From 0b95b936ecc8d920485ccb8f5095086e48ba0129 Mon Sep 17 00:00:00 2001
From: AB
Date: Tue, 19 May 2026 01:54:42 +0300
Subject: [PATCH] Added WebAuth
---
 terraform/keycloak/main.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/terraform/keycloak/main.tf b/terraform/keycloak/main.tf
index adfafa2..3cf5e5c 100644
--- a/terraform/keycloak/main.tf
+++ b/terraform/keycloak/main.tf
@@ -19,6 +19,26 @@ resource "keycloak_realm" "hexor" {
 duplicate_emails_allowed = false
 ssl_required = "external"
+
+ web_authn_passwordless_policy {
+ relying_party_entity_name = "Hexor"
+ relying_party_id = "hexor.cy"
+ signature_algorithms = ["ES256", "RS256"]
+ user_verification_requirement = "required"
+ attestation_conveyance_preference = "none"
+ }
+}
+
+# =============================================================================
+# Passkey (WebAuthn Passwordless) — required action
+# =============================================================================
+
+resource "keycloak_required_action" "webauthn_register_passwordless" {
+ realm_id = keycloak_realm.hexor.id
+ alias = "webauthn-register-passwordless"
+ name = "Webauthn Register Passwordless"
+ enabled = true
+ default_action = false
 }
 # =============================================================================
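Review bot: `relying_party_id = "hexor.cy"` in the new `web_authn_passwordless_policy` block scopes every passkey to the whole registrable domain, so any HTTPS origin under `hexor.cy` can request an assertion for these credentials and only the server-side origin check separates the Keycloak host from other subdomains. If passkeys are only needed on the Keycloak hostname, `relying_party_id = "<keycloak-hostname>"` (placeholder) is the least-privilege choice, and it should be settled before rollout because a credential registered under one RP ID cannot be used under another. If the apex is intentional, a comment such as `# RP ID is the apex so passkeys work across subdomains; changing it invalidates registered credentials` would record that decision. The block also leaves `require_resident_key` unset, which presumably allows non-discoverable credentials even though the section is titled "Passkey"; consider `require_resident_key = "Yes"`. No authentication flow that uses the passwordless authenticator is visible in this hunk, so confirm one is bound elsewhere in the file if passkeys are meant to be usable at login.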