Keycloak Authentication Provider implementation for Webauthn with Conditional Mediation (Passkey autofill)

embesozzi/keycloak-webauthn-conditional-mediation

Keycloak: WebAuthn Conditional Mediation Authenticator

This is a WebAuthn authenticator that supports WebAuthn Conditional UI or Passkey autofill. It's based on the OOTB WebAuthnPasswordlessAuthenticator, with a touch of customization and love ♥️ on the UI side.

When moving from passwords to passkeys, there might be challenges. User experience matters a lot. The default “modal” experience might not be good in some cases. But using the passkey with autofill (WebAuthn Conditional UI) feature can improve the login process. Keycloak version 22 lacks this feature, which is why I developed this custom SPI. Furthermore, it is beneficial to have the flexibility to customize the user experience according to your business requirements.

This custom authenticator is utilized in the following workshop:

You will find there a cool workshop covering MFA, passkeys, and step-up authentication.

How does it work?

If this authenticator is configured as part of a browser-based login flow, Keycloak will:

  • Enable passkey autofill when supported by the browser.

  • Display the “Sign with passkeys” button if passkey autofill is not available.

  • Present the traditional username and password login option if passkeys (WebAuthn) are not supported.
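
The three cases above map onto browser feature detection. The following is an added example, not code from this repository: the function names `selectLoginMode` and `buildCredentialRequest` and the mode strings are assumptions, while `PublicKeyCredential.isConditionalMediationAvailable()` and the `mediation: 'conditional'` option of `navigator.credentials.get()` are the standard WebAuthn browser APIs.

```javascript
// Added example: pick the login UI for the three cases listed above.
// `win` is the browser `window`, passed in so the logic can be run against stubs.
async function selectLoginMode(win) {
  const pkc = win && win.PublicKeyCredential;
  const creds = win && win.navigator && win.navigator.credentials;
  if (!pkc || !creds || typeof creds.get !== 'function') {
    return 'password'; // WebAuthn unsupported: username/password form only
  }
  if (typeof pkc.isConditionalMediationAvailable === 'function') {
    try {
      if (await pkc.isConditionalMediationAvailable()) {
        return 'autofill'; // passkeys appear in the username field's autofill list
      }
    } catch (err) {
      // A failing probe is treated as "not available"; fall through to the button.
    }
  }
  return 'button'; // WebAuthn works, but only through the modal dialog
}

// Build the argument for navigator.credentials.get().
// `publicKey` must carry a fresh challenge issued by the server for this login
// attempt; `signal` comes from an AbortController so that a pending conditional
// request can be aborted before a button-triggered one is started.
function buildCredentialRequest(mode, publicKey, signal) {
  if (mode !== 'autofill' && mode !== 'button') {
    throw new Error('no WebAuthn request in mode: ' + mode);
  }
  const request = { publicKey, signal };
  if (mode === 'autofill') {
    // Conditional mediation: the returned promise stays pending until the user
    // picks a passkey. The input needs autocomplete="username webauthn".
    request.mediation = 'conditional';
  }
  return request;
}
```

In the login page, pass the result of `buildCredentialRequest` to `navigator.credentials.get()` and send the returned assertion to the server for verification; the mode decision only selects the UI and is not a security check.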

Here's an example of the Browser login flow:

Here's the default user experience when trying to log in with passkeys, which is a dialog that pops up. In some cases the UX is not good.

  • Default user experience with Passkeys

By using the feature called conditional UI (a part of the WebAuthn standard), you can enhance the UX. You can include passkeys in autofill suggestions.

  • Improved Passkeys with suggestions

Considerations:
Check out the Passkeys Browser Autofill UI Device Support link. So far, Ubuntu does not support Passkey Autofill UI.

How to install?

Build with:

mvn clean package

Follow the below instructions depending on your distribution and runtime environment.

Quarkus-based distro

Copy the jar to the providers folder and execute the following command:

${kc.home.dir}/bin/kc.sh build

Container image (Docker)

For Docker-based setups mount or copy the jar to /opt/keycloak/providers.

Warning:

With the release of Keycloak 17 the Quarkus-based distribution is now fully supported by the Keycloak team. Therefore, I have not tested this extension in the Wildfly-based distro ❗

Test Cases

The test cases are available in the workshop: