1.0.10

What's Changed

Feature: Support for Keycloak 26 and Duo Universal Java SDK 1.2.0

• Update dependencies by @Ansa89 in #33
• The Authenticator now uses the 1.2.0 version of the Duo Universal Java SDK which has several improvements.
  https://github.com/duosecurity/duo_universal_java/releases/tag/1.2.0

Feature: Update Configuration Field Descriptions

The description of the authenticator fields now includes the new terminology used by Duo in the Admin Panel.

Full Changelog: 1.0.9...1.0.10

1.0.9

What's Changed

Feature: Support for Keycloak 24

• Update to Keycloak 24.0.1 and some refactor by @Ansa89 in #28

Full Changelog: 1.0.8...1.0.9

1.0.8

What's Changed

Feature: Support for Keycloak 23

• Update to keycloak 23.0.0 by @Ansa89 in #20

Security Fix: Changed HTTP redirect to Duo from HTTP 307 (Temporary Redirect) to HTTP 303 (See Other)

• Resolves an issue where user credentials were transmitted to Duo during the redirect due to the use of an incorrect redirect status code. Using HTTP 307 caused browsers to resend POST data (containing user credentials) to a Duo controlled endpoint outside of the Keycloak server, this was resolved by changing the redirect status code to HTTP 303 which causes browsers to change the request method to GET and not include the POST data when redirecting.
• This issue impacted all versions of the authenticator before 1.0.8 Final
• Security report credit to Benjamin Taylor of Cisco ASIG
• Fixes CVE-2023-49594 / Cisco TALOS-2023-1907

Bug Fix: Broken WebAuthn in Keycloak when using authenticator

• Fix #21 by @Ansa89 in #22

Full Changelog: 1.0.7...1.0.8

1.0.7

What's Changed

• Add configuration option (default off) to send impersonator username instead of user username to Duo when an impersonated session reaches the authenticator

Full Changelog: 1.0.6...1.0.7

1.0.6

What's Changed

• Updated dependencies and small refactor by @Ansa89 in #14
• Update Keycloak version to 22.0.0 by @Ansa89 in #15

Full Changelog: 1.0.5...1.0.6

1.0.5

What's Changed

• Simple fixes by @alfonsoalongi in #8
• Allow Duo to be only applied to specific groups by @treydock in #9
• Ensure groups logic works with Keycloak 20+ by @treydock in #11

Full Changelog: 1.0.4...1.0.5

1.0.4

• Updated reference build to build against Keycloak 18.0 Quarkus
• Better handling logic for invalid configuration and Duo unavailable situations
• Removed leftover development logging on callback generation

Full Changelog: 1.0.3...1.0.4

1.0.3

• Fix exception on Duo authentication related to getUriInfo method usage.

1.0.2-SNAPSHOT Prerelease

• Fixed flow restarts after Duo authentication when Duo is an alternative with other methods in the same flow block.

1.0.1-SNAPSHOT

Fix NullPointerException if no overrides are defined