Is it possible to register and authenticate passkeys programmatically ?
Does the keycloak expose any endpoint for doing this ? If not, how can i achieve this ?
Nothing officially, so not stable enough to build something on top of. However, if you're interested in how it works, search the Keycloak code for WebAuthn.
What exactly do you mean by that? How do you want to use passkeys?
What I mean is, I don't want to use the UI provided by Keycloak; instead I want to use an Angular app as the FE.
When using username and password we can use the Direct Grant flow and hit the URL "{keycloak_address}/realms/{name}/protocol/openid-connect/token" from a Spring Boot app to authenticate the user.
I'm looking for a similar way to authenticate the user from a Spring Boot app when using passkeys; basically I need the Angular app to communicate with my Spring Boot application, and then Spring Boot will communicate with Keycloak to authenticate the user (maybe via a REST API call).
So when registering/authenticating a passkey I need the Spring Boot app as my relying party.
I'd recommend rethinking your complete approach!
"I don't want to use the Keycloak UI" is the wrong approach when using OIDC. Using a custom login page/behavior in your app just produces a man-in-the-middle! The "Direct Grant Flow", which is the "Resource Owner Password Credentials Grant" in OAuth2/OIDC, is deprecated and MUST NOT be used! (and it will be omitted in the next version, OAuth 2.1!)
And as passkeys are bound to a domain and are handled just by the user's browser, there is no API like you expect. It's a negotiation between the server and the client (browser) with the help of an authenticator (operating system, hardware security key, password manager, smartphone, etc.).
Secure authentication is always about doing the proper things on the secure server, aka Keycloak, with the use of the user's browser. Please, do yourself and your users a favor and read and understand the specs before implementing "something that just somehow" works.
Hi,
I wanted to do the same thing as @svr666: do WebAuthn authentication via API, because it's easier to make and maintain a real custom login page instead of a Keycloak theme. It's just my point of view; maybe I'm making a mistake.
I just came across your answer.
It seems like a bad idea to try to make authentication by API.
However, I cannot understand why there is more risk of man-in-the-middle with the API than with the Keycloak UI, as both are HTTPS exchanges.
Can you give me some details about these risks please?
I doubt it.
Complete functionality is already available, securely implemented. Look'n'feel can be completely adjusted to custom layouts.
OAuth2/OIDC is NOT about using an API to do things! There are good security reasons to use browser-based flows to authenticate users. Don't think you know better. Or if you do, just don't use OAuth2/OIDC.
The moment a user enters their credentials somewhere other than on the secure server (aka Authorization Server in terms of OAuth2 or Identity Provider in terms of OIDC), the "elsewhere" (your app) is the man-in-the-middle. MITM is not only about some attacker listening to the traffic...
Thanks for your answer.
So it's really deprecated to authenticate a user through a REST API?
Even with WebAuthn, we just send a public key or a challenge signed with the private key, so no password in transit?
But you're right, I read some threads about authenticating with a REST API and passing user/password being bad practice.
I'm a bit disappointed.
Thanks for your explanations.
I have somewhat the same use case: basically I want to use OIDC with passkeys rather than passwords. Do you think there is a simple way to achieve that with Keycloak?
I have a similar use case, where I want to pre-provision user accounts with registered security keys (with a FIDO2 discoverable credential), and it would help tremendously if it was possible to do this programmatically to avoid user error.
I.e., I'd only like to automate the registration part. Preferably without ever having to set a password for the user, but that is secondary.
In pseudo code I would like to do this:
# Insert 2-3 unprovisioned / fresh security keys at trusted admin workstation
for each key ...
    # Prepare security key config
    ...
    pin = random()
    key.set_fido2_pin(pin)
    pins[key] = pin

# Login to keycloak REST API
...

# Create a user
id = ...

# for each key, register it
for each key ...
    # contact keycloak instance for challenge / options
    options = handle-request("GET /admin/realms/{realm}/users/{id}/webauthn-register-begin")
    # Talk to local FIDO2 key, supply pin if necessary...
    client_data = FIDO2Client.create_credential(options, pins[key])
    # Finish registration
    result = handle-request("PUT /admin/realms/{realm}/users/{id}/webauthn-register-complete client_data")
    # Do something with the result
    .... ??

# finished with registration of security keys to user id
# loop again for additional users and keys