Enable WebAuthn / passkey on master and ecosplay realms

- Add a configure_webauthn helper to sync.sh that sets the WebAuthn policy (both 2FA and passwordless variants) on a realm and enables the webauthn-register and webauthn-register-passwordless required actions so users can self-enroll passkeys via the account console. - Apply it to both master (RP "E-Cosplay Auth") and ecosplay (RP "E-Cosplay") on every sync run, idempotent. - Mirror the same policy fields and required actions in the ecosplay realm import JSON for fresh installs. Sensible defaults: ES256/RS256/EdDSA, user verification preferred, no attestation, resident key not specified. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 18:23:30 +02:00
parent 4484b70c19
commit 11763405ab
2 changed files with 73 additions and 0 deletions
--- a/realms/ecosplay-realm.json
+++ b/realms/ecosplay-realm.json
@@ -40,6 +40,47 @@
  "offlineSessionIdleTimeout": 2592000,
  "actionTokenGeneratedByUserLifespan": 900,

+  "webAuthnPolicyRpEntityName": "E-Cosplay",
+  "webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
+  "webAuthnPolicyUserVerificationRequirement": "preferred",
+  "webAuthnPolicyAttestationConveyancePreference": "none",
+  "webAuthnPolicyRequireResidentKey": "not specified",
+  "webAuthnPolicyPasswordlessRpEntityName": "E-Cosplay",
+  "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
+  "webAuthnPolicyPasswordlessUserVerificationRequirement": "preferred",
+  "webAuthnPolicyPasswordlessAttestationConveyancePreference": "none",
+  "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+
+  "requiredActions": [
+    {
+      "alias": "CONFIGURE_TOTP",
+      "name": "Configure OTP",
+      "providerId": "CONFIGURE_TOTP",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 10,
+      "config": {}
+    },
+    {
+      "alias": "webauthn-register",
+      "name": "Webauthn Register",
+      "providerId": "webauthn-register",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 70,
+      "config": {}
+    },
+    {
+      "alias": "webauthn-register-passwordless",
+      "name": "Webauthn Register Passwordless",
+      "providerId": "webauthn-register-passwordless",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 80,
+      "config": {}
+    }
+  ],
+
  "smtpServer": {
    "host": "email-smtp.eu-west-3.amazonaws.com",
    "port": "587",