embesozzi · StevenBuglione · Jan 20, 2024
diff --git a/...com/twogenidentity/keycloak/authenticator/WebAuthnConditionalEnrollmentAuthenticator.java b/...com/twogenidentity/keycloak/authenticator/WebAuthnConditionalEnrollmentAuthenticator.java
@@ -0,0 +1,69 @@
+package com.twogenidentity.keycloak.authenticator;
+
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import org.jboss.logging.Logger;
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.forms.login.freemarker.model.WebAuthnAuthenticatorsBean;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.sessions.AuthenticationSessionModel;
+
+public class WebAuthnConditionalEnrollmentAuthenticator implements Authenticator {
+    private static final Logger LOG = Logger.getLogger(WebAuthnConditionalEnrollmentAuthenticator.class);
+
+    private static final String TEMPLATE_NAME = "webauthn-conditional-enrollment.ftl";
+
+    private static final String FORM_PARAM_USER_CONFIRM_ANSWER = "user-confirm-answer";
+
+    public void authenticate(AuthenticationFlowContext context) {
+        if (userHasWebAuthnAuthenticator(context).booleanValue()) {
+            LOG.debugf("User already registered webauthn authenticator", new Object[0]);
+            context.success();
+            return;
+        }
+        Response challenge = context.form().createForm("webauthn-conditional-enrollment.ftl");
+        context.challenge(challenge);
+    }
+
+    private Boolean userHasWebAuthnAuthenticator(AuthenticationFlowContext context) {
+        UserModel user = context.getUser();
+        if (user != null) {
+            LOG.debugf("Looking for webauthn-passworless authenticator...", new Object[0]);
+            WebAuthnAuthenticatorsBean authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, "webauthn-passwordless");
+            if (authenticators.getAuthenticators().isEmpty()) {
+                LOG.debugf("Looking for webauthn authenticator...", new Object[0]);
+                authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, "webauthn");
+            }
+            return Boolean.valueOf(!authenticators.getAuthenticators().isEmpty());
+        }
+        return Boolean.valueOf(false);
+    }
+
+    public void action(AuthenticationFlowContext context) {
+        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
+        String answer = (String)formData.getFirst("user-confirm-answer");
+        LOG.debugf("Username answer is: %s", answer);
+        if ("yes".equalsIgnoreCase(answer)) {
+            AuthenticationSessionModel authenticationSession = context.getAuthenticationSession();
+            if (!authenticationSession.getRequiredActions().contains("webauthn-register-passwordless"))
+                authenticationSession.addRequiredAction("webauthn-register-passwordless");
+        }
+        context.success();
+    }
+
+    public boolean requiresUser() {
+        return false;
+    }
+
+    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
+        return true;
+    }
+
+    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {}
+
+    public void close() {}
+}
+
diff --git a/...genidentity/keycloak/authenticator/WebAuthnConditionalEnrollmentAuthenticatorFactory.java b/...genidentity/keycloak/authenticator/WebAuthnConditionalEnrollmentAuthenticatorFactory.java
@@ -0,0 +1,59 @@
+package com.twogenidentity.keycloak.authenticator;
+
+import org.keycloak.Config;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.authentication.AuthenticatorFactory;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+
+import java.util.List;
+
+public class WebAuthnConditionalEnrollmentAuthenticatorFactory implements AuthenticatorFactory {
+    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = new AuthenticationExecutionModel.Requirement[] { AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.DISABLED };
+
+    static final String PROVIDER_ID = "webauthn-conditional-enrollment";
+
+    public String getDisplayType() {
+        return "WebAuthn conditional enrollment";
+    }
+
+    public String getReferenceCategory() {
+        return "WebAuthn Enrollment";
+    }
+
+    public boolean isConfigurable() {
+        return true;
+    }
+
+    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
+        return REQUIREMENT_CHOICES;
+    }
+
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+    public String getHelpText() {
+        return "Allows user to enroll for WebAuthn device";
+    }
+
+    public List<ProviderConfigProperty> getConfigProperties() {
+        return null;
+    }
+
+    public Authenticator create(KeycloakSession keycloakSession) {
+        return new WebAuthnConditionalEnrollmentAuthenticator();
+    }
+
+    public void init(Config.Scope scope) {}
+
+    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {}
+
+    public void close() {}
+
+    public String getId() {
+        return "webauthn-conditional-enrollment";
+    }
+}
diff --git a/.../com/twogenidentity/keycloak/authenticator/WebAuthnConditionalMediationAuthenticator.java b/.../com/twogenidentity/keycloak/authenticator/WebAuthnConditionalMediationAuthenticator.java
@@ -1,5 +1,7 @@
 package com.twogenidentity.keycloak.authenticator;
 
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
 import org.jboss.logging.Logger;
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.authenticators.browser.UsernameForm;
@@ -8,9 +10,6 @@
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.utils.StringUtil;
 
-import jakarta.ws.rs.core.MultivaluedMap;
-import jakarta.ws.rs.core.Response;
-
 public class WebAuthnConditionalMediationAuthenticator extends WebAuthnPasswordlessAuthenticator {
 
     private static final Logger LOG = Logger.getLogger(WebAuthnConditionalMediationAuthenticator.class);

diff --git a/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory b/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
@@ -1 +1,2 @@
-com.twogenidentity.keycloak.authenticator.WebAuthnConditionalMediationAuthenticatorFactory
+com.twogenidentity.keycloak.authenticator.WebAuthnConditionalMediationAuthenticatorFactory
+com.twogenidentity.keycloak.authenticator.WebAuthnConditionalEnrollmentAuthenticatorFactory
diff --git a/src/main/resources/theme-resources/templates/webauthn-conditional-enrollment.ftl b/src/main/resources/theme-resources/templates/webauthn-conditional-enrollment.ftl
@@ -0,0 +1,31 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayInfo=false; section>
+    <#if section = "title">
+    <#elseif section = "header">
+    <#elseif section = "form">
+        <form id="kc-confirm-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
+            <div class="col-xs-12 col-sm-12 col-md-12 col-lg-12">
+                <h2 style="margin-top:0px;text-align: center;">Upgrade your security with Passkey</h2>
+                <p class="lead">Passkeys allow you to sign in safety and easily with TouchID or Face ID, without requiring a password.</p>
+            </div>
+            <div class="${properties.kcFormButtonsClass!}">
+                <button
+                    class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}"
+                    name="user-confirm-answer"
+                    type="submit"
+                    style="background-color: #04AA6D;"
+                    value="yes">
+                    Upgrade to Passkey
+                </button>
+               <button
+                    class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}"
+                    style="margin-top: 10px"
+                    name="user-confirm-answer"
+                    type="submit"
+                    value="no">
+                    Cancel
+                </button>
+            </div>
+        </form>
+    </#if>
+</@layout.registrationLayout>