I've configured Keycloak authentication for the following behaviour:

- The user inputs their userid
- Keycloak should try to authenticate them with the passwordless flow
- As an alternative, the user could switch to password authentication

NOTE: The user already has a registered passwordless device:
The authentication flow has been configured as follows:
I access localhost:8080/realms/myrealm/account and click on Sign in:
I input the userid:
But, instead of being offered to sign up with the security device, I'm asked for the password:
If I select Try another way and click on Security Key:
I am now offered to log in with the device:
Which I can do successfully.
The problem here is that I need the passwordless login to be offered directly, not the password form. Passwordless is actually configured as the first alternative option, so why isn't it working as expected?









Looking at the code of AuthenticationSelectionResolver this seems to be intended behaviour. Try to change the order/position of credentials for your user from within the admin console.
The order of credentials should affect the order in which alternative authenticators will be executed.
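
The reordering suggested in the answer can also be scripted against the Keycloak Admin REST API. The following is an added example, not code from the answer or from Keycloak: it reads a user's credentials in stored order and, if a passwordless WebAuthn credential is not already first, calls the `moveToFirst` endpoint for it. The base URL, user id, admin token and the sample credential ids are placeholders constructed for illustration.

```python
import json
import urllib.request

PASSWORDLESS = "webauthn-passwordless"  # Keycloak credential type for passwordless WebAuthn

# Constructed sample of GET .../users/{id}/credentials (password stored first).
SAMPLE_CREDENTIALS = [
    {"id": "c1-constructed", "type": "password"},
    {"id": "c2-constructed", "type": PASSWORDLESS, "userLabel": "my key"},
]

def plan_reorder(credentials):
    """Return the id of the credential to move to first, or None if the
    passwordless credential already leads. Raises if none is registered."""
    for index, cred in enumerate(credentials):
        if cred.get("type") == PASSWORDLESS:
            return None if index == 0 else cred["id"]
    raise ValueError("user has no passwordless WebAuthn credential")

def move_to_first_path(realm, user_id, credential_id):
    """Admin REST path that moves one credential to the top of the user's list."""
    return (f"/admin/realms/{realm}/users/{user_id}"
            f"/credentials/{credential_id}/moveToFirst")

def _call(base, path, token, method="GET"):
    # POST needs a (possibly empty) body so urllib sends a Content-Length.
    req = urllib.request.Request(
        base + path, method=method,
        data=b"" if method == "POST" else None,
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def prefer_passwordless(base, realm, user_id, token):
    """Fetch the user's credentials and move the passwordless one first if needed."""
    creds = _call(base, f"/admin/realms/{realm}/users/{user_id}/credentials", token)
    cred_id = plan_reorder(creds)
    if cred_id is not None:
        _call(base, move_to_first_path(realm, user_id, cred_id), token, "POST")
    return cred_id

if __name__ == "__main__":
    # Offline check on the constructed sample; no server is contacted.
    print("credential to move first:", plan_reorder(SAMPLE_CREDENTIALS))
```

Calling `prefer_passwordless` requires a token for an account allowed to manage users in the realm, so the change should be made with a narrowly scoped admin or service account.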