Authenticator for Keycloak that uses Duo's Java Universal Prompt SDK to challenge the user for Duo MFA as part of a Keycloak login flow.
This has been tested against Keycloak 24.0.2 (Quarkus) and Java 18+. It may work against other versions of Keycloak and Java as well but is untested.
/opt/keycloak/providers. In the legacy Docker image using WildFly, the path is /opt/jboss/keycloak/standalone/deployments.
(Optional) If you want to use different Duo Applications for different Keycloak clients, you can specify them in the Client Overrides option.
For each different client, add a new config line next to Client Overrides in the format {Keycloak Client ID},{Duo Client ID},{Duo Client Secret},{Duo API Hostname}.
You can retrieve the Keycloak Client ID by looking at the end of the admin URL when editing a client. For example, http://localhost:8080/auth/admin/master/console/#/realms/master/clients/f181f907-ce3f-49fd-97c5-eb3eafe275a7 is client ID f181f907-ce3f-49fd-97c5-eb3eafe275a7.
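A malformed override line is easy to miss until a login fails, so the lines can be linted before they are pasted into the Client Overrides option. The following is an added example, not code from this project; the field lengths, the hostname pattern and the function names are assumptions stated in the comments.

```python
import re

# Assumptions (not from the project's code): Keycloak internal client IDs are
# UUIDs as in the admin URL, Duo Client IDs are 20 characters, Duo Client
# Secrets are 40 characters, and Duo API hosts look like api-XXXXXXXX.duosecurity.com.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DUO_HOST_RE = re.compile(r"^api-[0-9a-z]+\.duosecurity\.com$", re.I)

def check_override(line):
    """Return the problems found in one override line (empty list = OK).
    Messages name the field but never echo the secret value."""
    fields = line.split(",")
    if len(fields) != 4:
        return [f"expected 4 comma-separated fields, found {len(fields)}"]
    problems = []
    if any(f != f.strip() for f in fields):
        problems.append("whitespace around a field")
    kc_id, duo_id, duo_secret, duo_host = (f.strip() for f in fields)
    if not UUID_RE.match(kc_id):
        problems.append("Keycloak Client ID is not the UUID from the admin URL")
    if len(duo_id) != 20:
        problems.append("Duo Client ID is not 20 characters")
    if len(duo_secret) != 40:
        problems.append("Duo Client Secret is not 40 characters")
    if not DUO_HOST_RE.match(duo_host):
        problems.append("Duo API Hostname is not a bare api-*.duosecurity.com host")
    return problems

def check_overrides(lines):
    """Check every line and flag a Keycloak client that appears twice.
    Returns {line_number: [problems]} for lines that need attention."""
    report, first_seen = {}, {}
    for number, line in enumerate(lines, 1):
        problems = check_override(line)
        kc_id = line.split(",")[0].strip().lower()
        if kc_id in first_seen:
            problems.append(f"same Keycloak client as line {first_seen[kc_id]}")
        first_seen.setdefault(kc_id, number)
        if problems:
            report[number] = problems
    return report

# Constructed sample values, not real credentials.
SAMPLE = [
    "f181f907-ce3f-49fd-97c5-eb3eafe275a7,DI" + "X" * 18 + "," + "s" * 40 + ",api-12345678.duosecurity.com",
    "my-app,DI" + "X" * 18 + "," + "s" * 40 + ",https://api-12345678.duosecurity.com",
]

if __name__ == "__main__":
    for number, problems in check_overrides(SAMPLE).items():
        print(f"line {number}: " + "; ".join(problems))
```

The second sample line shows the two most likely mistakes: using the client's display name instead of the UUID from the admin URL, and pasting the Duo hostname with a URL scheme.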
You should be able to build and package this project using Maven. The maven package command will compile the source code and build the JAR files for you. You will need to use the output JAR that includes dependencies as otherwise Keycloak won't be able to find the embedded libraries.
mvn clean package
You should be able to build and package this project using Docker. The docker run command will compile the source code and build the JAR files for you. You will need to use the output JAR that includes dependencies as otherwise Keycloak won't be able to find the embedded libraries.
docker run --rm -it -v "$(pwd)":/project_src -w /project_src maven:3-eclipse-temurin-18 mvn clean package