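# Custom browser login flow "passkey" for the dev realm.
#
# Resulting execution tree (requirement in brackets):
#
#   passkey
#   |- auth-cookie                                  [ALTERNATIVE]
#   `- passkey browser forms                        [ALTERNATIVE]
#      |- auth-username-form                        [REQUIRED]
#      `- passkey passkey or 2fa                    [REQUIRED]
#         |- webauthn-authenticator-passwordless    [ALTERNATIVE]
#         `- passkey password and 2fa               [ALTERNATIVE]
#            |- auth-password-form                  [REQUIRED]
#            `- passkey second factor               [CONDITIONAL]
#               |- conditional-user-configured      [REQUIRED]
#               |- webauthn-authenticator           [ALTERNATIVE]
#               `- auth-otp-form                    [ALTERNATIVE]
#
# Ordering: the Keycloak provider documents that executions appear in a flow in
# the order they are created, and that `depends_on` is the way to pin that
# order. Every sibling below is therefore chained to the one before it, so the
# evaluation order does not depend on Terraform's parallel scheduling.
# NOTE(review): `depends_on` only affects creation order. Flows that already
# exist in state are not reordered by this change; verify their order in the
# admin console or recreate them.
#
# NOTE(review): declaring the flow does not activate it. No binding (for
# example `keycloak_authentication_bindings` or a client-level flow override)
# is visible in this file; confirm where the flow is bound.
resource "keycloak_authentication_flow" "passkey" {
  realm_id    = keycloak_realm.dev.id
  alias       = "passkey"
  description = "browser based authentication"
}

# Step 1 of the top-level flow: accept an existing SSO session cookie.
resource "keycloak_authentication_execution" "passkey_auth_cookie" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_flow.passkey.alias
  authenticator     = "auth-cookie"
  requirement       = "ALTERNATIVE"
}

# Step 2 of the top-level flow: interactive login forms, tried only when the
# cookie check does not succeed.
resource "keycloak_authentication_subflow" "passkey_forms" {
  realm_id          = keycloak_realm.dev.id
  alias             = "passkey browser forms"
  parent_flow_alias = keycloak_authentication_flow.passkey.alias
  provider_id       = "basic-flow"
  requirement       = "ALTERNATIVE"

  # The original referenced `keycloak_authentication_execution.auth_cookie`,
  # which is not declared in this file (presumably copied from another flow).
  # The cookie execution of THIS flow must be created first, otherwise the
  # forms subflow may be ordered ahead of the cookie check.
  depends_on = [
    keycloak_authentication_execution.passkey_auth_cookie
  ]
}

# Forms step 1: ask for the username only, so the following steps can offer
# the credentials that user has registered.
resource "keycloak_authentication_execution" "passkey_username" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_forms.alias
  authenticator     = "auth-username-form"
  requirement       = "REQUIRED"
}

# Forms step 2: either a passwordless WebAuthn credential, or password plus a
# second factor.
resource "keycloak_authentication_subflow" "passkey_passwordless_or_2fa" {
  realm_id          = keycloak_realm.dev.id
  alias             = "passkey passkey or 2fa"
  parent_flow_alias = keycloak_authentication_subflow.passkey_forms.alias
  provider_id       = "basic-flow"
  requirement       = "REQUIRED"

  depends_on = [
    keycloak_authentication_execution.passkey_username
  ]
}

# Alternative A: passwordless WebAuthn (passkey).
resource "keycloak_authentication_execution" "passkey_webauthn_passwordless" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_passwordless_or_2fa.alias
  authenticator     = "webauthn-authenticator-passwordless"
  requirement       = "ALTERNATIVE"

  depends_on = [
    keycloak_authentication_execution.passkey_username
  ]
}

# Alternative B: password followed by a second factor.
resource "keycloak_authentication_subflow" "passkey_password_and_second_factor" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_passwordless_or_2fa.alias
  alias             = "passkey password and 2fa"
  provider_id       = "basic-flow"
  requirement       = "ALTERNATIVE"

  # Keep the passkey option ahead of the password path.
  depends_on = [
    keycloak_authentication_execution.passkey_webauthn_passwordless
  ]
}

# Alternative B, step 1: password.
resource "keycloak_authentication_execution" "passkey_password" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_password_and_second_factor.alias
  authenticator     = "auth-password-form"
  requirement       = "REQUIRED"
}

# Alternative B, step 2: second factor, gated by `conditional-user-configured`.
#
# NOTE(review): because this subflow is CONDITIONAL on the user having a
# second factor configured, an account with neither a WebAuthn nor an OTP
# credential is expected to complete login with username + password alone.
# If MFA is meant to be mandatory, enrolment has to be enforced elsewhere
# (e.g. a required action); nothing in this file does that.
resource "keycloak_authentication_subflow" "passkey_second_factor" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_password_and_second_factor.alias
  alias             = "passkey second factor"
  provider_id       = "basic-flow"
  requirement       = "CONDITIONAL"

  # The password prompt must precede the second-factor prompt.
  depends_on = [
    keycloak_authentication_execution.passkey_password
  ]
}

# Condition for the second-factor subflow; it has to be the first execution
# in the subflow so it is evaluated before any authenticator.
resource "keycloak_authentication_execution" "passkey_user_configured_condition" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_second_factor.alias
  authenticator     = "conditional-user-configured"
  requirement       = "REQUIRED"
}

# Second factor option 1: WebAuthn security key.
resource "keycloak_authentication_execution" "passkey_webauthn" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_second_factor.alias
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"

  depends_on = [
    keycloak_authentication_execution.passkey_user_configured_condition
  ]
}

# Second factor option 2: OTP.
resource "keycloak_authentication_execution" "passkey_otp" {
  realm_id          = keycloak_realm.dev.id
  parent_flow_alias = keycloak_authentication_subflow.passkey_second_factor.alias
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"

  depends_on = [
    keycloak_authentication_execution.passkey_webauthn
  ]
}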