Revise help icons for WebauthnPolicy settings (#34465) (#34466)

- Add missing icons with help labels
- Use correct help text for webAuthnPolicyCreateTimeout

Fixes #34465

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties

@@ -231,7 +231,7 @@ eventTypes.USER_DISABLED_BY_TEMPORARY_LOCKOUT_ERROR.name=User disabled by tempor
 deleteUser=Delete user
 addedNodeSuccess=Node successfully added
 eventTypes.INTROSPECT_TOKEN_ERROR.description=Introspect token error
-webAuthnPolicyUserVerificationRequirementHelp=Communicates to an authenticator to confirm actually verifying a user.
+webAuthnPolicyUserVerificationRequirementHelp=Communicates to an authenticator whether to require to verify a user.
 syncModes.import=Import
 realmSaveError=Realm could not be updated\: {{error}}
 authDataDescription=Represents a token carrying authorization data as a result of the processing of an authorization request. This representation is basically what Keycloak issues to clients asking for permission. Check the `authorization` claim for the permissions that where granted based on the current authorization request.
@@ -418,7 +418,7 @@ x509CertificateHelp=X509 Certificate encoded in PEM format
 samlEndpointsLabel=SAML 2.0 Service Provider Metadata
 passCurrentLocaleHelp=Pass the current locale to the identity provider as a ui_locales parameter.
 lessThan=Must be less than {{value}}
-webAuthnPolicyRequireResidentKeyHelp=It tells an authenticator create a public key credential as Discoverable Credential or not.
+webAuthnPolicyRequireResidentKeyHelp=It tells an authenticator whether to create a public key credential as a Discoverable Credential.
 logoutServiceRedirectBindingURL=Logout Service Redirect Binding URL
 createIdentityProviderSuccess=Identity provider successfully created
 emptyMappersInstructions=If you want to add mappers, please click the button below to add some predefined mappers or to configure a new mapper.
@@ -689,7 +689,7 @@ clientPolicySearch=Search client policy
 refreshTokens=Refresh tokens
 eventTypes.UPDATE_EMAIL_ERROR.description=Update email error
 credentials=Credentials
-webAuthnPolicyCreateTimeoutHelp=Timeout value for creating user's public key credential in seconds. if set to 0, this timeout option is not adapted.
+webAuthnPolicyCreateTimeoutHelp=The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not adapted.
 policyType.hotp=Counter based
 claimFilterValue=Essential claim value
 eventTypes.REGISTER_ERROR.name=Register error
@@ -1250,7 +1250,7 @@ realmRoles=Realm roles
 fineGrainOpenIdConnectConfigurationHelp=This section is used to configure advanced settings of this client related to OpenID Connect protocol.
 searchForUserDescription=This realm may have a federated provider. Viewing all users may cause the system to slow down, but it can be done by searching for "*". Please search for a user above.
 expirationHelp=Sets the expiration for events. Expired events are periodically deleted from the database.
-webAuthnPolicySignatureAlgorithmsHelp=What signature algorithms should be used for Authentication Assertion.
+webAuthnPolicySignatureAlgorithmsHelp=The signature algorithms that should be used for the Authentication Assertion.
 setToNowError=Error\! Failed to set notBefore to current date and time: {{error}}
 eventTypes.UNREGISTER_NODE_ERROR.description=Unregister node error
 clientScopeTypes.optional=Optional
@@ -1272,7 +1272,7 @@ revoke=Revoke
 admin=Admin
 syncUsersError=Could not sync users\: '{{error}}'
 generatedAccessTokenHelp=See the example access token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself
-webAuthnPolicyAcceptableAaguidsHelp=The list of AAGUID of which an authenticator can be registered.
+webAuthnPolicyAcceptableAaguidsHelp=The list of allowed AAGUIDs of which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).
 keyPasswordHelp=Password for the private key
 frontchannelLogout=Front channel logout
 clientUpdaterTrustedHostsTooltip=List of Hosts, which are trusted. In case that client registration/update request comes from the host/domain specified in this configuration, condition evaluates to true. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com' ) then whole domain example.com will be trusted.
@@ -1721,7 +1721,7 @@ mappedGroupAttributes=Mapped group attributes
 localization=Localization
 importConfig=Import config from file
 replyToDisplayNameHelp=A user-friendly name for the 'Reply-To' address (optional).
-webAuthnPolicyRpIdHelp=This is ID as WebAuthn Relying Party. It must be origin's effective domain.
+webAuthnPolicyRpIdHelp=The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.
 signingKeysConfigExplain=If you enable the "Client signature required" below, you must configure the signing keys by generating or importing keys, and the client will sign their saml requests and responses. The signature will be validated.
 newClientProfile=Create client profile
 consoleDisplayConnectionUrlHelp=Connection URL to your LDAP server
@@ -2853,7 +2853,7 @@ credentialData=Data
 clientRolesConditionTooltip=Client roles, which will be checked during this condition evaluation. Condition evaluates to true if client has at least one client role with the name as the client roles specified in the configuration.
 invalidateSecret=Invalidate
 emptyPermissionInstructions=If you want to create a permission, please click the button below to create a resource-based or scope-based permission.
-webAuthnPolicyAvoidSameAuthenticatorRegisterHelp=Avoid registering the authenticator that has already been registered.
+webAuthnPolicyAvoidSameAuthenticatorRegisterHelp=Avoid registering an authenticator that has already been registered.
 memberofLdapAttribute=Member-of LDAP attribute
 supportedLocales=Supported locales
 showPasswordDataValue=Value
@@ -2936,7 +2936,7 @@ clientSecretHelp=The client secret registered with the identity provider. This f
 offlineSessionMax=Offline Session Max
 generatedUserInfoHelp=See the example User Info, which will be provided by the User Info Endpoint
 dynamicScopeFormat=Dynamic scope format
-webAuthnPolicyExtraOriginsHelp=The list of extra origin for non-web application.
+webAuthnPolicyExtraOriginsHelp=The list of extra origins for non-web applications.
 updatePermissionSuccess=Successfully updated the permission
 idpLinkSuccess=Identity provider has been linked
 removeAnnotationText=Remove annotation

js/apps/admin-ui/src/authentication/policies/WebauthnPolicy.tsx

@@ -66,6 +66,7 @@ const USER_VERIFY = [
 type WeauthnSelectProps = {
   name: string;
   label: string;
+  labelIcon?: string;
   options: readonly string[];
   labelPrefix?: string;
   isMultiSelect?: boolean;
@@ -74,6 +75,7 @@ type WeauthnSelectProps = {
 const WebauthnSelect = ({
   name,
   label,
+  labelIcon,
   options,
   labelPrefix,
   isMultiSelect = false,
@@ -82,7 +84,8 @@ const WebauthnSelect = ({
   return (
     <SelectControl
       name={name}
-      label={t(label)}
+      label={label}
+      labelIcon={labelIcon}
       variant={isMultiSelect ? "typeaheadMulti" : "single"}
       controller={{ defaultValue: options[0] }}
       options={options.map((option) => ({
@@ -165,7 +168,8 @@ export const WebauthnPolicy = ({
           />
           <WebauthnSelect
             name={`${namePrefix}SignatureAlgorithms`}
-            label="webAuthnPolicySignatureAlgorithms"
+            label={t("webAuthnPolicySignatureAlgorithms")}
+            labelIcon={t("webAuthnPolicySignatureAlgorithmsHelp")}
             options={SIGNATURE_ALGORITHMS}
             isMultiSelect
           />
@@ -176,32 +180,36 @@ export const WebauthnPolicy = ({
           />
           <WebauthnSelect
             name={`${namePrefix}AttestationConveyancePreference`}
-            label="webAuthnPolicyAttestationConveyancePreference"
+            label={t("webAuthnPolicyAttestationConveyancePreference")}
+            labelIcon={t("webAuthnPolicyAttestationConveyancePreferenceHelp")}
             options={ATTESTATION_PREFERENCE}
             labelPrefix="attestationPreference"
           />
           <WebauthnSelect
             name={`${namePrefix}AuthenticatorAttachment`}
-            label="webAuthnPolicyAuthenticatorAttachment"
+            label={t("webAuthnPolicyAuthenticatorAttachment")}
+            labelIcon={t("webAuthnPolicyAuthenticatorAttachmentHelp")}
             options={AUTHENTICATOR_ATTACHMENT}
             labelPrefix="authenticatorAttachment"
           />
           <WebauthnSelect
             name={`${namePrefix}RequireResidentKey`}
-            label="webAuthnPolicyRequireResidentKey"
+            label={t("webAuthnPolicyRequireResidentKey")}
+            labelIcon={t("webAuthnPolicyRequireResidentKeyHelp")}
             options={RESIDENT_KEY_OPTIONS}
             labelPrefix="residentKey"
           />
           <WebauthnSelect
             name={`${namePrefix}UserVerificationRequirement`}
-            label="webAuthnPolicyUserVerificationRequirement"
+            label={t("webAuthnPolicyUserVerificationRequirement")}
+            labelIcon={t("webAuthnPolicyUserVerificationRequirementHelp")}
             options={USER_VERIFY}
             labelPrefix="userVerify"
           />
           <TimeSelectorControl
             name={`${namePrefix}CreateTimeout`}
             label={t("webAuthnPolicyCreateTimeout")}
-            labelIcon={t("otpPolicyPeriodHelp")}
+            labelIcon={t("webAuthnPolicyCreateTimeoutHelp")}
             units={["second", "minute", "hour"]}
             controller={{
               defaultValue: 0,