From 849a920955407d44bc0864ecafb98ca66d063e2c Mon Sep 17 00:00:00 2001 From: Takashi Norimatsu Date: Mon, 19 Feb 2024 05:32:35 +0900 Subject: [PATCH] Rename Resident key to Discoverable Credential closes #9508 Signed-off-by: Takashi Norimatsu --- .../server_admin/topics/authentication/webauthn.adoc | 10 +++++----- .../keycloak.v2/admin/messages/messages_en.properties | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/documentation/server_admin/topics/authentication/webauthn.adoc b/docs/documentation/server_admin/topics/authentication/webauthn.adoc index babb1c87b7..29e1ebd897 100644 --- a/docs/documentation/server_admin/topics/authentication/webauthn.adoc +++ b/docs/documentation/server_admin/topics/authentication/webauthn.adoc 
@@ -130,8 +130,8 @@ The configurable items and their description are as follows: |Authenticator Attachment |The acceptable attachment pattern of a WebAuthn authenticator for the WebAuthn Client. This pattern is an optional configuration item applying to the registration of the WebAuthn authenticator. For more details, see https://www.w3.org/TR/webauthn/#enumdef-authenticatorattachment[WebAuthn Specification]. -|Require Resident Key -|The option requiring that the WebAuthn authenticator generates the Public Key Credential as https://www.w3.org/TR/webauthn/[Client-side-resident Public Key Credential Source]. This option applies to the registration of the WebAuthn authenticator. If left blank, its behavior is the same as selecting "No". For more details, see https://www.w3.org/TR/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey[WebAuthn Specification]. +|Require Discoverable Credential +|The option requiring that the WebAuthn authenticator generates the Public Key Credential as https://www.w3.org/TR/webauthn-3/[Client-side discoverable Credential]. This option applies to the registration of the WebAuthn authenticator. If left blank, its behavior is the same as selecting "No". For more details, see https://www.w3.org/TR/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey[WebAuthn Specification]. |User Verification Requirement |The option requiring that the WebAuthn authenticator confirms the verification of a user. This is an optional configuration item applying to the registration of a WebAuthn authenticator and the authentication of a user by a WebAuthn authenticator. If no option exists, its behavior is the same as selecting "preferred". 
For more details, see https://www.w3.org/TR/webauthn/#dom-authenticatorselectioncriteria-userverification[WebAuthn Specification for registering a WebAuthn authenticator] and https://www.w3.org/TR/webauthn/#dom-publickeycredentialrequestoptions-userverification[WebAuthn Specification for authenticating the user by a WebAuthn authenticator]. 
@@ -225,7 +225,7 @@ You can now add *WebAuthn Register Passwordless* as the required action to a use {project_name} uses WebAuthn for two-factor authentication, but you can use WebAuthn as the first-factor authentication. In this case, users with `passwordless` WebAuthn credentials can authenticate to {project_name} without submitting a login or a password. {project_name} can use WebAuthn as both the loginless/passwordless and two-factor authentication mechanism in the context of a realm. -An administrator typically requires that Security Keys registered by users for the WebAuthn loginless authentication meet different requirements. Loginless authentication requires users to authenticate to the security key (for example by using a PIN code or a fingerprint) and that the cryptographic keys associated with the loginless credential are stored physically on the security key. Not all security keys meet that kind of requirements. Check with your security key vendor if your device supports 'user verification' and 'resident key'. See <<_webauthn-supported-keys, Supported Security Keys>>. +An administrator typically requires that Security Keys registered by users for the WebAuthn loginless authentication meet different requirements. Loginless authentication requires users to authenticate to the security key (for example by using a PIN code or a fingerprint) and that the cryptographic keys associated with the loginless credential are stored physically on the security key. Not all security keys meet that kind of requirements. Check with your security key vendor if your device supports 'user verification' and 'discoverable credential'. See <<_webauthn-supported-keys, Supported Security Keys>>. {project_name} permits administrators to configure the `WebAuthn Passwordless Policy` in a way that allows loginless authentication. Note that loginless authentication can only be configured with `WebAuthn Passwordless Policy` and with `WebAuthn Passwordless` credentials. 
WebAuthn loginless authentication and WebAuthn passwordless authentication can be configured on the same realm but will share the same policy `WebAuthn Passwordless Policy`. 
@@ -236,7 +236,7 @@ Set up WebAuthn Loginless support as follows: . (if not already present) Register a new required action for WebAuthn passwordless support. Use the steps described in <<_webauthn-register, Enable WebAuthn Authenticator Registration>>. Register the `Webauthn Register Passwordless` action. -. Configure the `WebAuthn Passwordless Policy`. Perform the configuration in the Admin Console, `Authentication` section, in the tab `Policies` -> `WebAuthn Passwordless Policy`. You have to set *User Verification Requirement* to *required* and *Require Resident Key* to *Yes* when you configure the policy for loginless scenario. Note that since there isn't a dedicated Loginless policy it won't be possible to mix authentication scenarios with user verification=no/resident key=no and loginless scenarios (user verification=yes/resident key=yes). Storage capacity is usually very limited on security keys meaning that you won't be able to store many resident keys on your security key. +. Configure the `WebAuthn Passwordless Policy`. Perform the configuration in the Admin Console, `Authentication` section, in the tab `Policies` -> `WebAuthn Passwordless Policy`. You have to set *User Verification Requirement* to *required* and *Require Discoverable Credential* to *Yes* when you configure the policy for loginless scenario. Note that since there isn't a dedicated Loginless policy it won't be possible to mix authentication scenarios with user verification=no/discoverable credential=no and loginless scenarios (user verification=yes/discoverable credential=yes). Storage capacity is usually very limited on security keys meaning that you won't be able to store many discoverable credentials on your security key. . Configure the authentication flow. Create a new authentication flow, add the "WebAuthn Passwordless" execution and set the Requirement setting of the execution to *Required* 
@@ -255,7 +255,7 @@ Loginless authentication with {project_name} requires the security key to meet t ** FIDO2 compliance: not to be confused with FIDO/U2F ** User verification: the ability for the security key to authenticate the user (prevents someone finding your security key to be able to authenticate loginless and passwordless) -** Resident key: the ability for the security key to store the login and the cryptographic keys associated with the client application +** Discoverable Credential: the ability for the security key to store the login and the cryptographic keys associated with the client application ====== Windows Hello diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties index 2c8616a389..dbd604b90f 100644 --- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties +++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties @@ -415,7 +415,7 @@ x509CertificateHelp=X509 Certificate encoded in PEM format samlEndpointsLabel=SAML 2.0 Service Provider Metadata passCurrentLocaleHelp=Pass the current locale to the identity provider as a ui_locales parameter. lessThan=Must be less than {{value}} -webAuthnPolicyRequireResidentKeyHelp=It tells an authenticator create a public key credential as Resident Key or not. +webAuthnPolicyRequireResidentKeyHelp=It tells an authenticator create a public key credential as Discoverable Credential or not. logoutServiceRedirectBindingURL=Logout Service Redirect Binding URL createIdentityProviderSuccess=Identity provider successfully created emptyMappersInstructions=If you want to add mappers, please click the button below to add some predefined mappers or to configure a new mapper. 
@@ -716,7 +716,7 @@ policyEnforcementModes.ENFORCING=Enforcing rowSaveBtnAriaLabel=Save edits for {{messageBundle}} permanentLockout=Permanent lockout debug=Debug -webAuthnPolicyRequireResidentKey=Require resident key +webAuthnPolicyRequireResidentKey=Require discoverable credential unlockUsersConfirm=All the users that are temporarily locked will be unlocked. clear=Clear idpType.custom=Custom
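Review bot: In the `@@ -130,8 +130,8 @@` hunk of webauthn.adoc the two links for the same option now disagree: the inline term links to the document root `https://www.w3.org/TR/webauthn-3/` with no anchor, while the trailing "For more details" link still points at the unversioned `https://www.w3.org/TR/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey`. Pick one spec version for both and link the term to the definition's anchor rather than the root so the reader lands on the text being cited. Since the label is now "Require Discoverable Credential" but the spec option it links to is still `requireResidentKey`, one short sentence stating that the two names refer to the same option would spare administrators the mismatch. The link text "Client-side discoverable Credential" also mixes cases; the spec writes the term as "client-side discoverable credential".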
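Review bot: In the `@@ -236,7 +236,7 @@` hunk the rewritten step still reads "when you configure the policy for loginless scenario"; since the line is being touched anyway, "for the loginless scenario" fixes the missing article. The parenthetical pairs "user verification=no/discoverable credential=no" and "user verification=yes/discoverable credential=yes" are correct as renamed, but the sentence before them already spells out the two required settings, so the pairs could be shortened to avoid restating them.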
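Review bot: In the `@@ -415,7 +415,7 @@` hunk of messages_en.properties the help text `webAuthnPolicyRequireResidentKeyHelp=It tells an authenticator create a public key credential as Discoverable Credential or not.` is still ungrammatical ("tells an authenticator create"); a rename touching this string is the moment to reword it, for example `webAuthnPolicyRequireResidentKeyHelp=Whether the authenticator must create the public key credential as a discoverable credential.` Keeping the property key as `webAuthnPolicyRequireResidentKeyHelp` is right, since renaming the key would orphan every existing translation of it.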
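Review bot: In the `@@ -716,7 +716,7 @@` hunk the label becomes `webAuthnPolicyRequireResidentKey=Require discoverable credential` in lowercase, while the documentation hunk at `@@ -130,8 +130,8 @@` renders the same field as *Require Discoverable Credential* and the help text capitalises "Discoverable Credential". Administrators searching the docs for the exact label shown in the Admin Console will not find a match; align the casing across the three places (title case in the label and docs, or sentence case everywhere) in this same change.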