
Setting Up Keycloak for Passwordless Authentication

Passwordless authentication is becoming a must-have for modern applications: no more forgotten passwords, just seamless access via magic links, biometrics, or security keys. Keycloak, the popular open-source identity and access management solution, makes implementing passwordless auth surprisingly straightforward.

In this guide, we’ll walk through configuring Keycloak to support email-based magic links (a common passwordless approach). Let’s dive in!

Prerequisites

  • A running Keycloak instance (v20+)
  • SMTP server access (for sending magic links)
  • Basic familiarity with Keycloak admin console

Step 1: Enable Email Verification

Since passwordless auth relies on email links, we first need to ensure Keycloak can send emails.

  1. Configure SMTP settings
    • Go to Realm Settings → Email
    • Fill in your SMTP server details (e.g., Gmail, SendGrid, Postmark):
      Host: smtp.example.com
      Port: 587
      From: no-reply@yourdomain.com
      Enable SSL/TLS: Yes
      Authentication: Enabled (provide credentials)
  2. Test email delivery
    • Click Test connection to verify everything works.

Step 2: Set Up Passwordless Authentication Flow

Keycloak uses authentication flows to define login steps. We’ll customize the default flow.

  1. Create a new authentication flow

    • Navigate to Authentication → Flows
    • Click New flow, name it (e.g., "Passwordless Email")
  2. Add required steps

    • Under your new flow, add these executions:
      • Username Form (for email input)
      • Send Email Verification Link (replaces password check)
      • Conditional User Role (optional, for additional security)
  3. Disable password requirement

    • Go to Realm Settings → Login
    • Disable "Password" as a required credential

Step 3: Customize the Magic Link Email

Keycloak sends a verification email; let’s make it user-friendly.

  1. Edit the email template
    • Go to Realm Settings → Email → Templates
    • Modify "Verify Email" to include a clear call-to-action:
      <p>Click below to log in:</p>
      <a href="${url}" style="background: #2563eb; color: white; padding: 10px 20px; text-decoration: none; border-radius: 5px;">Sign In Instantly</a>
  2. Set link expiration
    • Under Realm Settings → Tokens, adjust "Email Verification Link Lifespan" (e.g., 15 minutes).
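As an added example (not part of the original post), here is a small Python checker for the settings touched in Steps 1 and 3: it reads the realm JSON that the Keycloak admin console exports and flags configurations that weaken an email-link login. The sample export and the 15-minute threshold are constructed for this example; the field names are the ones Keycloak uses in its realm representation.

```python
"""Audit a Keycloak realm export for weak magic-link settings (added example)."""
import json

MAX_LINK_LIFESPAN = 15 * 60  # the 15-minute lifespan suggested in Step 3


def _truthy(value) -> bool:
    # Keycloak serialises smtpServer values as strings ("true"/"false"), but
    # hand-edited exports often use real booleans; accept both forms.
    return str(value).strip().lower() == "true"


def audit_realm(realm: dict) -> list[str]:
    """Return a list of findings; an empty list means no weak settings found."""
    findings = []
    smtp = realm.get("smtpServer", {})

    if not smtp.get("host"):
        findings.append("smtp: no host configured, magic-link mail cannot be sent")
    if not (_truthy(smtp.get("ssl")) or _truthy(smtp.get("starttls"))):
        findings.append("smtp: neither SSL nor STARTTLS enabled, mail leaves in clear")
    if not _truthy(smtp.get("auth")):
        findings.append("smtp: authentication disabled, relay may be abusable")
    elif not smtp.get("user"):
        findings.append("smtp: auth enabled but no username set")

    # actionTokenGeneratedByUserLifespan governs user-initiated action links
    # such as email verification; Keycloak's default is 300 seconds.
    lifespan = int(realm.get("actionTokenGeneratedByUserLifespan", 300))
    if lifespan > MAX_LINK_LIFESPAN:
        findings.append(f"tokens: link lifespan {lifespan}s exceeds {MAX_LINK_LIFESPAN}s")

    if realm.get("sslRequired", "external") == "none":
        findings.append("realm: sslRequired=none, login link can be delivered over HTTP")
    if not realm.get("verifyEmail", False):
        findings.append("realm: verifyEmail is off, unverified addresses could receive links")
    return findings


# Constructed sample export: TLS and auth are on, but the lifespan is 24h
# and sslRequired is "none".
SAMPLE_REALM = json.loads("""{
  "realm": "passwordless-demo", "sslRequired": "none", "verifyEmail": true,
  "actionTokenGeneratedByUserLifespan": 86400,
  "smtpServer": {"host": "smtp.example.com", "port": "587",
                 "from": "no-reply@yourdomain.com", "starttls": "true",
                 "ssl": "false", "auth": "true", "user": "mailer"}
}""")

if __name__ == "__main__":
    for finding in audit_realm(SAMPLE_REALM):
        print("WEAK:", finding)
```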

Step 4: Test the Flow

  1. Try logging in as a test user.
  2. Instead of a password field, you’ll see an email input.
  3. After submitting, check your inbox for the magic link.
  4. Clicking it should log you in directly!

Bonus: Adding WebAuthn (Biometric Auth)

For a more advanced passwordless experience, enable WebAuthn (for security keys/biometrics):

  1. Go to Authentication → Flows
  2. Add "WebAuthn Authenticator" as an alternative.

Final Thoughts

Keycloak makes passwordless auth surprisingly simple. With just a few tweaks, you can replace clunky passwords with secure, user-friendly magic links or biometric logins.

Need help? Check out the official Keycloak docs or drop a question below!
