Passwordless Login with EUDI Wallets

Overview

By enabling the OpenID Connect extension in the iGrant.io Organisation Wallet and configuring Keycloak as a relying party (RP), organisations can allow users to log in without a password using their digital wallet credentials.

This guide consists of three parts:

1. Enable the OpenID Connect extension in your iGrant.io Organisation Wallet.
2. Configure Keycloak to use iGrant.io as an OpenID provider.
3. Implement a "Sign in with EUDI wallet" button in your application.

Pre-requisites

Before implementing the passwordless login flow with EUDI Wallets, ensure you have:

• An iGrant.io Organisation Wallet with administrator access
• EUDI Wallet available for testing the authentication flow
• A Presentation Definition ID (create one here)
• A running Keycloak instance (version 15.0 or higher recommended)

Configure OpenID Connect extension

Step 1: Get the API Key (Organisation Admin)

To obtain your API key, please contact support@igrant.io. Once you have received your API key, enter it in the field below and click the Set API Key button to save it for future use.

Step 2: Enable the OpenID Connect Extension

To enable the OpenID Connect extension, run the code block below using the Run button. This will enable the extension and provide you with the OpenID Connect metadata discovery URL (/.well-known/openid-configuration), copy it for Keycloak configuration (Step 4).

Request

Response

Alternatively you can do this step manually by copying the code block and using it in the body of the API request available here (select https://demo-api.igrant.io from the Base URL dropdown). Copy the OpenID Connect metadata discovery URL (/.well-known/openid-configuration) for Keycloak configuration (Step 4).

Step 3: Create an OpenID Client

You will need the Presentation Definition ID you created in the pre-requisites, as well as the following from your IAM:

• Redirect URI
• Allowed origin (based on the redirect URI's domain)

Run the code block below using the Run button to create an OpenID Connect client. This will provide you with the Client ID and Client Secret, copy them for Keycloak configuration (Step 4).

Note: If you don't already have the Redirect URI it can be updated later and left blank for now, see step 4 for instructions on where to find it in Keycloak.

Request

Response

Configure Keycloak to Use iGrant.io as an OpenID Provider

Step 4: Add an Identity Provider (IdP)

1. Log in to your Keycloak admin console.
2. Navigate to Identity providers > Add provider > OpenID Connect v1.0.

Figure 01: Add Identity Provider

3. Enter the following details:
   • Alias: e.g., igrant
   • Client ID: (from step 3)
   • Client Secret: (from step 3)
   • Discovery endpoint: Paste the metadata discovery URL from step 2
   • Client Authentication: Set to Client Secret sent as basic auth.

Figure 02: Add OpenID Connect Provider

If the discovery endpoint cannot be used directly, retrieve individual endpoints (authorisation, token, userinfo, and JWKS) from the metadata URL (Step 2) in the browser and configure them manually.

Note: You can find the Redirect URI in the settings, update the client here if not already done.

Step 5: Add Mappers

1. Navigate to the Mappers tab in the newly created Identity Provider.
2. Add a new mapper (or several).

Figure 03: Mappers tab

3. Select Attribute Import as the Mapper type.
4. Enter the following details according to your Presentation Definition (e.g. mapping the local username to an email claim):
   • Name: "Username" (or any name you prefer)
   • Sync mode override: Inherit
   • Claim: presentation.email (or any other verified claim defined in the Presentation Definition)
   • User Attribute Name: username (local attribute)

Figure 04: Add a mapper

Step 6: Create a Custom Authentication Flow in Keycloak

1. Go to Authentication > Flows.

Figure 05: Authentication

2. Create a new basic flow, e.g., "Login with EUDI Wallet".

Figure 06: Add Authentication Flow

3. Add execution steps required for OpenID Connect-based login.

Figure 07: Add Execution Steps

4. Mark each step as required to enforce proper validation.
5. Save the flow.

Alternatively, add these steps to your current login flow.

Explanation:

• Detect existing broker user: On login from an external IdP, the authenticator checks for a local Keycloak account that matches the external identity (in our case we matched the local username and the email claim). Only users who already exist can continue.
• Automatically set existing user: If a matching local user is found, the authenticator “injects” the user into the authentication context and completes the login (no further confirmation, e.g. password re-entry or email-link is requested).

Step 7: Update the Authentication Flow and Sync Mode in Keycloak

1. Navigate to your Identity Provider settings in Keycloak.
2. Set the newly created (or updated) authentication flow for the identity provider (e.g. "Login with EUDI Wallet").
3. Configure the sync mode ("force" is recommended as it will re-apply the mappers on every login).

Figure 08: Update the Authentication Flow and Sync Mode in Keycloak

Sample Implementation with React

A GitHub repository is available that demonstrates how to implement a custom "Sign in with EUDI Wallet" button in a React application integrated with Keycloak IAM (skipping this step results in a button on the default login page):

• Repository: https://github.com/L3-iGrant/passwordless-login-playground
• Features:
  • Complete React frontend with EUDI Wallet login button
  • Integration with Keycloak as the identity provider
  • Step-by-step setup instructions

This repository serves as a practical reference implementation that can be used as a starting point for your own applications.

Try It Yourself

A demonstration video will be available soon showing the complete passwordless login flow with EUDI Wallets.