Wrap deprecated passkeys authenticator behind the feature

closes #40696

Signed-off-by: mposolda <mposolda@gmail.com>

common/src/main/java/org/keycloak/common/Profile.java

@@ -125,6 +125,7 @@ public class Profile {
         ORGANIZATION("Organization support within realms", Type.DEFAULT),
 
         PASSKEYS("Passkeys", Type.PREVIEW, Feature.WEB_AUTHN),
+        PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR("Passkeys conditional UI authenticator", Type.DEPRECATED, FeatureUpdatePolicy.ROLLING_NO_UPGRADE, Feature.PASSKEYS),
 
         USER_EVENT_METRICS("Collect metrics based on user events", Type.DEFAULT),
 

docs/documentation/upgrading/topics/changes/changes-26_4_0.adoc

@@ -110,6 +110,14 @@ The options `+--spi-user-sessions--infinispan--offline-session-cache-entry-lifes
 
 Instead use the options `cache-embedded-offline-sessions-max-count` and `cache-embedded-offline-client-sessions-max-count` to limit the memory usage if the default of 10000 cache offline user and client sessions does not work in your scenario.
 
+=== Deprecated Passkeys Conditional UI Authenticator requires a feature
+
+The authenticator *Passkeys Conditional UI Authenticator*, which was deprecated in the previous version 26.3.0, is still available for now, but it requires the feature
+`passkeys_conditional_ui_authenticator` to be explicitly enabled during server startup. The feature itself is deprecated and disabled by default.
+This allows administrator to start the server and re-configure authentication flows for passkeys authentication in a recommended way as described
+in the link:{adminguide_link}#passkeys_server_administration_guide[Passkeys] chapter in the {adminguide_name}. In the future major version, we plan to remove the feature
+as well as the *Passkeys Conditional UI Authenticator* as already announced.
+
 // ------------------------ Removed features ------------------------ //
 == Removed features
 

services/src/main/java/org/keycloak/authentication/authenticators/browser/PasskeysConditionalUIAuthenticatorFactory.java

@@ -56,7 +56,7 @@ public class PasskeysConditionalUIAuthenticatorFactory extends WebAuthnPasswordl
 
     @Override
     public boolean isSupported(Config.Scope config) {
-        return Profile.isFeatureEnabled(Profile.Feature.PASSKEYS);
+        return Profile.isFeatureEnabled(Profile.Feature.PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR);
     }
 
     @Override

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/passwordless/PasskeysConditionalUITest.java

@@ -45,6 +45,7 @@ import org.openqa.selenium.firefox.FirefoxDriver;
  * @author rmartinc
  */
 @EnableFeature(value = Profile.Feature.PASSKEYS, skipRestart = true)
+@EnableFeature(value = Profile.Feature.PASSKEYS_CONDITIONAL_UI_AUTHENTICATOR, skipRestart = true)
 @IgnoreBrowserDriver(FirefoxDriver.class) // See https://github.com/keycloak/keycloak/issues/10368
 public class PasskeysConditionalUITest extends AbstractWebAuthnVirtualTest {
 

testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json

@@ -167,6 +167,12 @@
         }
     },
 
+    "datastore": {
+        "legacy": {
+            "allowMigrateExistingDatabaseToSnapshot": "${keycloak.datastore.allowMigrateExistingDatabaseToSnapshot:false}"
+        }
+    },
+
     "realmCache": {
         "default" : {
             "enabled": "${keycloak.realmCache.enabled:true}"

testsuite/utils/src/main/resources/META-INF/keycloak-server.json

@@ -96,6 +96,12 @@
         }
     },
 
+    "datastore": {
+        "legacy": {
+            "allowMigrateExistingDatabaseToSnapshot": "${keycloak.datastore.allowMigrateExistingDatabaseToSnapshot:false}"
+        }
+    },
+
     "realmCache": {
         "default" : {
             "enabled": "${keycloak.realmCache.enabled:true}"