How/why to give new device credentials attributes to users

Hello,

I am not a Java developer.

I am looking for a way to assign the following JSON data to individual users:

{
  "type": "device-cert",
  "device_id": "ios-uuid-123",
  "pubkey_fingerprint": "AB:CD:EF",
  "platform": "ios",
  "managed": true
}

Even multiple devices.
The idea: The user or administrator registers the user’s devices.

Why would this be necessary?


  1. What does WebAuthn / Passkey do in Keycloak?

    The purpose of WebAuthn:

    User authentication
    Password replacement / MFA
    Phishing-resistant login

    What does it register?

    • An authenticator which can be:
      • Platform authenticator (e.g., iOS Secure Enclave)
      • Roaming authenticator (YubiKey)

    How does it store it?

    • credential ID
    • public key
    • sign counter

    The result: This is an authenticator, not a “device” identity.


  2. Why not device registration?

    Critical differences:

    | WebAuthn              | Device registration    |
    |-----------------------|------------------------|
    | Auth purpose          | Network access purpose |
    | Bound to user login   | VPN / eduroam auth     |
    | Not exportable        | Cert / mTLS            |
    | Not RADIUS compatible | ✓                      |
    | Not policy-able       | ✓                      |
    | Browser context       | OS / app context       |

    The result: The WebAuthn credential cannot be used for EAP-TLS or VPN mTLS.


  3. But isn’t the passkey tied to the device?

    /!\ Logically yes, operationally no.

    Passkey:

    • Internal use of the given OS / secure element
    • You cannot access it

    The result: You cannot use it to:

    • Generate a CSR
    • Create a client cert
    • Write a RADIUS policy

    The result: This is user authentication, not device identity.


  4. So what is a “device” in our model?

    An entity that:

    • has its own key
    • has its own lifecycle
    • has its own policy
    • can be revoked separately

    The result: This is NOT the same as a WebAuthn authenticator.


  5. Why is Keycloak’s built-in WebAuthn not enough?

    Because:

    • you cannot:
      • “only managed devices for VPN”
      • “max 3 devices / user”
      • “disable this laptop”
      • bind it to a certificate
      • export it to RADIUS
      • use it for eduroam roaming

  6. So what is WebAuthn good for in this system?

    It is an EXCELLENT user-auth layer.

    Typical combination:

    • User auth: WebAuthn / Passkey (Keycloak)
    • Device auth: device-bound client cert
    • Access: eduroam / eduVPN

    This is best practice.

  7. Is a Java extension required?

    In short:

    Yes, if you want true device registration.

    Why?

    Because Keycloak by default:

    • does not keep track of “device” entities
    • does not manage device lifecycle
    • does not export device policy

    Java SPI:

    • creates the concept of “device credential”
    • connects it to the user
    • can be integrated with CA

  8. Is there a workaround without Java?

    /!\ Temporarily, but not recommended for the long term:

    • User attributes hack
    • Group mapping
    • External DB + REST

    These:

    • are not revocable
    • cannot be audited
    • are not scalable

  9. Summary

    • WebAuthn != device registration
    • Passkey != device identity
    • Keycloak lacks device lifecycle
    • Custom credential provider == I think this is the right direction

Thank you in advance for your help.
Regards,

Short answer: just review the device fingerprint SPIs offered by the community, since you can store the device as a custom credential (CredentialModel) instead of a user attribute.

As a side note, keep the post short, since explaining the differences between WebAuthn and device fingerprinting does not make sense, as the differences are already clear.
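As an added illustration of the direction the reply recommends (one custom credential per device, stored as a CredentialModel rather than as a user attribute), below is an example provider written for this page. It is not code from the original post, from Keycloak, or from any community SPI. It assumes Keycloak's public CredentialProvider SPI with the `UserModel.credentialManager()` API (Keycloak 20 and later); the package name `example.devicecred`, the class names, and the methods `register`, `managedFingerprints` and `revokeByDeviceId` are hypothetical names chosen for the example. The three policies it enforces (at most 3 devices per user, managed devices only for the VPN side, revoking a single device) are the ones the question lists.

```java
package example.devicecred; // hypothetical package, not part of Keycloak

import java.io.IOException;
import java.util.Optional;
import java.util.stream.Stream;

import com.fasterxml.jackson.annotation.JsonProperty;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.CredentialProviderFactory;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.credential.CredentialTypeMetadataContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.util.JsonSerialization;

/**
 * Stores every registered device as its own CredentialModel of type "device-cert":
 * one credential row per device instead of one JSON blob in a user attribute.
 * Each device therefore has its own id, created date and label and can be listed,
 * audited and revoked on its own through Keycloak's credential manager.
 */
public class DeviceCertCredentialProvider implements CredentialProvider<CredentialModel> {

    public static final String TYPE = "device-cert";
    static final int MAX_DEVICES_PER_USER = 3; // the "max 3 devices / user" policy from the question

    private final KeycloakSession session;

    public DeviceCertCredentialProvider(KeycloakSession session) { this.session = session; }

    /** The JSON object from the question, mapped field by field so it can live in credentialData. */
    public static class DeviceCert {
        @JsonProperty("type") public String type = TYPE;
        @JsonProperty("device_id") public String deviceId;
        @JsonProperty("pubkey_fingerprint") public String pubkeyFingerprint;
        @JsonProperty("platform") public String platform;
        @JsonProperty("managed") public boolean managed;
    }

    /** Register one device for a user (hypothetical entry point, e.g. from an admin REST resource). */
    public CredentialModel register(RealmModel realm, UserModel user, DeviceCert device) throws IOException {
        if (devices(user).count() >= MAX_DEVICES_PER_USER)
            throw new IllegalStateException("device limit reached for " + user.getUsername());
        if (findByDeviceId(user, device.deviceId).isPresent())
            throw new IllegalStateException("device already registered: " + device.deviceId);
        CredentialModel model = new CredentialModel();
        model.setType(TYPE);
        model.setUserLabel(device.platform + " " + device.deviceId);
        // credentialData holds the non-secret part: fingerprint, platform, managed flag.
        model.setCredentialData(JsonSerialization.writeValueAsString(device));
        // Nothing secret is stored: the private key stays on the device, Keycloak only knows its fingerprint.
        model.setSecretData("{}");
        return createCredential(realm, user, model);
    }

    /** "Only managed devices for VPN": the fingerprints the RADIUS / VPN side may accept for this user. */
    public Stream<String> managedFingerprints(UserModel user) {
        return devices(user).filter(d -> d.managed).map(d -> d.pubkeyFingerprint);
    }

    /** "Disable this laptop": revoke exactly one device without touching the user's other devices. */
    public boolean revokeByDeviceId(RealmModel realm, UserModel user, String deviceId) {
        return findByDeviceId(user, deviceId).map(m -> deleteCredential(realm, user, m.getId())).orElse(false);
    }

    private Stream<DeviceCert> devices(UserModel user) {
        return user.credentialManager().getStoredCredentialsByTypeStream(TYPE).map(DeviceCertCredentialProvider::parse);
    }

    private Optional<CredentialModel> findByDeviceId(UserModel user, String deviceId) {
        return user.credentialManager().getStoredCredentialsByTypeStream(TYPE)
                .filter(m -> deviceId.equals(parse(m).deviceId)).findFirst();
    }

    private static DeviceCert parse(CredentialModel m) {
        try { return JsonSerialization.readValue(m.getCredentialData(), DeviceCert.class); }
        catch (IOException e) { throw new IllegalStateException("corrupt device-cert credential " + m.getId(), e); }
    }

    @Override public String getType() { return TYPE; }

    @Override public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel model) {
        if (model.getCreatedDate() == null) model.setCreatedDate(System.currentTimeMillis());
        return user.credentialManager().createStoredCredential(model);
    }

    @Override public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
        return user.credentialManager().removeStoredCredentialById(credentialId);
    }

    @Override public CredentialModel getCredentialFromModel(CredentialModel model) {
        return TYPE.equals(model.getType()) ? model : null;
    }

    @Override public CredentialTypeMetadata getCredentialTypeMetadata(CredentialTypeMetadataContext ctx) {
        return CredentialTypeMetadata.builder().type(TYPE).category(CredentialTypeMetadata.Category.TWO_FACTOR)
                .displayName("Registered device").helpText("Device-bound certificate fingerprint for VPN / eduroam access")
                .removeable(true).build(session);
    }

    /** Listed in META-INF/services/org.keycloak.credential.CredentialProviderFactory so Keycloak loads it. */
    public static class Factory implements CredentialProviderFactory<DeviceCertCredentialProvider> {
        @Override public String getId() { return TYPE; }
        @Override public DeviceCertCredentialProvider create(KeycloakSession s) { return new DeviceCertCredentialProvider(s); }
    }
}
```

Because each device is a separate stored credential, the account console and admin console already list and delete it like any other credential, removal of one device does not affect the others, and the RADIUS or VPN integration can be fed from `managedFingerprints` instead of parsing a hand-maintained attribute string. The CA integration the question mentions would sit in front of `register`: issue the client certificate first, then record its fingerprint here.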
