oidc-passkey

There are lots of FIDO2/WebAuthn demos out there. So what aspects are different with this one:

allows FIDO passkey as 1st (for 1FA) or 2nd (for 2FA) factor during authentication
employs LDAP during registration and as 1st (for 2FA) factor during authentication
fully implemented with Keycloak
allows further integration via OIDC (and SAML)
implementation resides in eight OCI containers (Keycloak, PostgreSQL, acme.sh, five Apaches for demos)
under Apache License (like Keycloak)

Demos

All demos are accessible from a common landing page https://$APACHE_HOSTNAME; they allow removal of registrations and addition of authenticators in specific account consoles; and they allow read-only inspection of Keycloak configurations in specific realm admin consoles.

demo	authentication	registration	user federation	protocol	OP	RP
#1	FIDO2 (1FA)	username/password	LDAP	OIDC	Keycloak	Apache (`mod_auth_openidc`)
#2	username/password + FIDO2 (2FA)	username/password	LDAP	OIDC	Keycloak	Apache (`mod_auth_openidc`)
#3	FIDO2 (1FA)	username/password	LDAP	SAML	Keycloak	Apache (`mod_shib`)
#4	username/password + FIDO2 (2FA)	username/password	LDAP	SAML	Keycloak	Apache (`mod_shib`))
#6	username/password + FIDO2 (2FA)	username/password	n/a	OIDC	Keycloak	vSphere (ADFS provider)

vSphere

Configure vCenter Server Identity Provider Federation for ADFS as follows:

option	value
Base distinguished name for users	`cn=users,dc=$(echo $VSPHERE_DOMAIN
Base distinguished name for groups	`cn=users,dc=$(echo $VSPHERE_DOMAIN
Username	`cn=demo-6-client,cn=bind,dc=$(echo $VSPHERE_DOMAIN
Password	client secret for client `demo-6-client` in realm `oidc-passkey-demo-6`
Primary server URL	`ldap://$KEYCLOAK_HOSTNAME:3893`
Secondary server URL	n/a
Certificates (for LDAPS)	n/a
Identity provider name	`demo-6-client`
Client identifier	`demo-6-client`
Share secret	client secret for client `demo-6-client` in realm `oidc-passkey-demo-6`
OpenID Address	`https://$KEYCLOAK_HOSTNAME:$KEYCLOAK_PORT/realms/oidc-passkey-demo-6/.well-known/openid-configuration`

(tested with vSphere 8.1)

Installation

sudo apt-get install xinetd
sudo sh -c "cat docs/xinetd.conf >> /etc/xinetd.d/services" # 1.
sudo systemctl reload xinetd.service
./scripts/build-base --no-cache
./scripts/build-demo --no-cache
cp docs/config.yaml .
editor config.yamla #2
./scripts/create-secrets #3
./scripts/reset-volumes
sudo loginctl enable-linger $(whoami)
./scripts/start-base
./scripts/start-base
podman pod ps

The reference deployment uses Podman as container runtime and podman kube play as orchestrator. Containers run in a rootless environment, hence ports 80 and 443 must be redirected to unprivileged ports.
see below
Podman 4.3.1 requires workaround for issue #16269.

(tested with Debian 12.1, Podman 4.3.1)

Environment variables

env		example
`ACME_EMAIL`		(email address)
`ACME_SERVER`	1.	`https://acme.zerossl.com/v2/DV90`
`APACHE_EMAIL`		(email address)
`APACHE_HOSTNAME`	2.	(FQDN)
`APACHE_LOG_LEVEL`	3.	`debug`
`APP_IDS`		`1 2 3 4 6`
`KEYCLOAK_EMAIL`		(email address)
`KEYCLOAK_HOSTNAME`	2.	(FQDN)
`KEYCLOAK_LOG_LEVEL`	3.	`debug`
`KEYCLOAK_OIDC_REMOTE_USER_CLAIM`		`given_name ^(.+?)(?:\s.+)?$ $1`
`KEYCLOAK_OIDC_SCOPE`		`openid profile`
`KEYCLOAK_PORT`	TODO	TODO
`LDAP_SERVER`	4.	`ldap://ldap.forumsys.com:389`
`REALM_IDS`		`1 2 3 4 6`
`SMTP_SERVER`
`VSPHERE_DOMAIN`
`VSPHERE_SERVER`

optional; default is https://acme.zerossl.com/v2/DV90
optional; default is $(hostname -f)
optional; default is info
optional

Secrets

secret	keys
`acme-eab`	`hmac_key`, `kid`	1.
`keycloak-admin-password`	`password`	2.
`postgres-keycloak-password`	`password`	3.
`postgres-password`	`password`	4.

leave empty for ACME HTTP Challenge instead of External Account Binding (EAB)
password for user admin on Keycloak Administration Console
password for PostgreSQL role keycloak
password for PostgreSQL role postgres

christian-2 / oidc-passkey