To set up Duo Push for a specific subdomain like vscode.britbuzz.uk, you need to perform a three-step process: configure Duo, update Authelia's backend, and set the specific access rule.

1. Get your Duo API Credentials

  1. Log in to your Duo Admin Panel.
  2. Go to Applications > Protect an Application.
  3. Search for Auth API and click Protect.
  4. Copy the following:
    • Integration Key (ikey)
    • Secret Key (skey)
    • API Hostname (e.g., api-XXXX.duosecurity.com)

---

2. Configure Duo in Authelia

Add the duo_api section to your configuration.yml. This allows Authelia to communicate with Duo's servers.

YAML

# configuration.yml
totp:
  disable: false # You can keep TOTP as a backup

duo_api:
  disable: false
  hostname: 'api-XXXX.duosecurity.com' # Your API Hostname
  integration_key: 'INTEGRATION_KEY' # Integration Key (ikey)
  secret_key: 'SECRET_KEY' # Secret Key (skey); treat it as a credential and keep it out of version control

---

3. Set the 2FA Policy for VSCode

Now, you need to tell Authelia that while other apps might only need 1FA, vscode.britbuzz.uk specifically requires the second factor.
Update your access_control section:

YAML

# configuration.yml
access_control:
  default_policy: 'one_factor' # Standard apps use password only
  rules:
    - domain: 'vscode.britbuzz.uk'
      policy: 'two_factor' # This triggers the Duo/TOTP prompt
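
Authelia checks access_control rules in order and applies the first one that matches, so a broader rule placed above the vscode.britbuzz.uk rule can silently leave it on one factor. The sketch below is an added example, not part of the original guide or Authelia's own code: `domain_matches`, `effective_policy` and `audit` are hypothetical helpers, the matcher models only exact domains and a leading `*.` wildcard, and the second config is constructed to show the failure.

```python
# Added example: simplified model of Authelia access_control matching.
# Assumption: only exact domains and a leading "*." wildcard are modelled.
from typing import List, Optional, Tuple

def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.example.com' matching any subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # compare against '.example.com'
    return host == pattern

def effective_policy(config: dict, host: str) -> Tuple[str, Optional[int]]:
    """Return (policy, index of deciding rule); index is None for the default."""
    ac = config["access_control"]
    for i, rule in enumerate(ac.get("rules", [])):
        domains = rule["domain"]
        if isinstance(domains, str):
            domains = [domains]
        if any(domain_matches(d, host) for d in domains):
            return rule["policy"], i  # first match wins; later rules ignored
    return ac.get("default_policy", "deny"), None

def audit(config: dict, must_be_2fa: List[str]) -> list:
    """List (host, policy, rule index) for hosts that do not get two_factor."""
    findings = []
    for host in must_be_2fa:
        policy, idx = effective_policy(config, host)
        if policy != "two_factor":
            findings.append((host, policy, idx))
    return findings

# The rules from this guide, written as the parsed structure.
PAGE_CONFIG = {"access_control": {
    "default_policy": "one_factor",
    "rules": [{"domain": "vscode.britbuzz.uk", "policy": "two_factor"}],
}}

# Constructed misconfiguration: a broad wildcard rule sits above the 2FA rule.
SHADOWED_CONFIG = {"access_control": {
    "default_policy": "one_factor",
    "rules": [
        {"domain": "*.britbuzz.uk", "policy": "one_factor"},
        {"domain": "vscode.britbuzz.uk", "policy": "two_factor"},
    ],
}}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(name, audit(cfg, ["vscode.britbuzz.uk"]) or "OK")
```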

---

4. Important Username Mapping

For the "Push" to work, the username in your users_database.yml must match the username in your Duo Admin Panel.

  • If your Authelia user is john, Duo must have a user named john with a phone attached.
  • When you log in to VSCode, Authelia will verify your password (1FA), see the two_factor rule, and automatically trigger a Duo Push to john's phone.

---

Summary of the User Experience

  1. Navigate to https://vscode.britbuzz.uk.
  2. Traefik redirects you to https://auth.britbuzz.uk.
  3. Enter your Username and Password.
  4. Authelia recognizes the domain requires 2FA and sends a Duo Push to your mobile.
  5. Approve the push on your phone; Authelia redirects you back to VSCode.

---

Troubleshooting Note

If the push doesn't arrive, check your Authelia logs:
docker logs authelia
Look for level=error msg="Duo API error". This usually means the system clock on your server is out of sync (Duo requires very precise time) or the credentials were copied incorrectly.