From 11763405ab1ed11bd65cd8aa9660ef50db71b2c6 Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 10 Apr 2026 18:23:30 +0200
Subject: [PATCH] Enable WebAuthn / passkey on master and ecosplay realms
- Add a configure_webauthn helper to sync.sh that sets the WebAuthn policy (both 2FA and passwordless variants) on a realm and enables the webauthn-register and webauthn-register-passwordless required actions so users can self-enroll passkeys via the account console.
- Apply it to both master (RP "E-Cosplay Auth") and ecosplay (RP "E-Cosplay") on every sync run, idempotent.
- Mirror the same policy fields and required actions in the ecosplay realm import JSON for fresh installs.
Sensible defaults: ES256/RS256/EdDSA, user verification preferred, no attestation, resident key not specified.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 init/sync.sh | 32 +++++++++++++++++++++++++++++
 realms/ecosplay-realm.json | 41 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
diff --git a/init/sync.sh b/init/sync.sh
index 4a62108..9da65fc 100755
--- a/init/sync.sh
+++ b/init/sync.sh
@@ -186,6 +186,32 @@ set_client_pkce() {
 info " client $2 PKCE method set to '${3:-none}' ($1)"
 }
+configure_webauthn() {
+ # $1=realm $2=Relying Party display name (shown in browser passkey prompt)
+ local realm=$1 rp=$2
+ $KC update "realms/$realm" \
+ -s "webAuthnPolicyRpEntityName=$rp" \
+ -s 'webAuthnPolicySignatureAlgorithms=["ES256","RS256","EdDSA"]' \
+ -s 'webAuthnPolicyUserVerificationRequirement=preferred' \
+ -s 'webAuthnPolicyAttestationConveyancePreference=none' \
+ -s 'webAuthnPolicyRequireResidentKey=not specified' \
+ -s "webAuthnPolicyPasswordlessRpEntityName=$rp" \
+ -s 'webAuthnPolicyPasswordlessSignatureAlgorithms=["ES256","RS256","EdDSA"]' \
+ -s 'webAuthnPolicyPasswordlessUserVerificationRequirement=preferred' \
+ -s 'webAuthnPolicyPasswordlessAttestationConveyancePreference=none' \
+ -s 'webAuthnPolicyPasswordlessRequireResidentKey=not specified' >/dev/null
+ info " webauthn policies set ($realm, RP=$rp)"
+
+ # Enable required actions so users can self-enroll passkeys via the
+ account console (Sign-in -> Passkey / Two-factor authentication).
+ for ra in webauthn-register webauthn-register-passwordless; do
+ $KC update "authentication/required-actions/$ra" -r "$realm" \
+ -s enabled=true \
+ -s defaultAction=false >/dev/null 2>&1 || true
+ info " required action $ra enabled ($realm)"
+ done
+}
+
 ensure_client() {
 # $1=realm $2=clientId $3=name $4=description $5=secret
 # $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated)
@@ -299,6 +325,9 @@ $KC update realms/master \
 -s "defaultLocale=fr"
 info "master realm updated"
+log "Configuring WebAuthn / passkey for master realm"
+configure_webauthn master "E-Cosplay Auth"
+
 # =============================================================
 # Master realm: automation service account (sync-bot)
 # =============================================================
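Review bot: In configure_webauthn the required-action loop runs `$KC update … >/dev/null 2>&1 || true` and then unconditionally prints `required action $ra enabled ($realm)`, so a rejected or failed admin call is silenced and the sync log reports success while the realm may be left with the policy set but passkey self-enrollment still disabled. The loop body should branch on the update's exit status and report the failure on stderr instead of discarding it, as in the rewrite below. Separately, `webAuthnPolicyPasswordlessUserVerificationRequirement=preferred` applies to the flow where the passkey is the only factor, and `preferred` lets an authenticator complete sign-in without PIN/biometric verification; `required` is the safer value there (the same field is mirrored in the realms/ecosplay-realm.json hunk) unless there is a documented reason to keep it relaxed. As rendered here, the second line of the comment above the loop reads `account console (Sign-in -> Passkey / Two-factor authentication).` with no leading `#`; if that is the file's actual content rather than a rendering artifact, it executes as a command and should be `# account console (Sign-in -> Passkey / Two-factor authentication).`.
```shell
  for ra in webauthn-register webauthn-register-passwordless; do
    # Report failures instead of discarding them: otherwise a realm left
    # without the required action is still logged as "enabled".
    if $KC update "authentication/required-actions/$ra" -r "$realm" \
        -s enabled=true \
        -s defaultAction=false >/dev/null 2>&1; then
      info "  required action $ra enabled ($realm)"
    else
      printf 'WARN: could not enable required action %s (%s)\n' "$ra" "$realm" >&2
    fi
  done
```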
@@ -316,6 +345,9 @@ ensure_user_realm_role master "$ADMIN_USER_USERNAME" admin
 # Ecosplay realm: groups + application admin user
 # =============================================================
 if realm_exists ecosplay; then
+ log "Configuring WebAuthn / passkey for ecosplay realm"
+ configure_webauthn ecosplay "E-Cosplay"
+
 log "Ensuring groups on ecosplay realm"
 for grp in $ECOSPLAY_GROUPS; do
 ensure_group ecosplay "$grp"
diff --git a/realms/ecosplay-realm.json b/realms/ecosplay-realm.json
index fce566f..4f7b480 100644
--- a/realms/ecosplay-realm.json
+++ b/realms/ecosplay-realm.json
@@ -40,6 +40,47 @@
 "offlineSessionIdleTimeout": 2592000,
 "actionTokenGeneratedByUserLifespan": 900,
+ "webAuthnPolicyRpEntityName": "E-Cosplay",
+ "webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
+ "webAuthnPolicyUserVerificationRequirement": "preferred",
+ "webAuthnPolicyAttestationConveyancePreference": "none",
+ "webAuthnPolicyRequireResidentKey": "not specified",
+ "webAuthnPolicyPasswordlessRpEntityName": "E-Cosplay",
+ "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
+ "webAuthnPolicyPasswordlessUserVerificationRequirement": "preferred",
+ "webAuthnPolicyPasswordlessAttestationConveyancePreference": "none",
+ "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+
+ "requiredActions": [
+ {
+ "alias": "CONFIGURE_TOTP",
+ "name": "Configure OTP",
+ "providerId": "CONFIGURE_TOTP",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 10,
+ "config": {}
+ },
+ {
+ "alias": "webauthn-register",
+ "name": "Webauthn Register",
+ "providerId": "webauthn-register",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 70,
+ "config": {}
+ },
+ {
+ "alias": "webauthn-register-passwordless",
+ "name": "Webauthn Register Passwordless",
+ "providerId": "webauthn-register-passwordless",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 80,
+ "config": {}
+ }
+ ],
+
+
 "smtpServer": {
 "host": "email-smtp.eu-west-3.amazonaws.com",
 "port": "587",