diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml
index ae9b8d1..cb05a6d 100644
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-realm-settings-10
+ name: keycloak-realm-settings-11
 namespace: sso
 spec:
 backoffLimit: 0
@@ -137,6 +137,33 @@ spec:
 if status not in (200, 204):
 raise SystemExit(f"Unexpected realm update response: {status}")
+ # Ensure MFA is on by default for newly-created users.
+ status, required_actions = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/authentication/required-actions",
+ access_token,
+ )
+ if status == 200 and isinstance(required_actions, list):
+ for action in required_actions:
+ if not isinstance(action, dict):
+ continue
+ if action.get("alias") != "CONFIGURE_TOTP":
+ continue
+ if action.get("enabled") is True and action.get("defaultAction") is True:
+ break
+ action["enabled"] = True
+ action["defaultAction"] = True
+ status, _ = http_json(
+ "PUT",
+ f"{base_url}/admin/realms/{realm}/authentication/required-actions/CONFIGURE_TOTP",
+ access_token,
+ action,
+ )
+ if status not in (200, 204):
+ raise SystemExit(
+ f"Unexpected required-action update response for CONFIGURE_TOTP: {status}"
+ )
+
 # Disable Identity Provider Redirector in the browser flow for this realm.
 status, executions = http_json(
 "GET",
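Review bot: The new required-actions block fails open: if the GET returns anything other than 200 with a list body, or if no entry with alias `CONFIGURE_TOTP` is present, the `if status == 200 and isinstance(...)` guard and the loop simply do nothing and the job keeps going, so a run can finish "successfully" without TOTP enrolment ever being enforced, whereas the surrounding code raises `SystemExit` on every other unexpected status. I would make both conditions fatal and look the action up explicitly rather than silently scanning, as sketched below. Separately, `defaultAction` only adds the setup prompt for accounts created after this job runs (as the comment says) and does not by itself make an OTP step required in the browser flow, so whether enrolled users are actually challenged depends on that flow's OTP execution, which is outside this hunk and worth confirming. The enclosing script starts and ends outside the hunk.
```python
status, required_actions = http_json(
    "GET",
    f"{base_url}/admin/realms/{realm}/authentication/required-actions",
    access_token,
)
# Fail closed: a bad response must not let the job finish without MFA enforced.
if status != 200 or not isinstance(required_actions, list):
    raise SystemExit(f"Unexpected required-actions response: {status}")
totp = next(
    (a for a in required_actions
     if isinstance(a, dict) and a.get("alias") == "CONFIGURE_TOTP"),
    None,
)
if totp is None:
    raise SystemExit("CONFIGURE_TOTP required action not found in realm")
if not (totp.get("enabled") is True and totp.get("defaultAction") is True):
    totp["enabled"] = True
    totp["defaultAction"] = True
    # … unchanged: PUT to .../required-actions/CONFIGURE_TOTP and its status check …
```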