Forum OpenACS Development: Changes to OpenACS WebAuthn login modes

Collapse
14: Changes to OpenACS WebAuthn login modes (response to 1)
Posted by Gustaf Neumann on 01/14/26 01:00 PM

After the initial feedback, the new code moved away from a pure passkey-first login because it is not reliable across all platforms (notably Linux desktops, and sometimes Android browser combinations).

The current design supports three modes:

1) passkey (passkey-first)

  • Browser is asked to discover a credential without any user identifier.
  • Works well on Apple platforms and often on Android.
  • Fails silently on some platforms (notably Linux desktop browsers).

2) identifier (identifier-first)

  • User enters email/username first.
  • Server restricts WebAuthn to passkeys registered for that account (allowCredentials).
  • Works reliably on all platforms.
  • This is now the robust fallback.

3) auto (default)

  • Decides per click, not per browser:

  • If identifier field is non-empty → identifier-first

  • If identifier field is empty → try passkey-first
  • If passkey-first fails (e.g. no discoverable credentials), the UI prompts the user to enter an identifier and retries via identifier-first.
  • No user-agent sniffing is relied upon anymore.

To sum up, “Passkey-first” works on many devices (Apple, often Android), but is not consistently supported everywhere. Rather than guessing based on browser/OS, the login flow now adapts dynamically and always has a reliable fallback.

I have installed the new version on openacs.org just now. Previously registered passkeys continue to work (no need to register passkeys again). The changes for the different authorization modes were mostly in JS, and a few in tcl (additional arguments, mode handling).

all the best -g