  1. Red Hat build of Keycloak
  2. RHBK-4120

No "Sign in with Passkey" on first step with organization:<alias> scope [GHI#44735]

      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      authentication/webauthn

      Describe the bug

      When providing the organization:<alias> scope, a passkey cannot be used on the first login page. You are forced to first enter an email address (of an existing account). Only on the password form can you then use the passkey.

      Any other variation of the organization scope allows a passkey to be used on the first page.

      Organization Scope     | Initial Login page
      -----------------------+--------------------
      none                   | Email or passkey
      organization           | Email or passkey
      organization:*         | Email or passkey
      organization:<alias>   | Email

      Version

      26.4.7

      Regression

      [ ] The issue is a regression

      Expected behavior

      You can log in using a passkey without first entering your email address when using the organization:<alias> scope.

      Actual behavior

      "Sign in with passkey" is not available on the first page of the login flow when using the organization:<alias> scope.

      How to Reproduce?

      • Organizations enabled and at least one organization created
      • Passkeys enabled
      • Use Built-in browser flow (from 26.4)
      • (Email as Username enabled)

      Anything else?

      No response

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core Clients