Hey, we’re building an e-identity platform where we’re gonna allow 3rd party sites to access user data through e.g. OIDC using Keycloak.
There will be 2 different ways of authenticating a user:
- [For users]: WebAuthn authentication through our app (using Keycloak WebAuthn passwordless flow)
- [For third party accessing user data]: Custom Keycloak authenticator that:
  1. Client starts an “authentication session”
  2. Client polls our backend for the “authentication session” to finish successfully
  3. User authenticates through our app using WebAuthn, resolves some challenges and “finishes the authentication session”
  4. When step 3 is finished the client will get access to the user’s attributes
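A model of the backend-side “authentication session” from the steps above, added here as an example (not Keycloak code and not code from the original post): the polling token is unguessable, polling and claiming are scoped to the client that started the session, unfinished sessions expire, the finishing user id is taken only from the WebAuthn-verified app path, and attributes are released exactly once. The class and method names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 120  # a pending session that is not finished in time expires


@dataclass
class AuthSession:
    client_id: str           # the third party that started the session
    created_at: float
    status: str = "pending"  # pending -> approved -> consumed, or expired
    user_id: Optional[str] = None
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # unguessable handle


class AuthSessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested
        self._sessions: Dict[str, AuthSession] = {}
    def _lookup(self, token: str) -> Optional[AuthSession]:
        s = self._sessions.get(token)
        if s and s.status == "pending" and self._clock() - s.created_at > SESSION_TTL_SECONDS:
            s.status = "expired"
        return s
    def start(self, client_id: str) -> str:
        # step 1: the client opens a session and receives only its token
        s = AuthSession(client_id=client_id, created_at=self._clock())
        self._sessions[s.token] = s
        return s.token

    def poll(self, client_id: str, token: str) -> str:
        # step 2: status only, and only for the client that started the session
        s = self._lookup(token)
        return s.status if s and s.client_id == client_id else "unknown"

    def finish(self, token: str, verified_user_id: str) -> bool:
        # step 3: called on the app path after WebAuthn verified the user; the id never comes from the client
        s = self._lookup(token)
        if s is None or s.status != "pending":
            return False
        s.user_id, s.status = verified_user_id, "approved"
        return True

    def claim(self, client_id: str, token: str, attributes_of: Callable[[str], dict]) -> Optional[dict]:
        # step 4: release the user's attributes once, then the session is spent
        s = self._lookup(token)
        if s is None or s.client_id != client_id or s.status != "approved":
            return None
        s.status = "consumed"
        return attributes_of(s.user_id)
```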
I’m new to both Keycloak and OIDC etc., so there’s a lot of unknowns for me here.
I’ve managed to build an authenticator extension for steps 1 and 2, but when I want to create a new login page with the WebAuthn authentication it seems like I can only add alternative authentication methods to the existing login page with my custom authenticator?
Can I only have 1 login page per realm, and if so, should I then create multiple realms (one for each 3rd party and one for our “master” user base)?
If it’s only possible to have 1 login page per realm, can I log in using another method than the login page (WebAuthn) through an SDK or API?
Also, we would like users to be able to add attributes to their profile that they own, and 3rd parties to add attributes to user profiles that the 3rd party owns (the user can’t change the value, but needs to accept the attribute for it to be added).