Add webauthn and recovery-codes to the default authentication flows #39998

Closed
@mposolda

Description

This issue is about adding WebAuthn and Recovery-codes to the default browser flow by default. They can still be disabled by default. However, it means that when someone wants to add WebAuthn/Recovery-codes as 2nd factors, he will not need to create a completely new flow, but will be able to just update the existing flow, which is easier.

A few points:

  • I guess we can change the form subflow to something like this:
    - Forms: CONDITIONAL
      - Condition: User authenticated: REQUIRED
      - OTP: ALTERNATIVE
      - WebAuthn: DISABLED
      - Recovery-codes: DISABLED

ATM it looks to me that the OTP can be switched to ALTERNATIVE (currently it is REQUIRED), as it will make it easier to enable WebAuthn or Recovery-codes. When someone wants to enable recovery-codes, he will just need to switch Recovery-codes to ALTERNATIVE. But if OTP is still REQUIRED, he will also need to update OTP to ALTERNATIVE (as there cannot be both REQUIRED and ALTERNATIVE executions at the same level).

At the same time, we might need to be careful, as things may work a bit differently by default when OTP is switched to ALTERNATIVE due to this: https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java#L445-L452 . Maybe changes would be needed in the DefaultAuthenticationFlow, or we can keep OTP REQUIRED if it is hard to make this work with some existing scenarios...

  • We can likely do the same for other flows. At least for the First broker login flow.

  • IMO we should not do anything during migration. So people migrating from previous versions will still have their flows as before. This will affect just new deployments and/or newly created realms.

  • This will probably affect quite a few automated tests (as current tests assume they always create a new flow for stuff like WebAuthn or Recovery-codes).

  • Probably lots of changes are needed in the documentation, as the docs for WebAuthn and Recovery-codes and authentication in general assume only OTP in the browser flow by default. Maybe documentation should be a separate subtask?
