resource "keycloak_authentication_flow" "webauthn_browser" {
  realm_id = keycloak_realm.dev.id
  alias    = "webauthn_browser"
  description = "browser based authentication"
}

resource "keycloak_authentication_execution" "auth_cookie" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_flow.webauthn_browser.alias
  authenticator     = "auth-cookie"
  requirement       = "ALTERNATIVE"
}

resource "keycloak_authentication_subflow" "webauthn_flow" {
  realm_id          = keycloak_realm.dev.id
  alias             = "webauthn browser forms"
  description       = "Username, password, otp and other auth forms."
  parent_flow_alias = keycloak_authentication_flow.webauthn_browser.alias
  provider_id       = "basic-flow"
  requirement       = "ALTERNATIVE"
  depends_on = [ keycloak_authentication_execution.auth_cookie ]
}

resource "keycloak_authentication_execution" "user_pass" {
  realm_id = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.webauthn_flow.alias
  authenticator = "auth-username-password-form"
  requirement = "REQUIRED"
}

resource "keycloak_authentication_execution" "webauthn" {
  realm_id = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.webauthn_flow.alias
  authenticator = "webauthn-authenticator"
  requirement = "REQUIRED"
}