Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension

* Don't require clicking "Authenticate" button, it's confusing and should happen automatically * Use a required action for registration, not an authenticator and custom registration flow. This fits better with the future plans of application initiated actions, and also allows users not self-registered.

* Don't use custom table for credentials. I see it's marked as an open issue, but just wanted to mention it again. Custom entities are not supported, this has issues with hot-deployment and I don't want to have to add additional tables for each credential type.

* Problems on re-build/deploy as mentioned in open issues is related to two things I think. Firstly, the above with regards to custom entities. Secondly, we have an issue that theme resources are not re-loaded on re-load (see https://issues.jboss.org/browse/KEYCLOAK-8044).

With regards to testing have you done any research into possibility of functional testing? I know we've discussed this in the past, but not sure if any progress has been made here.

Hi, We've updated the webauthn authenticator prototype based on webauthn4j : https://clicktime.symantec.com/3WCzrfPNkLpaxtUGpjWEzmE7Vc?u=https%3A%2 F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator%2Ftree%2 Fdemo-completed We've confirmed that this demo worked well under the following environments: * U2F with Resident Key Not supported Authenticator Scenario OS : Windows 10 Browser : Google Chrome (ver 73), Mozilla FireFox (ver 66) Authenticator : Yubico Security Key Server(RP) : keycloak-5.0.0 * U2F with Resident Key supported Authenticator Scenario OS : Windows 10 Browser : Microsoft Edge (ver 44) Authenticator : Internal Fingerprint Authentication Device Server(RP) : keycloak-5.0.0 * UAF with Resident Key supported Authenticator Scenario OS : Windows 10 Browser : Microsoft Edge (ver 44) Authenticator : Internal Fingerprint Authentication Device Server(RP) : keycloak-5.0.0 We will continue to improve the prototype, so feedback is welcomed. Regards, Yuichi Nakamura -----Original Message----- From: keycloak-dev-bounces(a)lists.jboss.org < keycloak-dev-bounces(a)lists.jboss.org&gt; On Behalf Of 中村雄一 / NAKAMURA，YUUICHI Sent: Tuesday, March 19, 2019 4:32 PM To: stian(a)redhat.com Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension Hi, Sorry, we have implemented only for Edge now. Please wait for other browsers. > One comment is that it shouldn't create a new table, but rather just serialize the value to the existing credential table in the same way as the FIDO U2F example does [1]. Thank you, we will fix. Regards, Yuichi Nakamura From: Stian Thorgersen <sthorger(a)redhat.com&gt; Sent: Monday, March 18, 2019 5:49 PM To: 中村雄一 / NAKAMURA，YUUICHI <yuichi.nakamura.fe(a)hitachi.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>; 乗松隆志 / NORIMATSU，TAKASHI <takashi.norimatsu.ws(a)hitachi.com>; 茂木昂士 / MOGI，TAKASHI < takashi.mogi.ep(a)hitachi.com>; Yoshikazu Nojima <mail(a)ynojima.net&gt; Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension Tried this out today and it didn't work for me. I was getting some JS error both on Chrome and Firefox when trying to register authenticator. One comment is that it shouldn't create a new table, but rather just serialize the value to the existing credential table in the same way as the FIDO U2F example does [1]. [1] https://clicktime.symantec.com/3XYorxFfnwRutc8N4z3Ubc77Vc?u=https%3A%2 F%2Fgithub.com%2Fstianst%2Fkeycloak-experimental%2Ftree%2Fmaster%2Ffid o-u2f On Fri, 15 Mar 2019 at 08:13, 中村雄一 / NAKAMURA，YUUICHI <mailto: yuichi.nakamura.fe(a)hitachi.com&gt; wrote: Hi, We’ve uploaded the initial prototype of webauthn authenticator below: https://clicktime.symantec.com/37NWG7BAMWtR42Swt5VUTw77Vc?u=https%3A%2 F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator Feedback is welcomed. From: Stian Thorgersen <mailto:sthorger@redhat.com> Sent: Thursday, February 28, 2019 6:53 PM To: 中村雄一 / NAKAMURA，YUUICHI <mailto:yuichi.nakamura.fe@hitachi.com> Cc: keycloak-dev <mailto:keycloak-dev@lists.jboss.org> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension That's great, thanks. Do you have an idea on roughly when you can have a prototype ready? On Thu, 28 Feb 2019 at 00:32, 中村雄一 / NAKAMURA，YUUICHI <mailto:mailto: yuichi.nakamura.fe(a)hitachi.com&gt; wrote: Hi, My team has begun to help webauthn4j project, and is going to develop prototype of authenticator for keycloak. We'd like to take this. Regards, Yuichi Nakamura Hitachi, Ltd. -----Original Message----- From: mailto:mailto:keycloak-dev-bounces@lists.jboss.org <mailto:mailto: keycloak-dev-bounces(a)lists.jboss.org&gt; On Behalf Of Stian Thorgersen Sent: Thursday, February 28, 2019 12:26 AM To: keycloak-dev <mailto:mailto:keycloak-dev@lists.jboss.org> Subject: [!][keycloak-dev] Request for someone to contribute an WebAuthn4j extension A while back I created an experimental extension to Keycloak for FIDO U2F. It would be great if someone could adapt this to WebAuthn by leveraging webauthn4j library [1]. Any takers? It shouldn't be hard ;) [1] https://clicktime.symantec.com/3DJdi8ZVRTPPRjKw5d1qT287Vc?u=https%3A%2 F%2Fgithub.com%2Fwebauthn4j%2Fwebauthn4j _______________________________________________ keycloak-dev mailing list mailto:mailto:keycloak-dev@lists.jboss.org https://clicktime.symantec.com/35NVx3Bd41ZVjjssocqwjpK7Vc?u=https%3A%2 F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://clicktime.symantec.com/3K7AmDtC5f54UYS4NNrH1wo7Vc?u=https%3A%2 F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev