Mit einem Custom Authenticator kann man sowas machen.

Have a look at my github.com/dasniko/keycloak-extensions-demo repository, perhaps this will help you as a starter. It's a multi-module-maven project, but it's not necessarily needed to have a multi-module project.

Docker swarm deployment uses some different network mode than compose or K8s. You'll have to figure out the public hostname or ip address first. It's long ago I did this once, don't remember all the details. Nearly nobody uses swarm anymore...

@@dasniko Thanks! Yeah, I came to the same conclusion but since the new docker image don't have any way to get the ip address I can't get that IP inside the sh file. I was trying to get a simple deployment with out k8s

If you'll implement it that way, then it'll work. But you'll have to implement more than only the magic-link authenticator...

OIDC is all about browser flows, not API.

You need to implement a custom conditional authenticator according to your requirements how you can detect „type A“ and „type B“ users. Then, build the authentication flow properly with your custom condition and the other authenticators.

if you don't want to use Keycloak, then simply don't use it and don't look for insecure workarounds

@@dasniko i have to use keycloak , i just want an Api , does keycloak exposes any Passwordless WebAuth API during register , i want to integrate this webAuthn passwordless with springboot how can i , is it possible??

@@AbhilashaVar Well, if you have to use Keycloak, then use it properly, as it is meant to be used, not as you want it to use. Keycloak is an OIDC Identity Probider, not an API server. In doubt, learn the OIDC specs.

C'mon... that's not that hard. Giving this example as a startet, you just have to show the link with an QR code, instead of sending it via email...

@Niko Köbler (@dasniko) - Keycloak Expert When the user scans the qr code and gets the link, how can we log him in ? Is there a REST API to send the link to it, and then the Qr code page is loaded and the user is logged in ?

Ja, das habe ich ja erwähnt. Es gibt auch andere Ansätze, dann mit einem Custom-LoginActionToken. Hierbei ist dann die Security wieder eher ein Trade-off.

Like in my example repo, packaged with the jar-file

As mentioned in the video, you are shifting the security from the users knowledge to the users mailbox. Depending on the security of the mailbox, it might(!) be more secure, as a login link is (should be) only valid one time and a short period of time, so for every login you will have a new one-time-password. Additionally, also mentioned in the video, it depends if the link is only valid in the same browser where auth has started, or if it‘s valid independently. It‘s always a trade-off and depends on the circumstances.