Enable WebAuthn / passkey on master and ecosplay realms
- Add a configure_webauthn helper to sync.sh that sets the WebAuthn policy (both 2FA and passwordless variants) on a realm and enables the webauthn-register and webauthn-register-passwordless required actions so users can self-enroll passkeys via the account console. - Apply it to both master (RP "E-Cosplay Auth") and ecosplay (RP "E-Cosplay") on every sync run, idempotent. - Mirror the same policy fields and required actions in the ecosplay realm import JSON for fresh installs. Sensible defaults: ES256/RS256/EdDSA, user verification preferred, no attestation, resident key not specified. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
32
init/sync.sh
32
init/sync.sh
@@ -186,6 +186,32 @@ set_client_pkce() {
|
||||
info " client $2 PKCE method set to '${3:-none}' ($1)"
|
||||
}
|
||||
|
||||
configure_webauthn() {
|
||||
# $1=realm $2=Relying Party display name (shown in browser passkey prompt)
|
||||
local realm=$1 rp=$2
|
||||
$KC update "realms/$realm" \
|
||||
-s "webAuthnPolicyRpEntityName=$rp" \
|
||||
-s 'webAuthnPolicySignatureAlgorithms=["ES256","RS256","EdDSA"]' \
|
||||
-s 'webAuthnPolicyUserVerificationRequirement=preferred' \
|
||||
-s 'webAuthnPolicyAttestationConveyancePreference=none' \
|
||||
-s 'webAuthnPolicyRequireResidentKey=not specified' \
|
||||
-s "webAuthnPolicyPasswordlessRpEntityName=$rp" \
|
||||
-s 'webAuthnPolicyPasswordlessSignatureAlgorithms=["ES256","RS256","EdDSA"]' \
|
||||
-s 'webAuthnPolicyPasswordlessUserVerificationRequirement=preferred' \
|
||||
-s 'webAuthnPolicyPasswordlessAttestationConveyancePreference=none' \
|
||||
-s 'webAuthnPolicyPasswordlessRequireResidentKey=not specified' >/dev/null
|
||||
info " webauthn policies set ($realm, RP=$rp)"
|
||||
|
||||
# Enable required actions so users can self-enroll passkeys via the
|
||||
# account console (Sign-in -> Passkey / Two-factor authentication).
|
||||
for ra in webauthn-register webauthn-register-passwordless; do
|
||||
$KC update "authentication/required-actions/$ra" -r "$realm" \
|
||||
-s enabled=true \
|
||||
-s defaultAction=false >/dev/null 2>&1 || true
|
||||
info " required action $ra enabled ($realm)"
|
||||
done
|
||||
}
|
||||
|
||||
ensure_client() {
|
||||
# $1=realm $2=clientId $3=name $4=description $5=secret
|
||||
# $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated)
|
||||
@@ -299,6 +325,9 @@ $KC update realms/master \
|
||||
-s "defaultLocale=fr"
|
||||
info "master realm updated"
|
||||
|
||||
log "Configuring WebAuthn / passkey for master realm"
|
||||
configure_webauthn master "E-Cosplay Auth"
|
||||
|
||||
# =============================================================
|
||||
# Master realm: automation service account (sync-bot)
|
||||
# =============================================================
|
||||
@@ -316,6 +345,9 @@ ensure_user_realm_role master "$ADMIN_USER_USERNAME" admin
|
||||
# Ecosplay realm: groups + application admin user
|
||||
# =============================================================
|
||||
if realm_exists ecosplay; then
|
||||
log "Configuring WebAuthn / passkey for ecosplay realm"
|
||||
configure_webauthn ecosplay "E-Cosplay"
|
||||
|
||||
log "Ensuring groups on ecosplay realm"
|
||||
for grp in $ECOSPLAY_GROUPS; do
|
||||
ensure_group ecosplay "$grp"
|
||||
|
||||
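Review bot: The success line `info " required action $ra enabled ($realm)"` in configure_webauthn is printed unconditionally, because the preceding `$KC update "authentication/required-actions/$ra"` discards stderr and ends in `|| true`, so a failed update (wrong realm name, expired kcadm session, unknown alias) leaves passkey enrolment disabled while the sync log reports it enabled. Wrapping the update in `if`/`else` keeps the run non-fatal, as the commit intends, but makes the outcome visible, and dropping `2>&1` lets kcadm's own error reach stderr; the realm policy update above it has no such guard, so it presumably aborts the run if `set -e` is enabled earlier in the file, which is outside this hunk. Separately, both the passwordless policy here and the mirrored `webAuthnPolicyPasswordlessUserVerificationRequirement` in the realm JSON hunk use `preferred`, which lets an authenticator that performs no user verification complete a passwordless login on possession alone; if passkeys are meant to replace the password as the sole factor, `required` is the conservative value, and either way a comment on the choice would help the next reader, e.g. `# UV=preferred: accept security keys without PIN/biometric; passwordless login is then possession-only`.
```shell
  # … unchanged: realm policy update and its info line …
  for ra in webauthn-register webauthn-register-passwordless; do
    if $KC update "authentication/required-actions/$ra" -r "$realm" \
         -s enabled=true \
         -s defaultAction=false >/dev/null; then
      info " required action $ra enabled ($realm)"
    else
      info " WARNING: required action $ra NOT enabled ($realm), see kcadm error above"
    fi
  done
```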
@@ -40,6 +40,47 @@
|
||||
"offlineSessionIdleTimeout": 2592000,
|
||||
"actionTokenGeneratedByUserLifespan": 900,
|
||||
|
||||
"webAuthnPolicyRpEntityName": "E-Cosplay",
|
||||
"webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
|
||||
"webAuthnPolicyUserVerificationRequirement": "preferred",
|
||||
"webAuthnPolicyAttestationConveyancePreference": "none",
|
||||
"webAuthnPolicyRequireResidentKey": "not specified",
|
||||
"webAuthnPolicyPasswordlessRpEntityName": "E-Cosplay",
|
||||
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
|
||||
"webAuthnPolicyPasswordlessUserVerificationRequirement": "preferred",
|
||||
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "none",
|
||||
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
|
||||
|
||||
"requiredActions": [
|
||||
{
|
||||
"alias": "CONFIGURE_TOTP",
|
||||
"name": "Configure OTP",
|
||||
"providerId": "CONFIGURE_TOTP",
|
||||
"enabled": true,
|
||||
"defaultAction": false,
|
||||
"priority": 10,
|
||||
"config": {}
|
||||
},
|
||||
{
|
||||
"alias": "webauthn-register",
|
||||
"name": "Webauthn Register",
|
||||
"providerId": "webauthn-register",
|
||||
"enabled": true,
|
||||
"defaultAction": false,
|
||||
"priority": 70,
|
||||
"config": {}
|
||||
},
|
||||
{
|
||||
"alias": "webauthn-register-passwordless",
|
||||
"name": "Webauthn Register Passwordless",
|
||||
"providerId": "webauthn-register-passwordless",
|
||||
"enabled": true,
|
||||
"defaultAction": false,
|
||||
"priority": 80,
|
||||
"config": {}
|
||||
}
|
||||
],
|
||||
|
||||
"smtpServer": {
|
||||
"host": "email-smtp.eu-west-3.amazonaws.com",
|
||||
"port": "587",
|
||||
|
||||