Releases: instipod/DuoUniversalKeycloakAuthenticator
Releases · instipod/DuoUniversalKeycloakAuthenticator
1.0.9
1.0.8
What's Changed
Feature: Support for Keycloak 23
Security Fix: Changed HTTP redirect to Duo from HTTP 307 (Temporary Redirect) to HTTP 303 (See Other)
- Resolves an issue where user credentials were transmitted to Duo during the redirect due to the use of an incorrect redirect status code. Using HTTP 307 caused browsers to resend POST data (containing user credentials) to a Duo controlled endpoint outside of the Keycloak server, this was resolved by changing the redirect status code to HTTP 303 which causes browsers to change the request method to GET and not include the POST data when redirecting.
- This issue impacted all versions of the authenticator before 1.0.8 Final
- Security report credit to Benjamin Taylor of Cisco ASIG
- Fixes CVE-2023-49594 / Cisco TALOS-2023-1907
Bug Fix: Broken WebAuthn in Keycloak when using authenticator
Full Changelog: 1.0.7...1.0.8
Contributors
Ansa89
Assets 3
1.0.7
What's Changed
- Add configuration option (default off) to send impersonator username instead of user username to Duo when an impersonated session reaches the authenticator
Full Changelog: 1.0.6...1.0.7
1.0.6
1.0.5
What's Changed
- Simple fixes by @alfonsoalongi in #8
- Allow Duo to be only applied to specific groups by @treydock in #9
- Ensure groups logic works with Keycloak 20+ by @treydock in #11
Full Changelog: 1.0.4...1.0.5
Contributors
treydock and alfonsoalongi
Assets 3
1.0.4
- Updated reference build to build against Keycloak 18.0 Quarkus
- Better handling logic for invalid configuration and Duo unavailable situations
- Removed leftover development logging on callback generation
Full Changelog: 1.0.3...1.0.4
1.0.3
1.0.2-SNAPSHOT Prerelease
- Fixed flow restarts after Duo authentication when Duo is an alternative with other methods in the same flow block.
1.0.1-SNAPSHOT
Fix NullPointerException if no overrides are defined