there is a way to have webauthn loginless without touching DefaultAuthenticationFlow: PR7564 I'll have a look at the failing tests anyway |
|
Documentation PR: keycloak/keycloak-documentation#1306 |
440968d to
53e12c4
Compare
|
Includes an attempt at moving the "Try another way" link on the login page (before Identity Providers buttons). |
|
The failed tests are linked to the UI change not the idless feature itself |
|
@vanrar68 Thanks for the update. I'll check it. |
53e12c4 to
1b91b42
Compare
|
This is my best (and last) shot at the UI: |
|
@mabartos did you get a chance to review to UI part of this PR ? |
mabartos
left a comment
There was a problem hiding this comment.
@vanrar68 Great work! In general, LGTM.
Just one nitpick with the parameter in the template.ftl file, which could be solved (see below). The design changes look good. The test itself looks good as well, but it needs some polishing, regarding new changes in the WebAuthn testsuite, in order to make it stable for a long time, but IMO, it might be solved in some follow-up task, where I can solve it. @mposolda WDYT?
I executed the pipeline tests for WebAuthn and they passed.
See https://keycloak-jenkins.com/job/universal-test-pipeline-server/1290/
(We need to focus only on the results for the specific test and browser Chrome... I verify the other failures are expected for this PR.)
@vanrar68 Thanks!
There was a problem hiding this comment.
I was wondering if it's a proper solution to obtain sessionFactory in each iteration as the session (AFAIK) should be the same for the whole method. However, as one of the main purposes of the AuthenticationProcessor class is to manage the state of the authentication process and there are no other calls to dynamically changing objects, I don't consider this as a blocker for this PR. Just wanted to take it into consideration.
There was a problem hiding this comment.
@mabartos Something like this ? :
KeycloakSessionFactory sessionFactory = processor.getSession().getKeycloakSessionFactory();
typeAuthExecMap.forEach((key, value) -> {
AuthenticatorFactory credbasedAuthenticatorFactory = (AuthenticatorFactory) sessionFactory.getProviderFactory(Authenticator.class, value.getAuthenticator());
Authenticator credbasedAuthenticator = credbasedAuthenticatorFactory.create(processor.getSession());
if (!credbasedAuthenticator.requiresUser()) {
userlessCredBasedAuthenticationSelectionList.add(new AuthenticationSelectionOption(processor.getSession(), value));
}
});
There was a problem hiding this comment.
Yep, I have sth like that in my mind, or maybe for the whole method. But I think you can keep it there as is. It might not have any performance issues.
1b91b42 to
3ce59cc
Compare
|
@mabartos just rebased to latest main and removed the showAnotherWayIfPresent from template.ftl as requested |
3ce59cc to
9db55f2
Compare
|
@mposolda did you get a chance to review this PR ? |
Rework of a previously closed PR #7564 with changes requested by @mposolda
Prior to this PR WebAuthN authenticators (regular and passwordless) required a user to be set before asking for a webauthn device.
This PR removes the need for a user to be previously set when a webauthn credential containing a user id is submitted.