Description

This RFE is about the ability that application can request user to register WebAuthn security key (passkey) during his login by AIA just in case when user does not yet have security key on his account. The desired functionality is:

1. User will see the option to register security key (passkey) after he finish Keycloak authentication. He can choose to register passkey or he can click "Cancel" in which case, he would be redirected to the application
2. In case that user already has passkey, the screen should not be displayed as there is no need to ask user to register other passkey if he already has one

The (1) can be realized by using AIA (which is already supported) . The (2) is currently not supported as when application sends kc_action=webauthn-register-passwordless, then the registration of passkey is always displayed to the user (Regardless of whether he has already security key or not).

Note that application does not know in advance if user has passkey as user is usually not yet authenticated.

Proposal

Make the actions webauthn-register and webauthn-register-passwordless to be parameterized. So it would be possible to use something like kc_action=webauthn-register-passwordless:skip-if-exists. When this parameter skip-if-exists is used and user already has credential of type webauthn-register-passwordless, then the AIA will be ignored and will not be shown to the user. When the parameter is not used and request is sent with kc_action=webauthn-register-passwordless, the behaviour will be same as like in Keycloak 26.2. So the screen to register passkey would be always displayed.

Discussion

No response

Motivation

No response

Details

No response