From c051d7c1f94ebf4bad2c59d5e91e15a41178eda5 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Thu, 13 Mar 2025 09:52:26 -0600
Subject: [PATCH 1/2] feat: new webauth and mfa flows

---
 src/keycloak/chart/templates/secret-kc-realm.yaml | 7 ++++++-
 src/keycloak/chart/values.yaml | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index a8e5a20b3c..4b27ab0091 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -25,4 +25,9 @@ data:
 DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
 RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
 REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
- OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
+ OTP_ENABLED: {{ .Values.realmAuthFlows.OTP_ENABLED | toString | b64enc }}
+ OTP_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.OTP_ENABLED) | b64enc}}
+ WEBAUTHN_ENABLED: {{ .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
+ WEBAUTHN_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
+ X509_MFA_ENABLED: {{ .Values.realmAuthFlows.X509_MFA_ENABLED | toString | b64enc }}
+ MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index ea4d6d057b..6e2b9f0a1a 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
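Review bot: `OTP_ENABLED` and the new `OTP_FLOW_ENABLED` in this hunk no longer depend on `USERNAME_PASSWORD_AUTH_ENABLED`, so a deployment that turns password login off but keeps the default `OTP_ENABLED: true` now renders `true`/`REQUIRED` where the old line rendered `false`. The realm import that consumes these keys is not visible here, so it should be confirmed that X509-only or social-only users are not sent into an OTP step they cannot complete. If the decoupling is deliberate, a template comment such as `{{- /* OTP is intentionally independent of USERNAME_PASSWORD_AUTH_ENABLED: <reason> */}}` above the line would stop someone from "fixing" it back. Minor style point: `b64enc}}` on the `OTP_FLOW_ENABLED` line is missing the space used on every other line.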
@@ -51,6 +51,8 @@ realmAuthFlows:
 X509_AUTH_ENABLED: true
 SOCIAL_AUTH_ENABLED: true
 OTP_ENABLED: true
+ WEBAUTHN_ENABLED: false
+ X509_MFA_ENABLED: false

 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login

From 19532bbade4896eb970ea3ed847559bb2b90697a Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Thu, 20 Mar 2025 07:48:13 -0600
Subject: [PATCH 2/2] fix: add x509 flow toggle

---
 src/keycloak/chart/templates/secret-kc-realm.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index 4b27ab0091..b52e6a018e 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -30,4 +30,5 @@ data:
 WEBAUTHN_ENABLED: {{ .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
 WEBAUTHN_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
 X509_MFA_ENABLED: {{ .Values.realmAuthFlows.X509_MFA_ENABLED | toString | b64enc }}
+ X509_MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.X509_MFA_ENABLED) | b64enc }}
 MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
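Review bot: The two new toggles under `realmAuthFlows` have no comment, although together with `OTP_ENABLED` they decide whether a second factor is enforced. Per the template in this patch, `MFA_FLOW_ENABLED` renders `DISABLED` once `OTP_ENABLED` and `WEBAUTHN_ENABLED` are both false. I would add above them `# Second factors: setting OTP_ENABLED and WEBAUTHN_ENABLED both to false disables the MFA flow entirely`. A second line should state what `X509_MFA_ENABLED` governs and whether it needs `X509_AUTH_ENABLED: true`, which cannot be determined from this diff. The `realmAuthFlows` mapping starts above the hunk, so any existing header comment there is not visible.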
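Review bot: `MFA_FLOW_ENABLED` on the last line of the second patch's hunk is still derived from `OTP_ENABLED` and `WEBAUTHN_ENABLED` only. With `X509_MFA_ENABLED: true` and the other two false, the Secret therefore carries `X509_MFA_FLOW_ENABLED` = `REQUIRED` next to `MFA_FLOW_ENABLED` = `DISABLED`. Whether that is valid depends on how the realm nests these flows, which is not shown; if the X509 MFA subflow sits under the flow gated by `MFA_FLOW_ENABLED`, the second factor would be skipped without any error. Either extend the expression to `(or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED .Values.realmAuthFlows.X509_MFA_ENABLED)` or add a comment that the two flows are independent. `X509_MFA_ENABLED` is also not tied to `X509_AUTH_ENABLED`, so a `fail` guard for the "MFA on, X509 login off" combination would make that misconfiguration fail at render time.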