webauthn4j / keycloak-webauthn-authenticator

Apache License 2.0

Register a user without their password in passwordless authentication use case #22

Open tnorimat opened 5 years ago

tnorimat commented 5 years ago

In the passwordless authentication scenario, a user does not need to set and use a password.

cdanger commented 5 years ago

Hello, I'm very interested in this feature. Just to confirm, does this mean that a FIDO2 security key protected by a PIN code (e.g. Yubikey 5) does not work yet with this plugin?

tnorimat commented 5 years ago

Hello, it does not mean that. This issue means that when the user registers their account on keycloak in the first place, keycloak prompts the user to input a username and password, but in the passwordless scenario keycloak should not prompt the user to input a password.

As for a FIDO2 security key protected by a PIN code, this prototype might work well with such a security key.

tnorimat commented 5 years ago

Sorry, in the passwordless scenario, I'm afraid that a FIDO2 security key protected by a PIN code cannot be used. In the passwordless scenario, the end user's authenticator needs to have the Resident Key capability. I'm not sure whether your authenticator has this capability or not.

ynojima commented 5 years ago

For passwordless authentication uses cases, security keys must support two features.

Some security keys support user verification by PIN code (Yubikey5), and some by an embedded sensor (Feitian BioPass2). I'm not sure all FIDO2 security keys support the resident key feature, but at least Yubikey5 supports it. So Yubikey5 can be used for the passwordless authentication scenario (but you need to provide the PIN during authentication instead of a password).

cdanger commented 5 years ago

Thanks for the prompt reply :-) In the meantime, I managed to get my Yubikey 5 to work with the Webauthn Authenticator and with a PIN (only on the latest Windows 10 with the latest Firefox), but only if I have the username/password form first, which I'd like to skip. Indeed, if I have the Webauthn Authenticator in the Authentication flow and I remove the Username Password Form, then when I try to authenticate, Keycloak returns the "Invalid user/password" error right away. It seems to ignore the Webauthn Authenticator in this case. Tested on Keycloak v6.0.1.

So is it a known issue related to what you are trying to fix here, i.e. the passwordless authentication use case? Or is the Webauthn Authenticator supposed to work on Keycloak even if there is no Username/Password form (or any other username/authentication mechanism) in the authentication flow? Just checking whether I need to create a different issue in order to address this.

My answers to your comments below, in case that helps.

> Hello, it does not mean that. This issue means that when the user registers their account on keycloak in the first place, keycloak prompts the user to input a username and password, but in the passwordless scenario keycloak should not prompt the user to input a password.

> As for a FIDO2 security key protected by a PIN code, this prototype might work well with such a security key.

Yes, that's what I'm looking for as well, because in my case the PIN code should replace the password as the second factor; and therefore I'd rather get rid of the username/password form in the authentication flow and jump to the FIDO/Webauthn authentication right away (using the PIN) on Keycloak.

> Sorry, in the passwordless scenario, I'm afraid that a FIDO2 security key protected by a PIN code cannot be used. In the passwordless scenario, the end user's authenticator needs to have the Resident Key capability. I'm not sure whether your authenticator has this capability or not.

Yes, my authenticators do. I am indeed using the Yubikey 5 series, which supports PIN codes and resident keys. The Yubico developer guide on Resident keys is quite explicit: https://developers.yubico.com/FIDO2/FIDO2_WebAuthn_Developer_Guide/Resident_Keys.html ... especially the last paragraph, which describes my use case pretty well: a username-less flow with a PIN and with no password sent over the wire. But I am unable to make this work with the Webauthn authenticator on Keycloak. Looking for any help.

tnorimat commented 5 years ago

@cdanger One point I would like to ask you: did you carry out the following procedure?

1) set up flow - set up the authentication flow described in Authentication Flow Settings - Browser Flow (Use Resident Key) of https://github.com/webauthn4j/keycloak-webauthn-authenticator .

2) user account and authenticator registration - you first create your user account on keycloak (inputting username and password) and register your Yubikey 5 authenticator. (navigator.credentials.create())

3) authentication - with the authentication flow set up in 1), you try to authenticate. (navigator.credentials.get())

cdanger commented 5 years ago

Yes, I did:

  1. Step 1 OK. I have the same flow, applied to a specific Client of mine (Client ID: my-webapp) via Settings > Authentication Flow Overrides > Browser Flow option on the client (didn't want to break the access to the User Account service or Admin Console).
  2. Step 2 OK. To be accurate, I first created the user account as an admin, set a password, and made sure the Webauthn Register action is set in Required User Actions. Then, with a different browser (Edge v44.18362.1.0), I logged in as the new user with username/password on the User Account service, was asked to register the authenticator (prompted for the PIN first), and accessed the account page successfully. At this point, from the admin console (in a different browser), I can check in Attributes tab of the user entry that a PUBLIC_KEY_CREDENTIAL_ID attribute is set. So I assume the authenticator is successfully registered (?).
  3. Step 3: for the authentication, with the Edge browser, I sign my user out of the User Account (and cleared the browser cache and restarted the browser to make sure), then attempt an OpenID Connect authentication request with client ID my-webapp (to which the Webauthn flow is applied as mentioned). I get a Windows popup with this error message: This security key doesn't look familiar. Please try a different one. Screenshot: Keycloak-webauthn-passwordless-fail

    Then I can only cancel, so I'm stuck there.

My environment:

A few other interesting tests:

I guess in the latter case Keycloak already knows the username somehow from the previous username/password authentication, whereas in the other case Keycloak is trying to get the username from the authenticator, in vain. But that's a wild guess on my part. Any idea why? Could it be that the user.id property is not set properly on the authenticator during registration?

tnorimat commented 5 years ago

@cdanger thank you for the information. I will investigate the code.

tnorimat commented 5 years ago

@cdanger From your information, I guess that your Microsoft Edge v44 judged that your Yubikey 5C Nano cannot handle the ResidentKey and User Verification options and returned that error.

I'm still not sure why this happens. If possible, could you try other browsers (Chrome, Firefox)?

Aside from that, in Step 2 you've successfully registered.

> If I log on to the keycloak User Account service using the default browser flow (with username/password only) first, then do the OIDC authentication request for my Webauthn-enabled Client (my-webapp), without signing out from Keycloak this time, the Webauthn authentication happens (I am prompted to enter the PIN, touch the key) and succeeds!

I guess that when you first logged in by the default browser flow, your browser got an SSO Cookie from keycloak, and next, when you tried the OIDC authentication request without signing out, keycloak found the user from the SSO Cookie, found their public key credential ID, set it as the allowCredentials option of navigator.credentials.get(), and the browser's call succeeded.
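
The two request shapes this thread contrasts, written out as an added example (this is not code from the keycloak-webauthn-authenticator project). It builds the `navigator.credentials.create()` options for a resident-key registration (the user.id question above) and the `navigator.credentials.get()` options either with an empty allow list (username-less, resident-key flow) or with the credential IDs a server already knows for the user (the SSO-cookie case), and it maps the `NotSupportedError` a browser raises when it cannot do resident credentials. The relying-party ID `localhost`, the base64url-encoded challenge and credential IDs, and the helper names are assumptions constructed for the example.

```javascript
// Added example; not part of the keycloak-webauthn-authenticator project.
// Decodes base64url (the encoding WebAuthn relying parties commonly use for
// challenges, user IDs and credential IDs) into bytes.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof Buffer !== "undefined"
    ? Buffer.from(padded, "base64").toString("binary")
    : atob(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Registration options for a resident (discoverable) credential: the
// authenticator must store user.id itself so a later get() with no
// allowCredentials can find the user. PIN/biometric is required so the
// key can stand in for a password.
function buildCreateOptions({ challenge, rpId, rpName, userId, userName }) {
  return {
    challenge: base64urlToBytes(challenge),
    rp: { id: rpId, name: rpName },
    user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      residentKey: "required",
      requireResidentKey: true,
      userVerification: "required",
    },
    timeout: 60000,
  };
}

// Authentication options. With knownCredentialIds empty the server does not
// know who is logging in yet, so allowCredentials is omitted and the
// authenticator must look the user up from its resident credential. With
// known IDs (user identified by a form or an SSO cookie) the request is
// restricted to those credentials, which older browsers also accept.
function buildGetOptions({ challenge, rpId, knownCredentialIds = [] }) {
  const publicKey = {
    challenge: base64urlToBytes(challenge),
    rpId,
    timeout: 60000,
    userVerification: "required",
  };
  if (knownCredentialIds.length > 0) {
    publicKey.allowCredentials = knownCredentialIds.map((id) => ({
      type: "public-key",
      id: base64urlToBytes(id),
    }));
  }
  return publicKey;
}

// Turns a failed get() into a diagnostic string for the login page or log.
function explainGetError(err, usedResidentKeyFlow) {
  const name = err && err.name ? err.name : "Error";
  if (name === "NotSupportedError" && usedResidentKeyFlow) {
    return "resident-key flow unsupported: this browser/authenticator cannot " +
           "serve an empty allowCredentials list; identify the user first " +
           "(form or SSO session) and send their credential IDs instead";
  }
  if (name === "NotAllowedError") {
    return "user cancelled, timed out, or the key holds none of the allowed credentials";
  }
  return "unexpected " + name + ": " + (err && err.message ? err.message : "");
}

// Browser entry point; only meaningful where the WebAuthn API exists.
async function authenticate(params) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("WebAuthn API not available in this environment");
  }
  const publicKey = buildGetOptions(params);
  try {
    return await navigator.credentials.get({ publicKey });
  } catch (err) {
    throw new Error(explainGetError(err, !publicKey.allowCredentials));
  }
}
```

The only difference between the working and the failing call in the thread is whether `allowCredentials` is present: a server that has already identified the user (username form or SSO cookie) can always populate it, while the username-less request needs a browser and key that support resident credentials and user verification.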

cdanger commented 5 years ago

Yes, I tried with Firefox 67 as well, and I got the same behavior (same error message) with the Keycloak webauthn plugin.

I want to emphasize the fact that both the Edge and Firefox browsers work for me on Yubico's password-less login demo website (with the same PC, OS and authenticator). (Chrome is not officially supported there, unlike Edge/Firefox, so I am ignoring Chrome for now.)

tnorimat commented 5 years ago

@cdanger I've found why this problem occurs and how to resolve this problem.

After resolving this problem, in the Authentication with Resident Key supported Authenticator scenario, I've confirmed that I was able to register my YubiKey and authenticate using it in Edge.

I'll create a new issue and comment on it in detail.

tnorimat commented 5 years ago

Refer to https://github.com/webauthn4j/keycloak-webauthn-authenticator/issues/26

cdanger commented 5 years ago

Great news! Thanks for the fix. Now looking forward to the next release :+1: (I'll test with the latest commit anyway in the meantime.)

tnorimat commented 5 years ago

@cdanger thank you for the comment. The latest release, which resolves the case you reported, is the following: https://github.com/webauthn4j/keycloak-webauthn-authenticator/tree/0.3.RELEASE

If you try this in your environment and it works well, could I add to the Environment section of the README that this program works well in the Authentication with Resident Key supported Authenticator scenario under your environment?

Whether WebAuthn works well depends on several factors, especially the OS (and version), browser (and version) and authenticator. Therefore, I'm collecting information on which environments this program works well in.

cdanger commented 5 years ago

Yes, I confirm 0.3.RELEASE works for me 👍 in the following environment: Windows 10 (v1903) / Firefox (v68) / Yubikey 5C Nano / keycloak 6.0.1 on localhost. Feel free to mention it in the README. On a side note, there are a few typos in the warning message shown at registration time, so I submitted a pull request to fix them, if you could have a look.

tnorimat commented 5 years ago

I've added your reported environment where this project works to README.md and I've merged your pull request. Thank you for the contribution!

hypermine-bc commented 5 years ago

@tnorimat We tried to replicate the following scenario.

  1. Created a new Realm
  2. Created a client inside that
  3. Added a new Flow with the Use Resident Key mentioned in readme
  4. Added a new user with password and Required User Actions = webauthn register
  5. Added the new flow as the browser flow of my client.

But when we try to access it, we get an invalid username and password error. Why are we getting this? Can you please help us with the setup?

19:20:43,320 WARN  [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=hypermine, clientId=auth-server, userId=null, ipAddress=172.17.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:3000/, code_id=eeb33ae9-c358-4ec0-98b4-5a893add7e2a
Failed authentication: org.keycloak.authentication.AuthenticationFlowException: exception raised from navigator.credentials.get() : NotSupportedError: Resident credentials or empty 'allowCredentials' lists are not supported at this time.

tnorimat commented 5 years ago

@hypermine-bc Hello, could you please confirm that you have used a Resident Key supported browser and authenticator?

For example, the combination of Microsoft Edge (ver 44 or later) and Yubico Security Key will work well.