This is a WebAuthn authenticator that supports WebAuthn Conditional UI, also known as passkey autofill. It's based on the OOTB WebAuthnPasswordlessAuthenticator, with a touch of customization and love.
Moving from passwords to passkeys brings challenges, and user experience matters a lot. The default “modal” experience might not be good in some cases, but the passkey autofill feature (WebAuthn Conditional UI) can improve the login process. Keycloak version 22 lacks this feature, which is why I developed this custom SPI. Furthermore, it is beneficial to have the flexibility to customize the user experience according to your business requirements.
This custom authenticator is utilized in the following workshop:
You will find there a cool workshop covering MFA, passkeys, and step-up authentication.
If this authenticator is configured as part of a browser-based login flow, Keycloak will do the following:
- Enable passkey autofill when supported by the browser.
- Display the “Sign with passkeys” button if passkey autofill is not available.
- If passkeys (WebAuthn) are not supported, present the traditional username and password login option.
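The three-way fallback above comes down to browser feature detection. The following is an added example, not code from this extension: `chooseLoginMode`, `startAutofill` and the `env` parameter (a window-like object, so the logic also runs outside a browser) are hypothetical names, while `isConditionalMediationAvailable()` and `mediation: 'conditional'` are the standard WebAuthn API.

```javascript
// Added example, not the extension's own code.
// `env` is a window-like object (hypothetical parameter); pass `window` in a browser.
async function chooseLoginMode(env) {
  const pkc = env.PublicKeyCredential;
  // No WebAuthn at all: fall back to username and password.
  if (typeof pkc === 'undefined' || !env.navigator || !env.navigator.credentials) {
    return 'password';
  }
  // Conditional mediation must be feature-detected; older browsers lack the method.
  if (typeof pkc.isConditionalMediationAvailable === 'function') {
    try {
      if (await pkc.isConditionalMediationAvailable()) return 'autofill';
    } catch (_) {
      // A failed probe is treated as "not available": fall through to the button.
    }
  }
  // WebAuthn works, but only through the modal dialog behind a button.
  return 'button';
}

// Starts the non-modal request that feeds passkeys into the autofill list.
// `publicKey` holds the request options issued by the server (challenge, rpId, ...).
function startAutofill(env, publicKey) {
  const controller = new AbortController();
  const pending = env.navigator.credentials.get({
    publicKey,
    mediation: 'conditional', // do not show the modal dialog; wait for an autofill pick
    signal: controller.signal, // lets the page cancel if the user chooses another method
  });
  return { pending, abort: () => controller.abort() };
}
```

For the browser to list passkeys in its suggestions, the username field needs `autocomplete="username webauthn"`. The pending conditional request should be aborted before starting a modal request from the button, since only one WebAuthn request can be outstanding at a time.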
Here's an example of the Browser login flow:
Here's the default user experience when trying to log in with passkeys: a dialog that pops up. In some cases this UX is not good.
- Default user experience with Passkeys
By using the feature called conditional UI (a part of the WebAuthn standard), you can enhance the UX. You can include passkeys in autofill suggestions.
- Improved Passkeys with suggestions
Considerations:
Check out the Passkeys Browser Autofill UI Device Support link. So far, Ubuntu does not support Passkey Autofill UI.
Build with:
mvn clean package
Follow the below instructions depending on your distribution and runtime environment.
Copy the jar to the providers folder and execute the following command:
${kc.home.dir}/bin/kc.sh build
For Docker-based setups, mount or copy the jar to /opt/keycloak/providers.
Warning:
With the release of Keycloak 17, the Quarkus-based distribution is now fully supported by the Keycloak team. Therefore, I have not tested this extension in the WildFly-based distribution ❗
The test cases are available in the workshop: