Setup WebAuthn on Mobile

I am new to OIDC and WebAuthn. I want to provide a progressive passwordless experience for my users. I understand that passkeys are supported by Windows/Mac/iOS/Android.
I want to configure a Keycloak client so that it can authenticate using OIDC flows. But I have two questions.

  • Which OIDC flow should I be using? I know using Implicit flow is bad. What choice do I have, given I cannot use authorization grant flow as I am developing a mobile app? Opening a web view on the phone app to provide a fingerprint seems odd to me.
  • How should I configure the authentication override for my client such that the default fallback is a username and password, but if the user has a passkey, then it defaults to that mechanism?

In the mobile scenario, you have a public client. Therefore, in browser-based authentication, you open a browser (not a webview, as it is not recommended due to security best practices) with the Authorization Code + PKCE flow implementing OpenID Connect (OIDC). If you want to follow the standards, this is the only way.

However, for the API-based authentication scenario, there is a proposed standard called OAuth 2.0 for First-Party Applications, which improves the user experience by allowing the app to control the login process without requiring redirection or launching a browser. Here is an article [1] where I explain how it works in Keycloak with passkeys (disclaimer: it is not yet supported by Keycloak, which is why we developed custom extensions to enable these features).

[1] Deep Dive into Enhancing User Experience with Native Authentication and Passkeys in Keycloak | by Martin Besozzi | Jul, 2024 | Medium

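To make the Authorization Code + PKCE flow for a public mobile client concrete, here is an added example (it is not code from the reply above, from Keycloak, or from the linked article). It builds the authorization request the app hands to the system browser, validates the redirect that comes back, and assembles the token request without any client secret. The endpoint URL, client id and custom-scheme redirect URI are assumed placeholders; the one fixed verifier in the usage note is the RFC 7636 Appendix B test vector, used only to check the S256 challenge derivation.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: replace with your own realm, client and redirect URI.
AUTHORIZE_ENDPOINT = "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/auth"
CLIENT_ID = "mobile-app"                          # hypothetical public client
REDIRECT_URI = "com.example.app:/oauth2redirect"  # hypothetical custom-scheme redirect


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Fresh code_verifier per login: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(verifier: str, state: str, nonce: str) -> str:
    """URL the app opens in the system browser (never an embedded web view)."""
    params = {
        "response_type": "code",              # code flow, not implicit
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,                       # binds the callback to this request
        "nonce": nonce,                       # echoed in the ID token
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect back into the app and return the authorization code."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        # A state mismatch means the response was not triggered by our request.
        raise ValueError("state mismatch: rejecting callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code


def token_request_body(code: str, verifier: str) -> dict:
    """Form body for the token endpoint; the verifier replaces a client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier = make_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_request(verifier, state, nonce))
    # Constructed callback, as the OS would deliver it to the app after login:
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    print(token_request_body(parse_callback(callback, state), verifier))
```

The verifier and state live only in app memory for the duration of one login; because the token request carries no secret, the `code_verifier` is what stops an intercepted authorization code from being redeemed by anyone else. Keycloak itself handles whether the user sees a passkey prompt or a password form during the browser step, so the app code above does not change between the two.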

Is this still the case that it is not supported by Keycloak and thus the solution is to either use a browser, implement our own SPIs, or pay for a solution like yours?