services/src/main/resources/WebAuthnMetadataReadme.md
The file keycloak-webauthn-metadata.json maps passkey authenticator AAGUIDs to
display names and icon filenames. It is generated from the community-maintained
passkey-authenticator-aaguids registry.
Download the latest source data:
curl -LO https://raw.githubusercontent.com/passkeydeveloper/passkey-authenticator-aaguids/refs/heads/main/combined_aaguid.json
Run the parser script, passing the downloaded file as an argument:
python .github/scripts/parse-webauthn-metadata.py combined_aaguid.json
The script produces:
services/src/main/resources/keycloak-webauthn-metadata.json (overwritten in place)js/apps/account-ui/public/passkeys/ (account console)themes/src/main/resources/theme/base/login/resources/img/passkeys/ (login theme)Review the changes before committing. In particular, inspect SVG icon files
for malicious content (e.g. <script> tags, event handler attributes) since
they are served by Keycloak and rendered in the browser.