Keycloak/IOS webauthn


Lebriq Zakariae

Feb 25, 2021, 11:06:53 AM
to Keycloak User
Hi,

I'm trying to configure a browser flow with the WebAuthn authenticator. However, it doesn't work as expected with iOS. My phone prompts me to use a key instead of my TouchID or FaceID.

Is there anyone who has had the same issue before?

Thanks.

Colin Bontemps

Apr 2, 2021, 7:59:21 AM
to Keycloak User
Hi Zakaria, have you tried setting the param "Authenticator Attachment" to "platform"?
This param should let the OS/browser choose whether to prefer an external key or integrated hardware such as TouchID.

Colin

Ionel GARDAIS

Apr 2, 2021, 8:10:17 AM
to Colin Bontemps, keycloak-user
Hi,

WebAuthn in Keycloak is failing with macOS/iOS TouchID.
There seem to be 2 explanations for this:
- Safari requires auth to be triggered by a user interaction, not directly onload() as currently
- the signature counter is not incremented by the integrated WebAuthn device representing TouchID

The first issue can be worked around by adjusting the webauthn login page to add a button to be clicked for the auth process to be triggered.
However, that would allow you to register the TouchID device, but you would then hit the second issue and subsequent logins would fail.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager
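
The signature-counter failure described in the reply above, as an added example that is not part of the thread and is not Keycloak's code: it parses the counter out of raw WebAuthn `authenticatorData` and compares a strict "must always increase" check with the rule in the WebAuthn specification, which skips the comparison when both the stored and the received counter are zero. All function names are hypothetical, the authenticator data is constructed, and the platform authenticator is assumed to always report a counter of 0.

```javascript
// Added example. authenticatorData layout per the WebAuthn spec:
// rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data...

function parseAuthData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    userPresent: (flags & 0x01) !== 0,   // UP bit
    userVerified: (flags & 0x04) !== 0,  // UV bit
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical strict policy: every assertion must raise the counter.
// An authenticator that never increments fails its first login after registration.
function strictCounterCheck(stored, received) {
  return received > stored
    ? { ok: true, newCount: received }
    : { ok: false, reason: "counter-not-incremented" };
}

// WebAuthn spec rule: compare only when either value is nonzero.
// 0/0 means the authenticator does not implement a counter.
function specCounterCheck(stored, received) {
  if (stored === 0 && received === 0) {
    return { ok: true, newCount: 0, counterSupported: false };
  }
  if (received > stored) {
    return { ok: true, newCount: received, counterSupported: true };
  }
  // A nonzero counter that did not advance is a cloned-authenticator signal.
  return { ok: false, reason: "possible-cloned-authenticator" };
}

// Constructed sample: zeroed rpIdHash, UP|UV flags, chosen counter.
function sampleAuthData(signCount, flags = 0x05) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const platform = parseAuthData(sampleAuthData(0));
console.log("strict:", strictCounterCheck(0, platform.signCount));
console.log("spec:  ", specCounterCheck(0, platform.signCount));
console.log("replay:", specCounterCheck(7, parseAuthData(sampleAuthData(7)).signCount));
```

With the spec rule, a credential that reports a counter of zero loses clone detection, so the relying party depends on the user-verification flag and the assertion signature alone for that credential.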

