
Conversation

@tnorimat (Contributor)

closes #24264

@mposolda (Contributor)

@tnorimat Nice, Thanks!

Is it worth covering this also in the passkeys.adoc documentation? IMO I am completely fine with including all the screenshots you attached to #24264 directly in the documentation (for illustration purposes) if it is OK with you.

@mposolda mposolda self-assigned this Oct 26, 2023
@mposolda (Contributor)

@thomasdarimont What do you think?

@tnorimat (Contributor, Author)

@mposolda Yes, I will add documentation.

@mposolda mposolda marked this pull request as ready for review October 26, 2023 14:55
@mposolda mposolda requested a review from a team as a code owner October 26, 2023 14:55
@tnorimat tnorimat force-pushed the ISSUE-24264-passkey-conditional-ui branch from 8b5a84b to 3a2062c Compare October 27, 2023 02:47
@ghost ghost added the flaky-test label Oct 27, 2023
@tnorimat tnorimat force-pushed the ISSUE-24264-passkey-conditional-ui branch from 3a2062c to f03157c Compare October 27, 2023 06:07
@tnorimat tnorimat requested a review from a team as a code owner October 27, 2023 06:07
@ghost ghost added the team/cloud-native label Oct 27, 2023
@tnorimat tnorimat force-pushed the ISSUE-24264-passkey-conditional-ui branch 3 times, most recently from be1e778 to 1185596 Compare October 27, 2023 09:16
@ghost commented Oct 27, 2023

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithCRLSignedWithIntermediateCA3FromTruststore

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...
java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromFile

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...
java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttp

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithInvalidSignatureCRL

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginWithMultipleRevocationLists

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithEmptyRevocationListFromFile

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithEmptyRevocationListFromHttp

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithRevocationListFromDistributionPoints

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginWithMultipleRevocationListsUsingInvalidCert

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

@ghost left a review comment

Unreported flaky test detected, please review

@tnorimat tnorimat force-pushed the ISSUE-24264-passkey-conditional-ui branch 2 times, most recently from 646a6ca to b5f797c Compare October 27, 2023 20:54
@ghost commented Oct 27, 2023

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.admin.IdentityProviderTest#testMapperTypes

Keycloak CI - Base IT (1)

jakarta.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:250)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:216)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:136)
...

@ghost left a review comment

Unreported flaky test detected, please review

@tnorimat (Contributor, Author)

@mposolda I fixed the points and added documentation. Could you check it?

Contributor (review comment)

Suggested change (original line, then suggested replacement):
passkey-unsupported-browser-text=Passkey is not supported by this browser. Try another one or contact your administrator.
passkey-unsupported-browser-text=Passkey is not supported by this browser. Try another authentication method or contact your administrator.

@tnorimat (Contributor, Author)

Thank you. I will fix it.

@mposolda (Contributor)

@tnorimat @rmartinc Few points to this:

  • I don't think we should remove the Passkeys: Supporting WebAuthn Conditional UI #24264 issue from the passkeys epic. AFAIK we want passkeys conditional UI support as part of the passkeys effort, as this is an important use-case. Any reason for removing it from the epic?

  • IMO it is important to support both the use-case where the authenticator is "standalone" and the use-case where it is possible to use passkeys directly on the username & password form and choose passkeys as an alternative to the password. The use-case with standalone "passkeys" is important IMO, as I can imagine some people may want to use passkeys and not use passwords at all.

  • My vote ATM is to keep the PR as is and just document the fact that for the "passkeys" flow, the user must have a passkeys credential. We can document it with the registration flow adjustments I pointed out above for now, as in this case self-registered users will have a passkeys credential set on their accounts. IMO this is sufficient to keep passkeys as PREVIEW for now.

As a follow-up, we can also improve the use-case of username & password authentication (something like @rmartinc did) and improve the UX for the case when the admin creates users instead of users self-registering (maybe with a slightly adjusted "Reset credentials" flow and an added "Forget passkey" link in the passkeys authenticator in case "Forgot password" is enabled for the realm).

WDYT?
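The browser side of the "standalone" passkeys conditional UI login discussed in this comment, as an added example that is not part of this PR or of Keycloak's login theme. It shows the three things a page offering only a passkey login has to get right: detecting conditional mediation (so it can show the "not supported by this browser" text instead of a dead form), asking for a discoverable credential with `mediation: "conditional"` and an empty `allowCredentials`, and packaging the assertion (including `userHandle`, which is the only thing that identifies the user when no username was typed) for the server. It assumes the server embeds a base64url challenge and the rpId in the page and that the username input carries `autocomplete="username webauthn"`; the `clientDataMatches` check mirrors what the server must verify and is not a substitute for server-side signature verification.

```javascript
// Added example for this thread, not Keycloak's own login-theme code.
// Assumptions (not from the PR): the server put a base64url challenge and the
// rpId into the page, and the username input has autocomplete="username webauthn".

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// WebAuthn byte fields travel as unpadded base64url (RFC 4648 section 5).
function bytesToBase64Url(bytes) {
  let out = '', acc = 0, bits = 0;
  for (const b of bytes) {
    acc = ((acc << 8) | b) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 63]; }
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 63];
  return out;
}

function base64UrlToBytes(str) {
  const out = []; let acc = 0, bits = 0;
  for (const ch of str.replace(/=+$/, '')) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url input');
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 255); }
  }
  return Uint8Array.from(out);
}

// Credential fields arrive as ArrayBuffers; accept views too for testing.
const toBytes = (x) => (ArrayBuffer.isView(x)
  ? new Uint8Array(x.buffer, x.byteOffset, x.byteLength)
  : new Uint8Array(x));

// Conditional mediation is optional for browsers; a page that only offers a
// passkey login must detect it and otherwise show the unsupported-browser text.
async function conditionalUiAvailable(win) {
  const pkc = win && win.PublicKeyCredential;
  if (!pkc || typeof pkc.isConditionalMediationAvailable !== 'function') return false;
  try { return (await pkc.isConditionalMediationAvailable()) === true; } catch (e) { return false; }
}

// The request that makes the browser list discoverable credentials in the
// username field: no allowCredentials (the user is not known yet) and
// userVerification "required" because the passkey replaces the password.
function buildConditionalRequest({ challenge, rpId, timeoutMs = 120000 }, signal) {
  if (!challenge || !rpId) throw new Error('challenge and rpId are required');
  return {
    mediation: 'conditional',
    signal,
    publicKey: {
      challenge: base64UrlToBytes(challenge),
      rpId,
      allowCredentials: [],
      userVerification: 'required',
      timeout: timeoutMs,
    },
  };
}

// Encode the assertion for the POST back to the server. userHandle is what lets
// the server find the user, since no username was typed; challenge, origin,
// rpIdHash, signature and counter are for the server to verify, not the page.
function serializeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64Url(toBytes(cred.rawId)),
    clientDataJSON: bytesToBase64Url(toBytes(r.clientDataJSON)),
    authenticatorData: bytesToBase64Url(toBytes(r.authenticatorData)),
    signature: bytesToBase64Url(toBytes(r.signature)),
    userHandle: r.userHandle ? bytesToBase64Url(toBytes(r.userHandle)) : null,
  };
}

// What the server must check in clientDataJSON before it looks at the signature:
// the ceremony type, the exact challenge it issued, and its own origin.
function clientDataMatches(assertion, expectedChallenge, expectedOrigin) {
  const cd = JSON.parse(new TextDecoder().decode(base64UrlToBytes(assertion.clientDataJSON)));
  return cd.type === 'webauthn.get' && cd.challenge === expectedChallenge && cd.origin === expectedOrigin;
}

// Start the autofill request when the login page loads. The AbortController lets
// the page cancel it before issuing a modal (button-triggered) request, which
// browsers require. Takes the window object so it can run outside a browser.
async function startConditionalLogin(win, params) {
  if (!(await conditionalUiAvailable(win))) return { supported: false, assertion: null };
  const abort = new AbortController();
  const cred = await win.navigator.credentials.get(buildConditionalRequest(params, abort.signal));
  return { supported: true, assertion: serializeAssertion(cred), abort };
}
```

In a page, `startConditionalLogin(window, { challenge, rpId })` runs on load; when `supported` is false the page shows the unsupported-browser message, otherwise it posts `assertion` to the server. Because the flow has no username step, everything that ties the assertion to a user and to this login attempt (challenge freshness, origin, `rpIdHash`, signature over `authenticatorData || SHA-256(clientDataJSON)`, and the `userHandle` lookup) lives on the server; the page only transports bytes.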

@rmartinc (Contributor)

@mposolda OK to me, I would also document that the current implementation does not integrate webauthn conditional UI with the normal username-password login.

@mposolda (Contributor)

> @mposolda OK to me, I would also document that the current implementation does not integrate webauthn conditional UI with the normal username-password login.

+1, can this be added in this PR as a NOTE in the docs, with a notice that we plan to support this use-case in the future?

@tnorimat tnorimat marked this pull request as ready for review May 15, 2024 01:26
@tnorimat tnorimat force-pushed the ISSUE-24264-passkey-conditional-ui branch from 699c81e to 7bfab28 Compare May 15, 2024 02:13
@tnorimat (Contributor, Author)

@mposolda @rmartinc Sorry for my late reply.

IMO the ideal experience is that we have a flow where the user is able to log in with a passkeys loginless credential, but at the same time is able to fall back to username + password (+ two-factor if needed) if he doesn't have passkeys. I am not yet sure how to best achieve this experience without duplicating too much code...

The "passkey or password" authentication case is discussed in the following issue:
#25779

@mposolda (Contributor) previously approved these changes May 15, 2024 and left a comment

@tnorimat Thanks!

@andymunro Are you able to re-review the documentation changes in this PR, please?

@mposolda mposolda requested a review from andymunro May 15, 2024 06:20
@jonkoops (Contributor) previously approved these changes May 15, 2024 and left a comment

LGTM

Contributor (review comment)

Suggested change (original line, then suggested replacement):
NOTE: Storage capacity is usually very limited on hardware passkeys meaning that you cannot store many discoverable credentials on your passkey. However this limitation may be mitigated for instance if you use Android phone backed by Google account as a passkey device or iPhone backed by Bitwarden.
NOTE: Storage capacity is usually very limited on hardware passkeys meaning that you cannot store many discoverable credentials on your passkey. However, this limitation may be mitigated for instance if you use an Android phone backed by a Google account as a passkey device or an iPhone backed by Bitwarden.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
. Configure the authentication flow. Create a new authentication flow, add the *Passkeys Conditional UI Authenticator* execution and set the Requirement setting of the execution to *Required*
. Configure the authentication flow. Create a new authentication flow, add the *Passkeys Conditional UI Authenticator* execution and set the Requirement setting of the execution to *Required*.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
. Bind the flow above as *browser* authentication flow in the realm as described in the <<_webauthn-register, WebAuthn section above>>.
. Bind the flow above as a *browser* authentication flow in the realm as described in the <<_webauthn-register, WebAuthn section above>>.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
The authentication flow above requires that user must already have passkey credential on his account to be able to login. This means that all users in the realm must have passkeys already set.
The authentication flow above requires that user must already have passkey credential on his or her account to be able to log in. This requirement means that all users in the realm must have passkeys already set.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
That can be achieved for instance by enable user registration as described below.
That can be achieved for instance by enabling user registration as described below.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
This means that newly registered users will not be required to create the passwords as for this example setup, we want the users to always use passkeys instead of the passwords.
This means that newly registered users will not be required to create the passwords in this example setup. Users must always use passkeys instead of passwords.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
. Go back to *Required actions* sub-tab of the tab *Authentication* tab and find the `Webauthn Register Passwordless` action and mark it with *Set as default action*.
. Return to the *Required actions* sub-tab of the tab *Authentication* tab and find the `Webauthn Register Passwordless` action and mark it with *Set as default action*.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

Contributor (review comment)

Not sure what "to test this" means.

@tnorimat (Contributor, Author)

"to test this" is not needed, so I removed the words. Thank you.

Contributor (review comment)

Suggested change (original line, then suggested replacement):
We plan to improve the usability and allow to integrate conditional passkeys with the existing authenticators and forms like the default username / password form.
We plan to improve the usability and allow integration of conditional passkeys with the existing authenticators and forms such as the default username / password form.

@tnorimat (Contributor, Author)

Thank you. I fixed it as you suggested.

@andymunro (Contributor) left a review comment

Looks good. A few suggestions for you, however.

@tnorimat tnorimat dismissed stale reviews from jonkoops and mposolda via 761bbb3 May 16, 2024 02:13
@tnorimat tnorimat force-pushed the ISSUE-24264-passkey-conditional-ui branch from 7bfab28 to 761bbb3 Compare May 16, 2024 02:13
@tnorimat (Contributor, Author)

@andymunro Thank you for your review. I fixed the points you suggested.
@mposolda I have fixed the documentation.

@mposolda (Contributor) left a review comment

@mposolda mposolda merged commit b4e7d9b into keycloak:main May 16, 2024
@tnorimat tnorimat deleted the ISSUE-24264-passkey-conditional-ui branch May 21, 2025 05:10

Development

Successfully merging this pull request may close these issues.

Passkeys: Supporting WebAuthn Conditional UI

9 participants