I’m trying to get Keycloak user authentication to work with a Yubikey. Unfortunately, I’m a little out of my depth here and would be grateful for some advice.
When logging into Office365, my login page provides a button for selecting a certificate. When my Yubikey is plugged in, the cert is available from a selection popup; I can then select it, enter my PIN, and then I’m authenticated and can access my email.
Is this the same as I can expect with Keycloak? In the blog post above, the author mentions this: “the end user is redirected to the Keycloak login page. The user is asked to select a certificate, and then the user/cert confirmation page is displayed.” Which sounds like the same thing.
When I set up the ‘X509/Validate Username Form’ execution as Alternative, nothing happens (it simply goes to the username and password page, and there isn’t anything in the logs), and when I set it to Required I simply get an error message saying wrong username and password.
I’m testing this from a Docker container running locally (so using a self-signed cert).
Yubikey is about W3C Web Authentication (WebAuthn), which has initial support in Keycloak since the recent version 8.0.0. See the docs on WebAuthn configuration; there are examples of how to configure the flows: Server Administration Guide
Keep in mind the note:
Please note that WebAuthn support is still in development and not yet complete, so we recommend that you use this feature experimentally. Also, this support’s specification and user interfaces may change.
Was anyone able to get the certificate challenge to work with a Keycloak Docker container? I have configured my browser flow exactly like various instructions, but cannot get the challenge to appear on “Alternative”. On “Required” it instantly fails.
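One check worth running for the symptom described in the first and last posts (nothing on Alternative, an immediate failure on Required), added here as an example and not taken from the thread: the X509 authenticator can only act on a certificate the TLS layer actually negotiated, so the first thing to confirm is whether the Keycloak endpoint (or whatever terminates TLS in front of it) sends a CertificateRequest at all. The hostname/port and the abridged `openssl s_client -msg` transcripts below are assumptions and constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): does a TLS endpoint ask the client
# for a certificate? If no CertificateRequest is sent, the browser never shows
# the certificate picker and Keycloak's X509 authenticator sees no cert:
# "Alternative" quietly falls through to the password form, "Required" fails.

# Classify `openssl s_client -msg` output read from stdin:
#   requested     - a CertificateRequest handshake message was seen
#   not-requested - handshake completed, but no client cert was requested
#   unknown       - neither marker present (connection refused, TLS error, ...)
classify_client_auth() {
    out=$(cat)
    case "$out" in
        *"CertificateRequest"*)                          echo requested ;;
        *"Acceptable client certificate CA names"*)      echo requested ;;
        *"No client certificate CA names sent"*)         echo not-requested ;;
        *)                                               echo unknown ;;
    esac
}

# Probe a live endpoint (hypothetical default: a local Keycloak container on
# localhost:8443). -msg prints decoded handshake messages, -servername sets
# SNI, </dev/null makes s_client exit right after the handshake. A self-signed
# server cert is fine: only the handshake is inspected, the chain is not verified.
probe_client_auth() {
    host=${1:-localhost}; port=${2:-8443}
    openssl s_client -connect "$host:$port" -servername "$host" -msg </dev/null 2>&1 \
        | classify_client_auth
}

# Constructed, abridged transcripts for offline use.
SAMPLE_REQUESTED='<<< TLS 1.2, Handshake [length 0045], CertificateRequest
Acceptable client certificate CA names
C = US, O = Example Lab, CN = Example Lab CA
Client Certificate Types: RSA sign, ECDSA sign'
SAMPLE_NOT_REQUESTED='<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
No client certificate CA names sent
Peer signing digest: SHA256'

# Usage: sh check_client_auth.sh --probe <host> <port>
if [ "${1:-}" = "--probe" ]; then
    probe_client_auth "${2:-localhost}" "${3:-8443}"
fi
```

If the result is `not-requested`, the flow configuration in Keycloak is not the problem yet: the TLS endpoint (container or reverse proxy) has to be set up to request client certificates before the X509 execution can do anything.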