Passkey for ldap users


Francis Augusto Medeiros

Apr 17, 2024, 9:50:27 AM
to Keycloak User
Hi,

I watched this really cool presentation of Takashi and Thomas at KubeCon.

Among the things that were presented was a bit of how Passkeys work in KC 24.

For a login-less experience, what Thomas did was to remove a user's password.

Can one achieve this when using LDAP user federation? Otherwise how can LDAP users get the same user experience? 

Best,
Francis 

John Kohl

Apr 23, 2024, 2:05:04 AM
to Keycloak User
I recently experimented with passkeys and followed a guide here: https://www.keycloak.org/docs/latest/server_admin/#creating-a-password-less-browser-login-flow

I came up with a slightly different config.  The behavior is the same for any type of user, either defined in the realm directly or federated from LDAP.

I have users configured to be required to create an OTP configuration on first login.  After that, a user can create a passkey in their account console (account security>signing in).  Once they've got a passkey, they can log in either with username and passkey, or username and password and OTP.


Screenshot 2024-04-22 150139.png
