What's Changed
Features
- Use realm email template for OTP HTML — custom email themes apply without local override (#120)
- Skip lib attempt counter when Keycloak brute force protection is active (#119)
- Auto-create credential if SKIP_SETUP is enabled (#118)
- Dynamic OTP code length in form template and localized messages (#116)
Security
- Store OTP as SHA-256 hash, encapsulate crypto in OtpHashUtils
- Replace String.equals() with constant-time comparison for OTP validation
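A sketch of the two Security changes above, added here as an example and not taken from the project's code. The names `hash()` and `digestBytes()` follow the release notes, but their signatures and bodies, the `OtpHashExample` class, and `generateOtp()`/`verify()` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

// Added illustration; not the project's OtpHashUtils implementation.
public class OtpHashExample {
    private static final SecureRandom RNG = new SecureRandom();

    // Numeric OTP of configurable length, drawn from a CSPRNG (hypothetical helper).
    static String generateOtp(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(RNG.nextInt(10));
        return sb.toString();
    }

    // Raw SHA-256 digest of the code; the single place where hashing happens.
    static byte[] digestBytes(String otp) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(otp.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available", e);
        }
    }

    // Hex form for storage; delegates to digestBytes() instead of duplicating it.
    static String hash(String otp) {
        return HexFormat.of().formatHex(digestBytes(otp));
    }

    // Hash the submitted code and compare digests with MessageDigest.isEqual,
    // whose running time does not depend on where the first mismatch occurs.
    static boolean verify(String submitted, String storedHex) {
        if (submitted == null || storedHex == null) return false;
        byte[] expected;
        try {
            expected = HexFormat.of().parseHex(storedHex);
        } catch (IllegalArgumentException e) {
            return false; // malformed stored value never validates
        }
        return MessageDigest.isEqual(digestBytes(submitted), expected);
    }

    public static void main(String[] args) {
        String otp = generateOtp(6);   // constructed sample code
        String stored = hash(otp);     // only this value would be persisted
        System.out.println("stored: " + stored);
        System.out.println("correct code: " + verify(otp, stored));
        System.out.println("wrong code:   " + verify("000000x", stored)); // 7 chars, cannot match
    }
}
```

A short numeric OTP has a small search space, so an unsalted SHA-256 of it can be enumerated quickly if the stored value leaks. Hashing keeps the plaintext code out of storage, while attempt limits and expiry remain the controls that bound guessing.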
Bug Fixes
- Check stored credential in isConfiguredFor instead of email presence
- Delegate hash() to digestBytes() to avoid duplication
CI / Infrastructure
- Publish releases to Maven Central automatically on each GitHub Release
- Bump Keycloak to 26.6.1, AWS SDK to 2.42.36
Installation
Download the JAR and place it in your Keycloak providers/ directory, or add it as a Maven dependency:
<dependency>
  <groupId>com.mesutpiskin.keycloak</groupId>
  <artifactId>keycloak-2fa-email-authenticator</artifactId>
  <version>26.3.0-KC26.x.x</version>
</dependency>
Compatibility
- Keycloak 26.x
- Java 21+