[keycloak-user] Keycloak 8 and WebAuthn

Chris Boot lists at bootc.boo.tc
Tue Nov 19 07:51:56 EST 2019


Hi all,

I'm *so* glad to see WebAuthn and multiple authenticator support, but
I'm having trouble making use of it.

I'm following the documentation:
https://www.keycloak.org/docs/latest/server_admin/index.html#_webauthn

The scenario I would like to achieve is:
- No user registration. We use LDAP federated accounts.
- Login *requires* either OTP *or* WebAuthn.
- Users must be able to manage their WebAuthn and OTP tokens themselves.

I can achieve most of this by having a custom browser flow with a
required sub-flow of the Browser Forms that has WebAuthn and OTP as
alternatives. It's a bit unfriendly that a user has to select WebAuthn
from the popup and then click again to make it happen, but I expect we
can live with that.

What I cannot achieve is user self-management. The WebAuthn stuff
doesn't appear anywhere in the User Account Service screens despite the
documentation suggesting it should:

https://www.keycloak.org/docs/latest/server_admin/index.html#view-registered-webauthn-authenticator

Is the documentation incorrect? How do I make this show up?

I really need for users to not have to take any action to replace their
OTP tokens if they don't want to, but they should be able to add
multiple WebAuthn tokens without admin intervention.

Thanks,
Chris

-- 
Chris Boot
bootc at boo.tc
