Best way to add WebAuthn when using password grant and custom login UI #46243
Replies: 1 comment
As far as I understand, that flow is not possible as webauthn is completed at browser level, where it has direct access to the website's information, and will perform other actions besides user authentication. One such action is making sure that the website you are currently on is the one where the token was registered. This is meant to prevent MITM attacks using platforms that clone the original website. Other authentication methods are susceptible to such attacks since the attacker can relay the client requests and server responses, with the user being responsible for ensuring that they are on the correct website.
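To make the origin binding described in that reply concrete, here is an added Python example (not Keycloak's code and not from this thread) of the relying-party checks a server performs on a WebAuthn assertion before verifying its signature: the challenge, the origin the browser recorded in clientDataJSON, and the rpIdHash in authenticatorData. The RP ID, origin, challenge and byte strings are constructed for illustration; signature verification over authenticatorData || sha256(clientDataJSON) is a separate step and is omitted here.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, expected_origin: str,
                            rp_id: str) -> list:
    """Return the names of failed checks; an empty list means the binding checks passed.
    The browser fills in 'origin', the authenticator fills in rpIdHash, and both are
    covered by the assertion signature, so a relaying site cannot rewrite them."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        failures.append("challenge")          # replayed or attacker-chosen challenge
    if client_data.get("origin") != expected_origin:
        failures.append("origin")             # assertion was produced on another site
    expected_rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    if len(authenticator_data) < 37 or authenticator_data[:32] != expected_rp_id_hash:
        failures.append("rpIdHash")           # credential scoped to a different RP ID
    elif not authenticator_data[32] & 0x01:
        failures.append("userPresent")        # UP flag must be set
    return failures


# Constructed test fixtures standing in for what a browser and authenticator would produce.
def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 7) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


RP_ID, ORIGIN = "app.example", "https://app.example"          # hypothetical relying party
CHALLENGE = b"\x01" * 32                                       # constructed; use random per ceremony


def demo():
    genuine = check_assertion_binding(make_client_data(CHALLENGE, ORIGIN),
                                      make_authenticator_data(RP_ID), CHALLENGE, ORIGIN, RP_ID)
    # A look-alike site relaying the ceremony gets its own origin and RP ID baked in.
    relayed = check_assertion_binding(make_client_data(CHALLENGE, "https://app.example.lookalike.test"),
                                      make_authenticator_data("app.example.lookalike.test"),
                                      CHALLENGE, ORIGIN, RP_ID)
    return genuine, relayed
```

In practice an authenticator would not even release a credential scoped to a different RP ID; the point is that a custom grant that accepts assertions must still perform these same server-side checks, as Keycloak's built-in WebAuthn authenticator does.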
Hello,
My application has a fully custom login UI and currently uses grant_type=password (Direct Grant) to obtain tokens from Keycloak.
I now need to add WebAuthn (passkeys), but the login UI must remain inside my application (no redirect to Keycloak login pages).
What would be the recommended architecture?
Should I implement a custom OAuth2 grant type (SPI) like grant_type=webauthn?
Or is there a better way to integrate WebAuthn while still issuing standard Keycloak tokens?
Is mixing Direct Grant and WebAuthn considered a bad practice in Keycloak?
I want a solution that is clean, maintainable, and compatible with future Keycloak upgrades.
Thanks