From 3cc880846515c3b8ddc7e195d8e0118e0a9fc782 Mon Sep 17 00:00:00 2001
From: mposolda
Date: Thu, 31 Jul 2025 15:11:10 +0200
Subject: [PATCH] Wrap deprecated passkeys authenticator behind the feature
closes #40696
Signed-off-by: mposolda
---
 common/src/main/java/org/keycloak/common/Profile.java | 1 +
 .../upgrading/topics/changes/changes-26_4_0.adoc | 8 ++++++++
 .../PasskeysConditionalUIAuthenticatorFactory.java | 2 +-
 .../webauthn/passwordless/PasskeysConditionalUITest.java | 1 +
 .../base/src/test/resources/META-INF/keycloak-server.json | 6 ++++++
 .../src/main/resources/META-INF/keycloak-server.json | 6 ++++++
 6 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/common/src/main/java/org/keycloak/common/Profile.java b/common/src/main/java/org/keycloak/common/Profile.java
index 1280e469e4e..2d7363719a0 100755
--- a/common/src/main/java/org/keycloak/common/Profile.java
+++ b/common/src/main/java/org/keycloak/common/Profile.java
@@ -125,6 +125,7 @@ public class Profile {
 ORGANIZATION("Organization support within realms", Type.DEFAULT),
 PASSKEYS("Passkeys", Type.PREVIEW, Feature.WEB_AUTHN),
+ PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR("Passkeys conditional UI authenticator", Type.DEPRECATED, FeatureUpdatePolicy.ROLLING_NO_UPGRADE, Feature.PASSKEYS),
 USER_EVENT_METRICS("Collect metrics based on user events", Type.DEFAULT),
diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
index db34baedbd2..be523c04058 100644
--- a/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc
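Review bot: The new `PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR` entry lists `Feature.PASSKEYS` as a dependency, and the context line just above shows `PASSKEYS` as `Type.PREVIEW`, yet the upgrade note added in this commit only tells administrators to enable `passkeys_conditional_ui_authenticator`. If preview features are off by default, enabling the deprecated feature alone presumably either fails dependency validation or leaves the authenticator unavailable, so the note should say whether `passkeys` has to be enabled as well. A one-line comment on the entry, e.g. `// Deprecated: only gates PasskeysConditionalUIAuthenticatorFactory; scheduled for removal together with it`, would also record why the entry exists. The enum body continues outside the hunk.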
@@ -110,6 +110,14 @@ The options `+--spi-user-sessions--infinispan--offline-session-cache-entry-lifes Instead use the options `cache-embedded-offline-sessions-max-count` and `cache-embedded-offline-client-sessions-max-count` to limit the memory usage if the default of 10000 cache offline user and client sessions does not work in your scenario. +=== Deprecated Passkeys Conditional UI Authenticator requires a feature + +The authenticator *Passkeys Conditional UI Authenticator*, which was deprecated in the previous version 26.3.0, is still available for now, but it requires the feature +`passkeys_conditional_ui_authenticator` to be explicitly enabled during server startup. The feature itself is deprecated and disabled by default. +This allows administrator to start the server and re-configure authentication flows for passkeys authentication in a recommended way as described +in the link:{adminguide_link}#passkeys_server_administration_guide[Passkeys] chapter in the {adminguide_name}. In the future major version, we plan to remove the feature +as well as the *Passkeys Conditional UI Authenticator* as already announced. + // ------------------------ Removed features ------------------------ // == Removed features diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/PasskeysConditionalUIAuthenticatorFactory.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/PasskeysConditionalUIAuthenticatorFactory.java index 3b072b0f37c..c50ab0444d1 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/PasskeysConditionalUIAuthenticatorFactory.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/PasskeysConditionalUIAuthenticatorFactory.java 
@@ -56,7 +56,7 @@ public class PasskeysConditionalUIAuthenticatorFactory extends WebAuthnPasswordl
 @Override
 public boolean isSupported(Config.Scope config) {
- return Profile.isFeatureEnabled(Profile.Feature.PASSKEYS);
+ return Profile.isFeatureEnabled(Profile.Feature.PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR);
 }
 @Override
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/passwordless/PasskeysConditionalUITest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/passwordless/PasskeysConditionalUITest.java
index ce1d6ce293d..74fd72af7a2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/passwordless/PasskeysConditionalUITest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/passwordless/PasskeysConditionalUITest.java
@@ -45,6 +45,7 @@ import org.openqa.selenium.firefox.FirefoxDriver;
 * @author rmartinc
 */
 @EnableFeature(value = Profile.Feature.PASSKEYS, skipRestart = true)
+@EnableFeature(value = Profile.Feature.PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR, skipRestart = true)
 @IgnoreBrowserDriver(FirefoxDriver.class) // See https://github.com/keycloak/keycloak/issues/10368
 public class PasskeysConditionalUITest extends AbstractWebAuthnVirtualTest {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
index 3822f4dd229..0a07beb652b 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
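Review bot: Nothing in the new `isSupported` says that the PASSKEYS requirement is now carried only indirectly, through the `Feature.PASSKEYS` dependency declared on `PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR` in Profile.java; a short comment such as `// PASSKEYS is implied: the deprecated feature declares it as a dependency in Profile.Feature` would keep a later edit of that enum entry from silently changing when this authenticator loads. Separately, the commit does not show what an existing authentication flow that still references this authenticator does once the factory reports unsupported after an upgrade. Presumably the execution can no longer be resolved, so it is worth confirming that such a flow fails closed with a clear error rather than skipping the step. The class body continues outside the hunk.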
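Review bot: The test class now enables both features, so the commit only exercises the opt-in path; nothing shown here asserts the new default state, where `PASSKEYS` may be on while `PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR` is off. A small negative test that the authenticator is not offered in that state would pin the behaviour the upgrade note promises. The class body lies outside the hunk.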
@@ -167,6 +167,12 @@
 }
 },
+ "datastore": {
+ "legacy": {
+ "allowMigrateExistingDatabaseToSnapshot": "${keycloak.datastore.allowMigrateExistingDatabaseToSnapshot:false}"
+ }
+ },
+
 "realmCache": {
 "default" : {
 "enabled": "${keycloak.realmCache.enabled:true}"
diff --git a/testsuite/utils/src/main/resources/META-INF/keycloak-server.json b/testsuite/utils/src/main/resources/META-INF/keycloak-server.json
index ca97dcb5756..86ebd65ac55 100755
--- a/testsuite/utils/src/main/resources/META-INF/keycloak-server.json
+++ b/testsuite/utils/src/main/resources/META-INF/keycloak-server.json
@@ -96,6 +96,12 @@
 }
 },
+ "datastore": {
+ "legacy": {
+ "allowMigrateExistingDatabaseToSnapshot": "${keycloak.datastore.allowMigrateExistingDatabaseToSnapshot:false}"
+ }
+ },
+
 "realmCache": {
 "default" : {
 "enabled": "${keycloak.realmCache.enabled:true}"
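Review bot: The `datastore.legacy.allowMigrateExistingDatabaseToSnapshot` block added here, and again in testsuite/utils/src/main/resources/META-INF/keycloak-server.json, is not mentioned in the commit message and has no visible link to the passkeys feature. The default is `false`, so behaviour should be unchanged unless the `keycloak.datastore.allowMigrateExistingDatabaseToSnapshot` property is set, but the reason the test servers need the key should be stated in the commit description or the change split into its own commit. Since JSON carries no comments, the description is the only place to record it.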