Hello there,
I would like to set up a browser authentication flow where:
- A user must first enter their username/password.
- A user must use a second authentication factor:
2a) If the user already has a WebAuthn credential, then he must use it.
2b) If that user doesn't have a WebAuthn credential, then he must use his OTP without even being prompted for WebAuthn. All users have an OTP.
As weird as it seems, I cannot get that to work. My authentication flow is the following:
- Cookie [alternative]
- Identity Provider Redirector [alternative]
- Browser 2FA [alternative]
- Username Password Form [required]
- Second Factor [required]
- WebAuthn [conditional]
- Condition - User Configured [required]
- WebAuthn Authenticator [required]
- OTP [alternative]
- OTP Form [required]
- WebAuthn [conditional]
If I use this flow, it works for a user with WebAuthn credentials already configured.
But for a user without WebAuthn credentials, after entering username + password, “invalid username or password” is displayed and the following error is generated in the server logs:
REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored
If I switch the WebAuthn to [alternative], then it always asks users who don't already have WebAuthn credentials to register them, which is not what I want.
How can I make it work?