admin/authser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enable WebAuthn / passkey on master and ecosplay realms

Browse Source 
- Add a configure_webauthn helper to sync.sh that sets the
  WebAuthn policy (both 2FA and passwordless variants) on a
  realm and enables the webauthn-register and
  webauthn-register-passwordless required actions so users can
  self-enroll passkeys via the account console.
- Apply it to both master (RP "E-Cosplay Auth") and ecosplay
  (RP "E-Cosplay") on every sync run, idempotent.
- Mirror the same policy fields and required actions in the
  ecosplay realm import JSON for fresh installs. Sensible
  defaults: ES256/RS256/EdDSA, user verification preferred,
  no attestation, resident key not specified.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-04-10 18:23:30 +02:00
parent 4484b70c19
commit 11763405ab
2 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
init/sync.sh
View File

@@ -186,6 +186,32 @@ set_client_pkce() {
info " client $2 PKCE method set to '${3:-none}' ($1)" info " client $2 PKCE method set to '${3:-none}' ($1)"
} }
configure_webauthn() {
# $1=realm $2=Relying Party display name (shown in browser passkey prompt)
local realm=$1 rp=$2
$KC update "realms/$realm" \
-s "webAuthnPolicyRpEntityName=$rp" \
-s 'webAuthnPolicySignatureAlgorithms=["ES256","RS256","EdDSA"]' \
-s 'webAuthnPolicyUserVerificationRequirement=preferred' \
-s 'webAuthnPolicyAttestationConveyancePreference=none' \
-s 'webAuthnPolicyRequireResidentKey=not specified' \
-s "webAuthnPolicyPasswordlessRpEntityName=$rp" \
-s 'webAuthnPolicyPasswordlessSignatureAlgorithms=["ES256","RS256","EdDSA"]' \
-s 'webAuthnPolicyPasswordlessUserVerificationRequirement=preferred' \
-s 'webAuthnPolicyPasswordlessAttestationConveyancePreference=none' \
-s 'webAuthnPolicyPasswordlessRequireResidentKey=not specified' >/dev/null
info " webauthn policies set ($realm, RP=$rp)"
# Enable required actions so users can self-enroll passkeys via the
# account console (Sign-in -> Passkey / Two-factor authentication).
for ra in webauthn-register webauthn-register-passwordless; do
$KC update "authentication/required-actions/$ra" -r "$realm" \
-s enabled=true \
-s defaultAction=false >/dev/null 2>&1 || true
info " required action $ra enabled ($realm)"
done
}
ensure_client() { ensure_client() {
# $1=realm $2=clientId $3=name $4=description $5=secret # $1=realm $2=clientId $3=name $4=description $5=secret
# $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated) # $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated)
@@ -299,6 +325,9 @@ $KC update realms/master \
-s "defaultLocale=fr" -s "defaultLocale=fr"
info "master realm updated" info "master realm updated"
log "Configuring WebAuthn / passkey for master realm"
configure_webauthn master "E-Cosplay Auth"
# ============================================================= # =============================================================
# Master realm: automation service account (sync-bot) # Master realm: automation service account (sync-bot)
# ============================================================= # =============================================================
@@ -316,6 +345,9 @@ ensure_user_realm_role master "$ADMIN_USER_USERNAME" admin
# Ecosplay realm: groups + application admin user # Ecosplay realm: groups + application admin user
# ============================================================= # =============================================================
if realm_exists ecosplay; then if realm_exists ecosplay; then
log "Configuring WebAuthn / passkey for ecosplay realm"
configure_webauthn ecosplay "E-Cosplay"
log "Ensuring groups on ecosplay realm" log "Ensuring groups on ecosplay realm"
for grp in $ECOSPLAY_GROUPS; do for grp in $ECOSPLAY_GROUPS; do
ensure_group ecosplay "$grp" ensure_group ecosplay "$grp"

41
realms/ecosplay-realm.json
View File

@@ -40,6 +40,47 @@
"offlineSessionIdleTimeout": 2592000, "offlineSessionIdleTimeout": 2592000,
"actionTokenGeneratedByUserLifespan": 900, "actionTokenGeneratedByUserLifespan": 900,
"webAuthnPolicyRpEntityName": "E-Cosplay",
"webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
"webAuthnPolicyUserVerificationRequirement": "preferred",
"webAuthnPolicyAttestationConveyancePreference": "none",
"webAuthnPolicyRequireResidentKey": "not specified",
"webAuthnPolicyPasswordlessRpEntityName": "E-Cosplay",
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
"webAuthnPolicyPasswordlessUserVerificationRequirement": "preferred",
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "none",
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
"requiredActions": [
{
"alias": "CONFIGURE_TOTP",
"name": "Configure OTP",
"providerId": "CONFIGURE_TOTP",
"enabled": true,
"defaultAction": false,
"priority": 10,
"config": {}
},
{
"alias": "webauthn-register",
"name": "Webauthn Register",
"providerId": "webauthn-register",
"enabled": true,
"defaultAction": false,
"priority": 70,
"config": {}
},
{
"alias": "webauthn-register-passwordless",
"name": "Webauthn Register Passwordless",
"providerId": "webauthn-register-passwordless",
"enabled": true,
"defaultAction": false,
"priority": 80,
"config": {}
}
],
"smtpServer": { "smtpServer": {
"host": "email-smtp.eu-west-3.amazonaws.com", "host": "email-smtp.eu-west-3.amazonaws.com",
"port": "587", "port": "587",