
lmr/duo\_auth
=============

Duo Security Universal Prompt two-factor authentication for Roundcube. Supports multiple authentication methods including push notifications, SMS, phone calls, and hardware tokens.


Roundcube lmr/duo\_auth
=======================


This is a Roundcube webmail plugin that enables [Duo Security](https://duo.com) Two Factor Authentication using the modern Universal Prompt.

[![image](https://camo.githubusercontent.com/3baaace5c8c6d0ef0b58effe090e2e84dbb68214e17a2276a6b8b2147dfdbe4b/68747470733a2f2f64756f2e636f6d2f6173736574732f696d672f646f63756d656e746174696f6e2f64756f7765622f77656273646b5f6e6574776f726b5f6469616772616d2e706e67)](https://camo.githubusercontent.com/3baaace5c8c6d0ef0b58effe090e2e84dbb68214e17a2276a6b8b2147dfdbe4b/68747470733a2f2f64756f2e636f6d2f6173736574732f696d672f646f63756d656e746174696f6e2f64756f7765622f77656273646b5f6e6574776f726b5f6469616772616d2e706e67)

After a successful username/password login, the plugin redirects the user to Duo's hosted authentication page, where a second factor via Duo Security (push, SMS, phone call, or hardware token code) is required.

🚀 What's New in v2.0.5
----------------------


- **Duo Universal Prompt** - Modern, accessible authentication experience
- **Enhanced Security** - OIDC/OAuth 2.0 based authentication flow
- **Flexible Bypass System** - Three-tier bypass logic (global user, global IP, conditional)
- **IPv4/IPv6 Support** - Full CIDR notation support for IP whitelisting
- **Proxy Detection** - Configurable proxy header trust
- **Failmode Options** - Choose between secure (block) or open (allow) on Duo service failure
- **Comprehensive Logging** - Configurable log levels for debugging
- **PHP 8.2 Ready** - Full compatibility with modern PHP versions
- **Security Fix: Back-Button Bypass** - Fixes a critical authentication bypass that allowed users to skip Duo two-factor authentication by pressing the browser back button after being redirected to Duo.

INSTALLATION
------------


### Prerequisites


- PHP 7.4 or higher (PHP 8.x supported)
- Roundcube 1.4.0 or higher
- Composer
- Duo Security account with Admin API access

### Install via Composer


From the root directory of your Roundcube installation:

```
# Update installed dependencies
composer update

# 1. Allow the plugin installer
composer config allow-plugins.roundcube/plugin-installer true

# 2. Install the plugin
composer require "lmr/duo_auth:^2.0"

# Or for manual installation
cd plugins/
git clone https://github.com/leonardomarino/duo_auth.git
cd duo_auth
composer install
```

CONFIGURATION
-------------


### 1. Configure Duo Settings


Copy and edit the configuration file:

```
cp config.inc.php.dist config.inc.php
nano config.inc.php
```

Update with your Duo credentials from the [Duo Admin Panel](https://admin.duosecurity.com):

```
// Required settings
$config['duo_client_id'] = 'YOUR_CLIENT_ID';
$config['duo_client_secret'] = 'YOUR_CLIENT_SECRET';
$config['duo_api_hostname'] = 'api-xxxxxxxx.duosecurity.com';
$config['duo_redirect_uri'] = 'https://your-domain.com/roundcube/?_task=login&_action=plugin.duo_callback';

// Optional: Bypass settings
$config['duo_bypass_users'] = ['service_account'];  // Users who always skip Duo
$config['duo_bypass_ips'] = ['192.168.1.0/24'];    // IPs where everyone skips Duo
$config['duo_bypass_rules'] = [                     // Conditional bypasses
    'admin' => ['127.0.0.1', '::1'],
];
```

### 2. Configure PHP Session


Ensure your `php.ini` has:

```
session.save_handler = files
session.save_path = "/var/lib/php/sessions"
```

MIGRATION FROM v1.x
-------------------


If upgrading from the legacy iframe-based version:

1. **Update Duo Application** in Duo Admin Panel for Universal Prompt
2. **Update Configuration Format**:
    - Old: `duo_auth.conf` → New: `config.inc.php`
    - `ikey` → `duo_client_id`
    - `skey` → `duo_client_secret`
    - `host` → `duo_api_hostname`
3. **Test with** `duo_failmode = 'open'` first
4. **Switch to** `duo_failmode = 'secure'` after verification

FEATURES
--------


### Three-Tier Bypass System


1. **Global User Bypass** - Specific users skip Duo from any location
2. **Global IP Bypass** - All users skip Duo from trusted networks
3. **Conditional Bypass** - Specific users from specific IPs only
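
The tier order above can be expressed as follows. This is an added example, not the plugin's own code: `ip_in_cidr()` and `duo_bypass_tier()` are hypothetical helper names, the evaluation order is assumed to follow the list, and only the three `duo_bypass_*` config keys come from this README.

```php
<?php
// Added example, not the plugin's code; config keys are those shown above.
/** True if $ip is inside $cidr (IPv4 or IPv6; a bare address is an exact match). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input or IPv4/IPv6 family mismatch
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false; // malformed prefix length: fail closed
    }
    $bits = $bits === null ? $max : (int) $bits;
    [$bytes, $rem] = [intdiv($bits, 8), $bits % 8];
    if (strncmp($ipBin, $netBin, $bytes) !== 0) {
        return false; // the whole bytes of the prefix differ
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leading bits of the partial byte
    return $rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Returns the tier that grants a bypass, or null when Duo must be enforced. */
function duo_bypass_tier(string $user, string $ip, array $config): ?string
{
    if (in_array($user, $config['duo_bypass_users'] ?? [], true)) {
        return 'global_user';
    }
    $tiers = [
        'global_ip'   => $config['duo_bypass_ips'] ?? [],
        'conditional' => $config['duo_bypass_rules'][$user] ?? [],
    ];
    foreach ($tiers as $tier => $cidrs) {
        foreach ($cidrs as $cidr) {
            if (ip_in_cidr($ip, $cidr)) { return $tier; }
        }
    }
    return null;
}

// Constructed sample data: the bypass settings from the configuration above.
$config = ['duo_bypass_users' => ['service_account'], 'duo_bypass_ips' => ['192.168.1.0/24'],
           'duo_bypass_rules' => ['admin' => ['127.0.0.1', '::1']]];
$cases = [['service_account', '203.0.113.9'], ['alice', '192.168.1.77'], ['admin', '::1'], ['admin', '203.0.113.9']];
foreach ($cases as [$user, $ip]) {
    printf("%-16s %-13s %s\n", $user, $ip, duo_bypass_tier($user, $ip, $config) ?? 'duo required');
}
```

The IP tiers are only as reliable as the source of `$ip`: behind a reverse proxy, a forwarded-for header should be honoured only when the direct peer is that proxy, so that the bypass ranges are matched against an address the server can vouch for.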

### Advanced Options


- **Failmode** - Choose behavior when Duo service is unavailable
- **Session Timeout** - Configurable Duo session duration
- **Proxy Support** - Trust headers from reverse proxies
- **Debug Logging** - Detailed logs for troubleshooting

TROUBLESHOOTING
---------------


### Check Logs


```
tail -f plugins/duo_auth/logs/duo_auth.log
```

### Test Configuration


```
cd plugins/duo_auth/
php -l duo_auth.php
composer validate
```

### Common Issues

| Problem | Solution |
|---|---|
| 500 Error | Check PHP error logs, ensure Composer dependencies installed |
| "Client ID not found" | Verify credentials in `config.inc.php` |
| Bypass not working | Check IP detection, enable debug logging |
| Session timeout | Adjust `duo_session_timeout` in config |

CREDITS
-------

**Author:** Alexios Polychronopoulos - Original duo\_auth for Roundcube

**Author:** Leonardo Mariño-Ramírez - Updated for Roundcube 1.3.0+ compatibility, v2.0.0 Universal Prompt migration

**Author:** Johnson Chow - Added IPv4 CIDR matching and user-specific 2FA override

**Author:** Pavlo Lyha - Rewrote plugin for Duo Web v4 SDK compatibility

LICENSE
-------


This project is licensed under the GPL-3.0-or-later License - see the [LICENSE](LICENSE) file for details.

SUPPORT
-------


- **Issues:** [GitHub Issues](https://github.com/leonardomarino/duo_auth/issues)
- **Wiki:** [Documentation](https://github.com/leonardomarino/duo_auth/wiki)
- **Duo Docs:** [Duo Universal Prompt Guide](https://duo.com/docs/universal-prompt-update-guide)

CHANGELOG
---------


### v2.0.4 (2025)


- Complete rewrite for Duo Universal Prompt (Web SDK v4)
- Added three-tier bypass system
- IPv4/IPv6 with CIDR support
- Proxy detection and failmode
- Configuration moved to config.inc.php
- PHP 8.2 compatibility

### v1.0.9 (2023)


- Initial Duo Web v4 SDK support by Pavlo Lyha

### v1.0.8 (2023)


- IPv4 CIDR matching by Johnson Chow
- User-specific 2FA override

### v1.0.3 (2020)


- Roundcube 1.3.0 compatibility by Leonardo Mariño-Ramírez

### v1.0.0 (2019)


- Initial release by Alexios Polychronopoulos

---

**⚠️ Important:** The traditional Duo Prompt (iframe-based) reached end of support on March 30, 2024. All installations must use Universal Prompt (SDK v4).

