netzbegruenung / keycloak-mfa-plugins

Keycloak plugins for MFA (enforce MFA, SMS authentication step, native app integration)
Apache License 2.0

enforce-mfa compatibility with RedHat SSO 7.6 (Keycloak 18.0.0) #92

Open nhatpv1307 opened 1 month ago

nhatpv1307 commented 1 month ago

I downloaded the plugin and modified some syntax to fit Java 1.8 and Keycloak 18.0.0 (Red Hat SSO 7.6). Everything works fine in the test environment, but after switching to the prod environment, where the number of users logging in via the Google IdP is large, some users encounter a loop with MFA enforce: each login requires a new 2FA setup. I tried to check the log and to emulate it but failed, because not all users are affected. Have you encountered the same situation, and do you have any code compatible with Java 1.8 / Red Hat SSO 7.6 GA (Keycloak 18.0.0)? Looking forward to your help.

svenseeberg commented 1 month ago

*edit: Sorry, the removed answer below was probably missing some crucial information: are you talking about the dedicated enforce MFA plugin and not the enforce 2FA option of the SMS plugin?

We currently only provide releases for current Keycloak versions and have not yet backported the plugin for older versions. Major KC releases usually require adjustments of the plugin code.

Having said that: it would be cool to support older KC versions. However, we're currently not in a position to provide this. If someone opens a pull request to provide compatibility with older releases, we can definitely merge it.

We do not really provide compatibility with older Keycloak versions. You can try to use version 1.0 from https://github.com/netzbegruenung/keycloak-mfa-plugins/tree/90e25ca560aaee6405f58a445a687894d7853e55 which worked for KC 19. It could probably also work for KC 18. We did not provide prebuilt jar files back then, so you need to follow the build instructions: https://github.com/netzbegruenung/keycloak-mfa-plugins/tree/90e25ca560aaee6405f58a445a687894d7853e55?tab=readme-ov-file#building

We added some functionality later, but the most relevant core mechanics already exist in 1.0.

nhatpv1307 commented 1 month ago

Thank you for your feedback. I have checked the logic again. The problem is on my side. In the Identity Provider settings there are 2 flows: 1 is First Login, 2 is Post Login. I set it up in Post Login. If in the client's flow I do not set up two alternatives, but only set up the required OTP Form, then the user logging in via the IdP will have 2 options in the Post Login flow IdP section. But after entering the OTP, the user will have their TOTP reset, because my client flow has the required OTP Form. I have now set the correct flow between the client and the Post Login IdP flow, and this works fine.

I also tried adding the following code to check whether the user has TOTP or not.

Keycloak 18:

```java
boolean hasOTP = session.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE);
```

Keycloak > 19:

```java
final boolean hasOTP = user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE);
```

Combine with your code. It worked great. Thank you very much.
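The two `isConfiguredFor` calls above are the core of an "enforce MFA" step: a user who already holds an OTP credential must not be sent through enrolment again, otherwise every login re-triggers TOTP setup, which is exactly the loop reported at the top of this thread. The following is an added example written for this page, not code from the keycloak-mfa-plugins project. It shows a minimal Keycloak `Authenticator` plus its `AuthenticatorFactory` that performs the check with the Keycloak 19+ API and only adds the `CONFIGURE_TOTP` required action when no OTP credential exists; the Keycloak 18 variant is shown in a comment. The package name, class names and provider id (`example-enforce-totp`) are hypothetical.

```java
package example.mfa; // hypothetical package, not part of the project

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Example factory; register it in
 * META-INF/services/org.keycloak.authentication.AuthenticatorFactory
 * as example.mfa.EnforceTotpAuthenticatorFactory (hypothetical id below).
 */
public class EnforceTotpAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "example-enforce-totp"; // hypothetical
    private static final EnforceTotpAuthenticator SINGLETON = new EnforceTotpAuthenticator();
    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Example: enforce TOTP enrolment"; }
    @Override public String getReferenceCategory() { return OTPCredentialModel.TYPE; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Adds the Configure OTP required action only if the user has no OTP credential yet.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    /**
     * The authenticator itself. It never renders a form: it only decides whether
     * enrolment is still needed and lets the flow continue (to an OTP Form step).
     */
    public static class EnforceTotpAuthenticator implements Authenticator {

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            UserModel user = context.getUser();
            if (user == null) {
                // Must run after a step that identified the user, e.g. in the
                // IdP post-login flow or after the username/password form.
                context.attempted();
                return;
            }

            // Keycloak 19+: credential lookup hangs off the user.
            // Keycloak 18 equivalent:
            //   context.getSession().userCredentialManager()
            //          .isConfiguredFor(context.getRealm(), user, OTPCredentialModel.TYPE)
            boolean hasOtp = user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE);

            if (!hasOtp) {
                // No OTP credential yet: force one-time enrolment via the
                // built-in "Configure OTP" required action. Users that already
                // have TOTP skip this, so they are not re-enrolled on every login.
                user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
            }

            // Verifying the OTP value is the job of the OTP Form execution that
            // follows this step in the same flow; this step only enforces presence.
            context.success();
        }

        @Override
        public void action(AuthenticationFlowContext context) {
            // No form is rendered by this step, so there is nothing to process.
            context.success();
        }

        @Override public boolean requiresUser() { return true; }
        @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
        @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
        @Override public void close() { }
    }
}
```

Build it against the Keycloak version you deploy to (the `user.credentialManager()` call does not compile on Keycloak 18; swap in the commented `session.userCredentialManager()` form there), and place the execution in the same flow that later runs the OTP Form. As the thread shows, the check only helps if the client flow and the IdP Post Login flow agree: an OTP Form marked REQUIRED in one flow while the other re-enrols the user still produces a setup prompt on every login.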