Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication/webauthn
Describe the bug
Summary
With the introduction of WebAuthn Conditional UI in Keycloak (see #24305), an infinite (re-)loading situation was introduced. For any WebAuthn/Passkey API error which occurs after the page is loaded, the browser goes into an infinite loop.
Analysis
Any error occurring when executing initAuthenticate() in https://github.com/keycloak/keycloak/blob/main/themes/src/main/resources/theme/base/login/resources/js/passkeysConditionalAuth.js#L54 is propagated to returnFailure().
This then sets the error to an invisible form-field, which is then POSTed to keycloak.
export function returnFailure(err) {
    document.getElementById("error").value = err;
    document.getElementById("webauth").submit();
}
Using this pattern of POSTing back the error causes infinite loops, especially for code paths that are directly executed again after the page has successfully loaded.
How to fix
Use a different pattern to show errors (not POSTing back?) or do not execute the code path if an error is currently displayed (from the previous request).
Version
25.0.5
Regression
- The issue is a regression
Expected behavior
Keycloak should not send browser into infinite (re-)loading loop if certain features are not available.
Actual behavior
Keycloak sends browser into infinite loading loop.
How to Reproduce?
Install DuckDuckGo browser (for example on macOS or Android) or any other browser that does not yet support Passkey Conditional UI but already exposes PublicKeyCredential.isConditionalMediationAvailable as a function.
Anything else?
No response
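The reload loop and the second fix option from the report (skip the code path when an error from the previous request is displayed), as an added example that is not code from the issue or from Keycloak. It is a DOM-free model: `failingConditionalAuth`, `serverHandlePost`, `onLoadUnguarded`, `onLoadGuarded` and `countPageLoads` are hypothetical names, and it assumes the server answers the error POST by re-rendering the login page with the error shown.

```javascript
// Constructed model of the login page round trip; not Keycloak's code.
// Assumption: the conditional-UI call fails on every page load, as in a
// browser that exposes the API but cannot complete the flow.
function failingConditionalAuth() {
  throw new Error("passkey API unavailable (constructed error)");
}

// Assumption: a POST carrying an error re-renders the login page with
// that error displayed.
function serverHandlePost(form) {
  return { errorShown: form.error !== "" };
}

// Pattern described in the issue: every failure is POSTed back, and the
// re-rendered page runs the same code path again on load.
function onLoadUnguarded(page, submit) {
  try {
    failingConditionalAuth();
  } catch (err) {
    submit({ error: String(err) });
  }
}

// Guarded variant: if the page already displays an error from the previous
// request, do not start conditional authentication again.
function onLoadGuarded(page, submit) {
  if (page.errorShown) return;
  try {
    failingConditionalAuth();
  } catch (err) {
    submit({ error: String(err) });
  }
}

// Drives the browser/server round trip and counts page loads.
// maxLoads caps the otherwise endless unguarded loop.
function countPageLoads(onLoad, maxLoads = 20) {
  let page = { errorShown: false };
  let loads = 0;
  while (page !== null && loads < maxLoads) {
    loads += 1;
    let posted = null;
    onLoad(page, (form) => { posted = form; });
    page = posted ? serverHandlePost(posted) : null; // no POST: page stays put
  }
  return loads;
}
```

The unguarded handler only stops at the `maxLoads` cap, while the guarded one settles after the second load with the error left on screen.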