Passkeys, conditional ui, etc...


Francis Augusto Medeiros-Logeay

Sep 1, 2025, 2:01:22 AM (7 days ago) Sep 1
to Keycloak User
Hi,

I just saw Niko’s presentation on KeyConf - it was great, btw.

I have been following the implementation of Passkeys closely over the last two years, and after watching his presentation, I went running to see what was different.

It seems to me that the login after enabling passkeys is much better and straightforward in 26.3.3.

But I wonder, will we ever see an automatic pop-up of the passkey login without the user having to click on “Sign in with passkey”?

Or are there many challenges to that? Is it even on the roadmap for passkeys?

Best,
Francis 


-- 
Francis Augusto Medeiros-Logeay
Oslo, Norway

Niko Köbler

Sep 1, 2025, 3:43:40 AM (7 days ago) Sep 1
to Keycloak User
Hi Francis,

first, thanks for watching my talk at KeyConf and I'm happy you liked it.

What exactly do you expect with "automatic pop up of passkeys login"?
As shown in my demo, my browser automatically offered the existing passkeys in a kind of popup in the username field. I didn't have to click on the button to sign in with a passkey. Of course, this also depends on the browser and whether the browser implements "WebAuthn Conditional UI" properly. With Firefox, for example, I also have some problems.

For me(!) this behavior is exactly what I want to have and get from Keycloak, as there will be a long time ahead where we need to offer both ways to the user: username/password (hopefully with MFA) _or_ passwordless passkeys only.
But from my experience with a lot of other customers and projects, the "requirements" and wishes vary a lot from customer to customer. They all want "authentication with passkeys", but the exact "how" differs much in the details...
So, what is your exact expectation?

Best, 
- Niko

Francis Augusto Medeiros

Sep 1, 2025, 3:54:56 AM (7 days ago) Sep 1
to Niko Köbler, Keycloak User
Hi Niko,

Thanks a lot for your reply.

Well, the thing is, from the user’s perspective, having the passkey available in the username field is just too similar to using saved passwords. While the authentication flow will be different, this might lead to a lot of confusion.

What I would like is that some JavaScript would already check if you have a passkey for that website and start the authentication without the user having to choose a saved passkey or click on “Sign in with Passkey”. This way, a user would only use his fingerprint (or PIN, or whatever method) to log in.

So, in other words:

- the user is redirected by the app to Keycloak
- Keycloak would then check if the user has a passkey for that domain
- if so, the passkey authentication (with the pop up for the user verification showing automatically) would start right away - no need to click on a button or choose a passkey on the username field.

If the user doesn’t have a passkey for that website, he’d use the username/password form normally.

Is it clear now? Let me know if you’d like me to create a little storyboard for that.

Best,
Francis 

--

Niko Köbler

Sep 1, 2025, 4:13:10 AM (7 days ago) Sep 1
to Keycloak User
Thanks for the more detailed explanation.
Well, that's exactly the thing I meant by "differs a lot from customer to customer". Believe me, even if you think(!) that every company wants to have this experience....
IMHO, the existing way will work greatly; I have no concerns about confusing the users.

To the rescue, you can still implement your custom authenticator with your desired custom logic.
That's how Keycloak works: it won't implement and provide every variant of everything in a certain way, but you always have the possibility to implement your desired behavior through SPIs.

Best,
- Niko


Thomas Darimont

Sep 1, 2025, 4:40:28 AM (7 days ago) Sep 1
to Keycloak User
Hello all,

AFAIK you can't detect if a user has registered a passkey for your site using JavaScript without prompting them. 
This is a deliberate security and privacy feature of the Web Authentication API (WebAuthn).

However, you could build such a mechanism yourself based on a persistent (HttpOnly, Secure) cookie that gives Keycloak a hint that a passkey with certain characteristics was created for this user in this browser. Then you could inspect that cookie with a custom authenticator and send the user to an optimized user experience.

Note that the FIDO Alliance provides some IMHO useful guidelines for passkey adoption: https://www.passkeycentral.org/design-guidelines/

There is also this big list of sites supporting passkeys where you could take some inspiration from: https://www.passkeys.io/who-supports-passkeys 

Cheers,
Thomas
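The autofill-style flow Niko describes, together with the constraint Thomas notes (a site cannot silently ask whether a passkey exists, only the browser knows), as an added example that is not code from the thread or from Keycloak. It assumes the username input carries autocomplete="username webauthn" and that serverOpts is the challenge JSON your server already returns for a WebAuthn login.

```javascript
// Added example, not code from the thread or from Keycloak: the browser side of a
// WebAuthn "conditional UI" login as Niko describes it. Assumes the login page's
// username <input> carries autocomplete="username webauthn".

// base64url helper: WebAuthn JSON carries binary fields (challenge, ids) this way.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build the browser request from the server's JSON. allowCredentials stays empty:
// the browser, not the page, knows which passkeys exist for this rpId, which is
// the privacy property Thomas points out (the site cannot enumerate them silently).
function toRequestOptions(serverOpts) {
  return {
    challenge: base64urlToBytes(serverOpts.challenge),
    rpId: serverOpts.rpId,
    timeout: serverOpts.timeout ?? 60000,
    userVerification: serverOpts.userVerification ?? "required",
    allowCredentials: [],
  };
}

// Start conditional mediation: existing passkeys show up in the username field's
// autofill, with no modal and no "Sign in with passkey" click. Returns null where
// the browser lacks support, so the button stays the fallback; aborting the
// controller cancels the pending request if the user clicks the button instead.
function startConditionalLogin(nav, serverOpts, onAssertion) {
  const PKC = globalThis.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== "function") return null;
  const controller = new AbortController();
  const done = PKC.isConditionalMediationAvailable().then((ok) => {
    if (!ok) return null;
    const publicKey = toRequestOptions(serverOpts);
    return nav.credentials
      .get({ publicKey, mediation: "conditional", signal: controller.signal })
      .then((cred) => onAssertion(cred.toJSON ? cred.toJSON() : cred)); // toJSON: newer browsers
  });
  return { controller, done };
}
```

On the login page you would call startConditionalLogin(navigator, serverOpts, postToServer) on load and call controller.abort() from the button's click handler before starting a modal request; where the function returns null, the button is the only path.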

Francis Augusto Medeiros-Logeay

Sep 1, 2025, 7:03:23 AM (7 days ago) Sep 1
to 'Thomas Darimont' via Keycloak User
Thanks Thomas,

I think I read somewhere that you can use JavaScript to silently start the check and handle it elegantly when the user doesn’t have a passkey for that domain. But I am probably wrong. This is what I got by searching a bit a while ago.

Best,
Francis 

Martin Besozzi

Sep 1, 2025, 8:19:00 AM (7 days ago) Sep 1
to Francis Augusto Medeiros-Logeay, 'Thomas Darimont' via Keycloak User
As Niko and Thomas mentioned, you can check in a custom SPI whether the user has WebAuthn passwordless credentials available, and then show or hide that authenticator in the next step accordingly.

Regards,

Martin

Francis Augusto Medeiros

Sep 4, 2025, 2:50:18 AM (4 days ago) Sep 4
to Keycloak User, Niko Köbler
Thanks Niko.

Yeah, I understand that. I just wanted to check if this was in the roadmap and/or anyone else was asking for the same thing.

I have no doubt that the existing way works great, but I disagree about the confusion. The interface on a Mac does say when it is a passkey and when it is a saved password, but the difference is subtle and I am not sure that the difference will be noticed by many users.

I’ll run this by our UX team - if they agree with you, then I don’t think I’ll need to change anything.

Best,
Francis 
