Keycloak / KEYCLOAK-16075

WebAuthn with Safari 14.1 does not work (TouchID/FaceID WebAuthn Requires User Gesture)

    Details

    • Steps to Reproduce:
      1. Configure WebAuthn policy to match Apple's settings (ES256 + all other options at defaults should be sufficient)
      2. Set the "register WebAuthn credential" required action on a user
      3. Using a compatible device running Safari 14, authenticate as that user
      4. Note that no option for biometrics appears.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      What

      WebAuthn with Keycloak is currently entirely unavailable for Safari users.

      Details

      The WebKit/Safari team has just published details of their implementation of WebAuthn using FaceID/TouchID as platform authenticators: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/

      Notably, they have decided to require a user gesture before allowing FaceID/TouchID to be used in order to prevent abuse / unwanted authentication requests. Keycloak currently invokes WebAuthn on page load, which fails this requirement. As a result, FaceID/TouchID is unusable with Keycloak regardless of settings. 

      Keycloak should, perhaps at the administrator's option, modify the WebAuthn login flow to involve a user gesture in order to allow Apple device users to gain the benefits of their platform authenticator.

      More details in the comment https://issues.redhat.com/browse/KEYCLOAK-16075?focusedCommentId=16118913&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16118913
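
      The gesture-gated flow the description asks for, as an added example that is not Keycloak's code or the reporter's: the WebAuthn registration call is made from inside a click handler instead of on page load. Assumptions: `button` is the page's button element and `credentials` is `navigator.credentials`, both passed in so the sketch also runs outside a browser; the function names and all option values are constructed.

```javascript
// Added example (not Keycloak's code). In a browser, pass a <button> element
// and navigator.credentials; both are injected so the logic is testable.
function buildRegistrationOptions(challenge, userId, userName) {
  return {
    challenge,                                  // server-issued random bytes
    rp: { name: "Example Realm" },              // constructed placeholder
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 = ES256 (COSE)
    authenticatorSelection: { authenticatorAttachment: "platform" },
  };
}

function registerOnGesture(button, credentials, options, onDone) {
  const state = { calls: 0, inFlight: false };
  // Nothing is requested at load time; the ceremony starts only on a click.
  button.addEventListener("click", () => {
    if (state.inFlight) return;   // a prompt is already open, ignore repeats
    state.inFlight = true;
    state.calls += 1;
    let pending;
    try {
      // Invoked synchronously inside the handler so the request is tied to
      // the user gesture that the browser requires.
      pending = credentials.create({ publicKey: options });
    } catch (err) {
      pending = Promise.reject(err);
    }
    pending
      .then((cred) => onDone(null, cred), (err) => onDone(err, null))
      .finally(() => { state.inFlight = false; });
  });
  return state;
}
```

      The error passed to `onDone` covers a cancelled or refused prompt, so the page can fall back to another credential type instead of silently failing.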

              People

              Assignee:
              Unassigned
              Reporter:
              scales Shea Polansky (Inactive)
              Votes:
              11
              Watchers:
              13