Programmatically registering & authenticating passkeys

Is it possible to register and authenticate passkeys programmatically?

Does Keycloak expose any endpoint for doing this? If not, how can I achieve this?

Nothing officially, so not stable enough to build something on top of. However, if you’re interested in how it works, search the Keycloak code for WebAuthn.

What exactly do you mean with that? How do you want to use passkeys?

What I mean is, I don’t wanna use the UI provided by Keycloak; instead I wanna use an Angular app as the FE.

When using username and password, we can use the Direct Grant flow and hit the URL “{keycloak_address}/realms/{name}/protocol/openid-connect/token” from a Spring Boot app to authenticate the user.

I’m looking for a similar way to authenticate the user from a Spring Boot app when using passkeys. Basically, I need the Angular app to communicate with my Spring Boot application, and then the Spring Boot app will communicate with Keycloak to authenticate the user (maybe via a REST API call).

So when registering/authenticating a passkey, I need the Spring Boot app as my relying party.

I’d recommend rethinking your complete approach!

“I don’t want to use the Keycloak UI” is the wrong approach when using OIDC. Using a custom login page/behavior in your app just produces a man-in-the-middle! The “Direct Grant Flow”, which is the “Resource Owner Password Credentials Grant” in OAuth2/OIDC, is deprecated and MUST NOT be used! (and it will be omitted in the next version of OAuth2.1!)

And as passkeys are bound to a domain and are handled just by the user’s browser, there is no API like you expect. It’s a negotiation between the server and the client (browser) with the help of an authenticator (operating system, hardware security keys, password manager, smartphone, etc.)

Secure authentication is always about doing the proper things on the secure server, aka Keycloak, with the use of the user’s browser. Please, do yourself and your users a favor and read and understand the specs, before implementing “something that just somehow” works.
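Added example, not part of the thread and not Keycloak's code: a Node.js sketch of the relying-party checks on a WebAuthn assertion that tie a passkey to one domain, which is why the negotiation has to run between the user's browser and the server that owns that domain. The helper names, the hosts `sso.example.com` and `app.example.net`, and the challenge value are assumptions constructed for illustration; signature verification over the authenticator data is deliberately left out.

```javascript
const { createHash } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Hypothetical helper: relying-party checks that bind an assertion to one domain.
// Returns the names of failed checks; an empty array means the binding holds.
function checkAssertionBinding(clientDataJSON, authenticatorData, expected) {
  const failures = [];
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') failures.push('type');
  // The browser writes the origin; page script cannot choose it.
  if (clientData.origin !== expected.origin) failures.push('origin');
  // Must be the challenge this server issued for this login attempt.
  if (clientData.challenge !== expected.challenge) failures.push('challenge');
  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return [...failures, 'authenticatorData'];
  const rpIdHash = authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(expected.rpId))) failures.push('rpIdHash');
  if ((authenticatorData[32] & 0x01) === 0) failures.push('userPresent');
  return failures;
}

// Constructed sample input: the two byte strings a browser and authenticator
// would produce for a ceremony run on the given origin and RP ID.
function sampleAssertion(rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // flags 0x05 = user present + user verified, signCount = 1
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  return { clientDataJSON, authenticatorData };
}

// What the identity provider expects for its own login page (constructed values).
const expected = {
  rpId: 'sso.example.com',
  origin: 'https://sso.example.com',
  challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl',
};

const atIdp = sampleAssertion('sso.example.com', 'https://sso.example.com', expected.challenge);
const atOtherSite = sampleAssertion('app.example.net', 'https://app.example.net', expected.challenge);
console.log(checkAssertionBinding(atIdp.clientDataJSON, atIdp.authenticatorData, expected));
console.log(checkAssertionBinding(atOtherSite.clientDataJSON, atOtherSite.authenticatorData, expected));
```

An assertion produced on a different site fails both the `origin` and `rpIdHash` checks even when the challenge matches, so a separate front end cannot collect it on the identity provider's behalf.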

