v1.7.0

v1.7.0 - 2026-03-26

• Support for push_code_to_phone (privacyIDEA 3.13).
• Support for openid requests to use the username from the preferred_username attribute, including resolving the
  keycloak user via a deviating attribute that can be specified in the configuration.

v1.6.0

Includes the features for privacyIDEA 3.12

• Feature: Passkey only. It is now possible to limit login only to passkey tokens. Passkey login will be triggered automatically and processed without the need to provide the usernames or passwords (#222 ).
• Feature: Enrollment via multichallenge can be optional. It is now possible to cancel the enrollment via multichallenge and log in (#225).
• Feature: Smartphone container enrollment via multichallenge (#223).
• Bugfix: Fixed a bug that prevented the client IP couldn't being forwarded to the privacyIDEA server (#224).
• Bugfix: Enrollment via multichallenge wasn't working correctly in the usernameless scenario.

v1.5.1

• Added a setting to disable the "login with passkey" button.
• Fixed a bug that would cause the authentication to successfully end preemptively when using the triggerchallenge setting with some versions of the privacyIDEA server.
• Fixed a bug that would cause triggerchallenge to not work when disable password check was enabled.
• Fixed a bug that would cause the OTP button to be shown when an OTP input was already visible.
• Fixed a bug that would cause challenges to be lost after an OTP had been entered wrong.

v1.5.0

NOTE: USE v1.5.1

• Added support for passkey token, including enroll_via_multichallenge.
• Added the capability to request and check username and password, to be able to use passkey in the first step. This means
  it is no longer necessary to have username and or password requested before using this plugin in the authentication, but still possible.
• Password Check can also be disabled to allow for more flexibility when creating authentication flows.
• Removed poll interval setting.
• Removed default OTP text setting, texts can be edited in the theme-resources/messages directory.
• Added a configuration to allow setting custom headers.
• Added a configuration to set custom http timeouts.
• Removed the deprecated token enrollment function from this plugin in favor of enroll_via_multichallenge in the privacyIDEA server.

Tested to work with Keycloak 22 and higher.

v1.4.0

READ THE FILE NAMES CAREFULLY TO PICK THE RIGHT FILE FOR YOUR KEYCLOAK VERSION

• Send Static Password feature
• Auto Submit feature

KC22 version works for version 22 and higher, including 26

v1.3.0

READ THE FILE NAMES CAREFULLY TO PICK THE CORRECT JAR FOR YOUR KEYCLOAK VERSION

• Added poll in browser setting. This moves the polling for successful push authentication to the browser of the user so that the site does not have to reload. (#133)

• Default OTP text is now customizable. (#137)

• Added compatibility for keycloak 22

• Removed listing as theme from keycloak settings

v1.2.0

Works for Keycloak up until v20. For Keycloak v21, there is a separate jar in this release.

New Features:

• Token enrollment via challenge (#125 )

• Preferred client mode (#121 )

v1.1.0

Works for Keycloak v17 and higher.

• Included groups setting to specify groups of keycloak users for which 2FA should be activated (#54). Check the configuration documenation.

• It is now possible to configure the names of header that should be forwarded to privacyIDEA (#94)

• If a user has multiple WebAuthn token, all of them can be used to log in (#84)

• Fixed a bug where the provider would crash if privacyIDEA sent a response with missing fields (#105)

v1.0.1

Updated keycloak dependencies

• Updated keycloak-services dependency for CVE-2021-4133 from 13.0.1 to 15.1.1
• Updated other keycloak dependencies from 13.0.1 to 15.1.1 aswell

v1.0.0

• U2F
• Support for different configurations in different keycloak realms