feat(journey-client): conditional mediation autofill passkey support for webauthn

Author: vatsalparikh

.changeset/ready-snakes-sell.md

@@ -0,0 +1,10 @@
+---
+'@forgerock/journey-client': minor
+---
+
+Add WebAuthn conditional mediation (passkey autofill) support.
+
+- `WebAuthn.authenticate(step, mediation?, signal?)` forwards `mediation` and `signal` to `navigator.credentials.get`.
+- When `mediation` is `'conditional'`, an `AbortSignal` is required.
+- If conditional mediation is requested but not supported, `authenticate()` throws `NotSupportedError` (and the existing error handling sets the hidden outcome to `unsupported`).
+- Adds `WebAuthn.isConditionalMediationSupported()` helper, docs, and unit tests.

e2e/journey-app/components/text-input.ts

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ * Copyright (c) 2025-2026 Ping Identity Corporation. All rights reserved.
  *
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
@@ -21,6 +21,10 @@ export default function textComponent(
   input.id = collectorKey;
   input.name = collectorKey;
 
+  if (callback.getType() === 'NameCallback') {
+    input.setAttribute('autocomplete', 'webauthn');
+  }
+
   journeyEl?.appendChild(label);
   journeyEl?.appendChild(input);
 

e2e/journey-app/components/validated-username.ts

@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ * Copyright (c) 2025-2026 Ping Identity Corporation. All rights reserved.
  *
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
@@ -20,6 +20,7 @@ export default function validatedUsernameComponent(
   input.type = 'text';
   input.id = collectorKey;
   input.name = collectorKey;
+  input.setAttribute('autocomplete', 'webauthn');
 
   journeyEl?.appendChild(label);
   journeyEl?.appendChild(input);

e2e/journey-app/components/webauthn-step.ts

@@ -5,9 +5,16 @@
  * of the MIT license. See the LICENSE file for details.
  */
 
-import { JourneyStep } from '@forgerock/journey-client/types';
+import type { BaseCallback, JourneyStep } from '@forgerock/journey-client/types';
 import { WebAuthn, WebAuthnStepType } from '@forgerock/journey-client/webauthn';
 
+import { renderCallbacks } from '../callback-map.js';
+
+type WebAuthnStepHandlerResult = {
+  callbacksRendered: boolean;
+  didSubmit: boolean;
+};
+
 export function webauthnComponent(journeyEl: HTMLDivElement, step: JourneyStep, idx: number) {
   const container = document.createElement('div');
   container.id = `webauthn-container-${idx}`;
@@ -39,3 +46,59 @@ export function webauthnComponent(journeyEl: HTMLDivElement, step: JourneyStep,
 
   return handleWebAuthn();
 }
+
+export async function handleWebAuthnStep(
+  journeyEl: HTMLDivElement,
+  step: JourneyStep,
+  callbacks: BaseCallback[],
+  submitForm: () => void,
+  setError: (message: string) => void,
+): Promise<WebAuthnStepHandlerResult> {
+  const webAuthnStep = WebAuthn.getWebAuthnStepType(step);
+
+  if (webAuthnStep === WebAuthnStepType.Authentication) {
+    // For conditional mediation, we need an input with `autocomplete="webauthn"` to exist.
+    renderCallbacks(journeyEl, callbacks, submitForm);
+
+    const conditionalInput = journeyEl.querySelector(
+      'input[autocomplete="webauthn"]',
+    ) as HTMLInputElement | null;
+    conditionalInput?.focus();
+
+    const isConditionalSupported = await WebAuthn.isConditionalMediationSupported();
+    if (isConditionalSupported && conditionalInput) {
+      const controller = new AbortController();
+      void WebAuthn.authenticate(step, 'conditional', controller.signal)
+        .then(() => submitForm())
+        .catch(() => {
+          setError('WebAuthn failed or was cancelled. Please try again or use a different method.');
+        });
+
+      return { callbacksRendered: true, didSubmit: false };
+    }
+
+    // Fallback to the traditional (prompted) WebAuthn flow.
+    const webAuthnSuccess = await webauthnComponent(journeyEl, step, 0);
+    if (webAuthnSuccess) {
+      submitForm();
+      return { callbacksRendered: true, didSubmit: true };
+    }
+
+    setError('WebAuthn failed or was cancelled. Please try again or use a different method.');
+    return { callbacksRendered: true, didSubmit: false };
+  }
+
+  if (webAuthnStep === WebAuthnStepType.Registration) {
+    // For registration, we keep the traditional (prompted) WebAuthn flow.
+    const webAuthnSuccess = await webauthnComponent(journeyEl, step, 0);
+    if (webAuthnSuccess) {
+      submitForm();
+      return { callbacksRendered: false, didSubmit: true };
+    }
+
+    setError('WebAuthn failed or was cancelled. Please try again or use a different method.');
+    return { callbacksRendered: false, didSubmit: false };
+  }
+
+  return { callbacksRendered: false, didSubmit: false };
+}

e2e/journey-app/main.ts

@@ -7,7 +7,6 @@
 import './style.css';
 
 import { journey } from '@forgerock/journey-client';
-import { WebAuthn, WebAuthnStepType } from '@forgerock/journey-client/webauthn';
 
 import type { JourneyClient, RequestMiddleware } from '@forgerock/journey-client/types';
 
@@ -16,7 +15,7 @@ import { renderDeleteDevicesSection } from './components/delete-device.js';
 import { renderQRCodeStep } from './components/qr-code.js';
 import { renderRecoveryCodesStep } from './components/recovery-codes.js';
 import { deleteWebAuthnDevice } from './services/delete-webauthn-device.js';
-import { webauthnComponent } from './components/webauthn-step.js';
+import { handleWebAuthnStep } from './components/webauthn-step.js';
 import { serverConfigs } from './server-configs.js';
 
 const qs = window.location.search;
@@ -107,27 +106,24 @@ if (searchParams.get('middleware') === 'true') {
 
     const submitForm = () => formEl.requestSubmit();
 
-    // Handle WebAuthn steps first so we can hide the Submit button while processing,
-    // auto-submit on success, and show an error on failure.
-    const webAuthnStep = WebAuthn.getWebAuthnStepType(step);
-    if (
-      webAuthnStep === WebAuthnStepType.Authentication ||
-      webAuthnStep === WebAuthnStepType.Registration
-    ) {
-      const webAuthnSuccess = await webauthnComponent(journeyEl, step, 0);
-      if (webAuthnSuccess) {
-        submitForm();
-        return;
-      } else {
-        errorEl.textContent =
-          'WebAuthn failed or was cancelled. Please try again or use a different method.';
-      }
+    const { callbacksRendered, didSubmit } = await handleWebAuthnStep(
+      journeyEl,
+      step,
+      step.callbacks,
+      submitForm,
+      (message) => {
+        errorEl.textContent = message;
+      },
+    );
+
+    if (didSubmit) {
+      return;
     }
 
     const stepRendered =
       renderQRCodeStep(journeyEl, step) || renderRecoveryCodesStep(journeyEl, step);
 
-    if (!stepRendered) {
+    if (!stepRendered && !callbacksRendered) {
       const callbacks = step.callbacks;
       renderCallbacks(journeyEl, callbacks, submitForm);
     }

packages/journey-client/api-report/journey-client.webauthn.api.md

@@ -92,10 +92,10 @@ export enum UserVerificationType {
 
 // @public
 export abstract class WebAuthn {
-    static authenticate(step: JourneyStep): Promise<JourneyStep>;
+    static authenticate(step: JourneyStep, mediation?: CredentialMediationRequirement, signal?: AbortSignal): Promise<JourneyStep>;
     static createAuthenticationPublicKey(metadata: WebAuthnAuthenticationMetadata): PublicKeyCredentialRequestOptions;
     static createRegistrationPublicKey(metadata: WebAuthnRegistrationMetadata): PublicKeyCredentialCreationOptions;
-    static getAuthenticationCredential(options: PublicKeyCredentialRequestOptions): Promise<PublicKeyCredential | null>;
+    static getAuthenticationCredential(options: PublicKeyCredentialRequestOptions, mediation?: CredentialMediationRequirement, signal?: AbortSignal): Promise<PublicKeyCredential | null>;
     static getAuthenticationOutcome(credential: PublicKeyCredential | null): OutcomeWithName<string, AttestationType, PublicKeyCredential> | OutcomeWithName<string, AttestationType, PublicKeyCredential, string>;
     static getCallbacks(step: JourneyStep): WebAuthnCallbacks;
     static getMetadataCallback(step: JourneyStep): MetadataCallback | undefined;
@@ -104,6 +104,7 @@ export abstract class WebAuthn {
     static getRegistrationOutcome(credential: PublicKeyCredential | null): OutcomeWithName<string, AttestationType, PublicKeyCredential>;
     static getTextOutputCallback(step: JourneyStep): TextOutputCallback | undefined;
     static getWebAuthnStepType(step: JourneyStep): WebAuthnStepType;
+    static isConditionalMediationSupported(): Promise<boolean>;
     static register<T extends string = ''>(step: JourneyStep, deviceName?: T): Promise<JourneyStep>;
 }
 

packages/journey-client/src/lib/webauthn/webauthn.test.ts

@@ -3,7 +3,7 @@
  *
  * fr-webauthn.test.ts
  *
- * Copyright (c) 2020 - 2025 Ping Identity Corporation. All rights reserved.
+ * Copyright (c) 2020 - 2026 Ping Identity Corporation. All rights reserved.
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
  */
@@ -23,6 +23,7 @@ import {
   webAuthnAuthMetaCallback70StoredUsername,
 } from './webauthn.mock.data.js';
 import { createJourneyStep } from '../step.utils.js';
+import { vi, afterEach, beforeEach, expect } from 'vitest';
 
 describe('Test FRWebAuthn class with 6.5.3 "Passwordless"', () => {
   it('should return Registration type with register text-output callbacks', () => {
@@ -98,3 +99,104 @@ describe('Test FRWebAuthn class with 7.0 "Usernameless"', () => {
     expect(stepType).toBe(WebAuthnStepType.Authentication);
   });
 });
+
+describe('WebAuthn conditional mediation', () => {
+  const originalNavigatorCredentials = navigator.credentials;
+  const originalPublicKeyCredential = globalThis.PublicKeyCredential;
+
+  beforeEach(() => {
+    Object.defineProperty(globalThis, 'PublicKeyCredential', {
+      configurable: true,
+      writable: true,
+      value: class PublicKeyCredential {
+        static async isConditionalMediationAvailable(): Promise<boolean> {
+          return true;
+        }
+      },
+    });
+
+    Object.defineProperty(navigator, 'credentials', {
+      configurable: true,
+      value: {
+        get: vi.fn(),
+      },
+    });
+  });
+
+  afterEach(() => {
+    Object.defineProperty(navigator, 'credentials', {
+      configurable: true,
+      value: originalNavigatorCredentials,
+    });
+
+    Object.defineProperty(globalThis, 'PublicKeyCredential', {
+      configurable: true,
+      writable: true,
+      value: originalPublicKeyCredential,
+    });
+
+    vi.restoreAllMocks();
+  });
+
+  it('requires an AbortSignal when mediation is conditional', async () => {
+    // eslint-disable-next-line
+    const step = createJourneyStep(webAuthnAuthMetaCallback70 as any);
+    const hiddenCallback = WebAuthn.getOutcomeCallback(step);
+    if (!hiddenCallback) throw new Error('Missing hidden callback for test');
+
+    await expect(WebAuthn.authenticate(step, 'conditional')).rejects.toThrow(
+      'AbortSignal is required for conditional mediation WebAuthn requests',
+    );
+
+    expect(hiddenCallback.getInputValue()).toContain(
+      'AbortSignal is required for conditional mediation WebAuthn requests',
+    );
+  });
+
+  it('throws NotSupportedError when conditional mediation is not supported by the browser', async () => {
+    // eslint-disable-next-line
+    const step = createJourneyStep(webAuthnAuthMetaCallback70 as any);
+    const hiddenCallback = WebAuthn.getOutcomeCallback(step);
+    if (!hiddenCallback) throw new Error('Missing hidden callback for test');
+
+    const conditionalSupportSpy = vi
+      .spyOn(WebAuthn, 'isConditionalMediationSupported')
+      .mockResolvedValue(false);
+
+    await expect(
+      WebAuthn.authenticate(step, 'conditional', new AbortController().signal),
+    ).rejects.toMatchObject({ name: 'NotSupportedError' });
+
+    expect(conditionalSupportSpy).toHaveBeenCalledTimes(1);
+    expect(hiddenCallback.getInputValue()).toBe('unsupported');
+    expect(navigator.credentials.get as unknown as ReturnType<typeof vi.fn>).not.toHaveBeenCalled();
+  });
+
+  it('passes mediation + signal through to navigator.credentials.get when supported', async () => {
+    // eslint-disable-next-line
+    const step = createJourneyStep(webAuthnAuthMetaCallback70 as any);
+    const hiddenCallback = WebAuthn.getOutcomeCallback(step);
+    if (!hiddenCallback) throw new Error('Missing hidden callback for test');
+
+    const abortController = new AbortController();
+    const credentialsGet = vi
+      .spyOn(navigator.credentials, 'get')
+      .mockResolvedValue({} as unknown as Credential);
+
+    const outcomeSpy = vi
+      .spyOn(WebAuthn, 'getAuthenticationOutcome')
+      .mockReturnValue('ok' as unknown as ReturnType<typeof WebAuthn.getAuthenticationOutcome>);
+
+    await WebAuthn.authenticate(step, 'conditional', abortController.signal);
+
+    expect(outcomeSpy).toHaveBeenCalledTimes(1);
+    expect(credentialsGet).toHaveBeenCalledWith(
+      expect.objectContaining({
+        mediation: 'conditional',
+        signal: abortController.signal,
+        publicKey: expect.any(Object),
+      }),
+    );
+    expect(hiddenCallback.getInputValue()).toBe('ok');
+  });
+});