Merge remote-tracking branch 'upstream/master'

README.md

@@ -9,7 +9,7 @@ It can be used for social applications as well as enterprise applications.  It i
 Here's some of the features:
 
 * SSO and Single Log Out for browser applications
-* Social Broker.  Enable Google, Facebook, Yahoo, Twitter social login with no code required.
+* Social Broker.  Enable Google, Facebook, Yahoo, Twitter, GitHub, LinkedIn social login with no code required.
 * Optional LDAP/Active Directory integration
 * Optional User Registration
 * Password and TOTP support (via Google Authenticator or FreeOTP).  Client cert auth coming soon.

connections/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java

@@ -87,10 +87,13 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
 
         boolean clustered = config.getBoolean("clustered", false);
         boolean async = config.getBoolean("async", true);
+        boolean allowDuplicateJMXDomains = config.getBoolean("allowDuplicateJMXDomains", true);
 
         if (clustered) {
             gcb.transport().defaultTransport();
         }
+        gcb.globalJmxStatistics().allowDuplicateDomains(allowDuplicateJMXDomains);
+
         cacheManager = new DefaultCacheManager(gcb.build());
         containerManaged = false;
 

connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.2.0.Beta1.xml

@@ -1,6 +1,11 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
     <changeSet author="psilva@redhat.com" id="1.2.0.Beta1">
+        <delete tableName="CLIENT_SESSION_ROLE"/>
+        <delete tableName="CLIENT_SESSION_NOTE"/>
+        <delete tableName="CLIENT_SESSION"/>
+        <delete tableName="USER_SESSION"/>
+
         <createTable tableName="PROTOCOL_MAPPER">
             <column name="ID" type="VARCHAR(36)">
                 <constraints nullable="false"/>
@@ -14,8 +19,12 @@
             <column name="PROTOCOL_MAPPER_NAME" type="VARCHAR(255)">
                 <constraints nullable="false"/>
             </column>
-            <column name="APPLIED_BY_DEFAULT" type="BOOLEAN" defaultValueBoolean="false"/>
-            <column name="CONSENT_REQUIRED" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="APPLIED_BY_DEFAULT" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+            <column name="CONSENT_REQUIRED" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
             <column name="CONSENT_TEXT" type="VARCHAR(255)"/>
             <column name="CLIENT_ID" type="VARCHAR(36)">
                 <constraints nullable="false"/>
@@ -46,12 +55,20 @@
             <column name="INTERNAL_ID" type="VARCHAR(36)">
                 <constraints nullable="false"/>
             </column>
-            <column name="ENABLED" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="ENABLED" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
             <column name="PROVIDER_ALIAS" type="VARCHAR(255)"/>
             <column name="PROVIDER_ID" type="VARCHAR(255)"/>
-            <column name="UPDATE_PROFILE_FIRST_LOGIN" type="BOOLEAN" defaultValueBoolean="false"/>
-            <column name="STORE_TOKEN" type="BOOLEAN" defaultValueBoolean="false"/>
-            <column name="AUTHENTICATE_BY_DEFAULT" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="UPDATE_PROFILE_FIRST_LOGIN" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+            <column name="STORE_TOKEN" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+            <column name="AUTHENTICATE_BY_DEFAULT" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
             <column name="REALM_ID" type="VARCHAR(36)"/>
         </createTable>
         <createTable tableName="IDENTITY_PROVIDER_CONFIG">
@@ -63,14 +80,16 @@
                 <constraints nullable="false"/>
             </column>
         </createTable>
-        <createTable tableName="CLIENT_IDENTITY_PROVIDER_MAPPING">
+        <createTable tableName="CLIENT_IDENTITY_PROV_MAPPING">
             <column name="CLIENT_ID" type="VARCHAR(36)">
                 <constraints nullable="false"/>
             </column>
             <column name="IDENTITY_PROVIDER_ID" type="VARCHAR(36)">
                 <constraints nullable="false"/>
             </column>
-            <column name="RETRIEVE_TOKEN" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="RETRIEVE_TOKEN" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
         </createTable>
         <createTable tableName="REALM_SUPPORTED_LOCALES">
             <column name="REALM_ID" type="VARCHAR(36)">
@@ -78,30 +97,61 @@
             </column>
             <column name="VALUE" type="VARCHAR(255)"/>
         </createTable>
+        <createTable tableName="USER_SESSION_NOTE">
+            <column name="USER_SESSION" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="NAME" type="VARCHAR(255)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="VALUE" type="VARCHAR(2048)"/>
+        </createTable>
         <addColumn tableName="CLIENT">
-            <column name="FRONTCHANNEL_LOGOUT" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="FRONTCHANNEL_LOGOUT" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+        </addColumn>
+        <addColumn tableName="USER_SESSION">
+            <column name="USER_SESSION_STATE" type="INT" />
         </addColumn>
         <addPrimaryKey columnNames="ID" constraintName="CONSTRAINT_PCM" tableName="PROTOCOL_MAPPER"/>
         <addPrimaryKey columnNames="INTERNAL_ID" constraintName="CONSTRAINT_2B" tableName="IDENTITY_PROVIDER"/>
         <addPrimaryKey columnNames="IDENTITY_PROVIDER, USER_ID" constraintName="CONSTRAINT_40" tableName="FEDERATED_IDENTITY"/>
         <addPrimaryKey columnNames="IDENTITY_PROVIDER_ID, NAME" constraintName="CONSTRAINT_D" tableName="IDENTITY_PROVIDER_CONFIG"/>
         <addPrimaryKey columnNames="PROTOCOL_MAPPER_ID, NAME" constraintName="CONSTRAINT_PMConfig" tableName="PROTOCOL_MAPPER_CONFIG"/>
-        <addForeignKeyConstraint baseColumnNames="REALM_ID" baseTableName="IDENTITY_PROVIDER" constraintName="FK2B4EBC52AE5C3B34" deferrable="false" initiallyDeferred="false" onDelete="RESTRICT" onUpdate="RESTRICT" referencedColumnNames="ID" referencedTableName="REALM"/>
-        <addForeignKeyConstraint baseColumnNames="CLIENT_ID" baseTableName="PROTOCOL_MAPPER" constraintName="FK_PCM_REALM" deferrable="false" initiallyDeferred="false" onDelete="RESTRICT" onUpdate="RESTRICT" referencedColumnNames="ID" referencedTableName="CLIENT"/>
-        <addForeignKeyConstraint baseColumnNames="USER_ID" baseTableName="FEDERATED_IDENTITY" constraintName="FK404288B92EF007A6" deferrable="false" initiallyDeferred="false" onDelete="RESTRICT" onUpdate="RESTRICT" referencedColumnNames="ID" referencedTableName="USER_ENTITY"/>
-        <addForeignKeyConstraint baseColumnNames="IDENTITY_PROVIDER_ID" baseTableName="IDENTITY_PROVIDER_CONFIG" constraintName="FKDC4897CF864C4E43" deferrable="false" initiallyDeferred="false" onDelete="RESTRICT" onUpdate="RESTRICT" referencedColumnNames="INTERNAL_ID" referencedTableName="IDENTITY_PROVIDER"/>
-        <addForeignKeyConstraint baseColumnNames="PROTOCOL_MAPPER_ID" baseTableName="PROTOCOL_MAPPER_CONFIG" constraintName="FK_PMConfig" deferrable="false" initiallyDeferred="false" onDelete="RESTRICT" onUpdate="RESTRICT" referencedColumnNames="ID" referencedTableName="PROTOCOL_MAPPER"/>
-        <addForeignKeyConstraint baseColumnNames="IDENTITY_PROVIDER_ID" baseTableName="CLIENT_IDENTITY_PROVIDER_MAPPING" constraintName="FK_7CELWNIBJI49AVXSRTUF6XJ12" referencedColumnNames="INTERNAL_ID" referencedTableName="IDENTITY_PROVIDER"/>
-        <addForeignKeyConstraint baseColumnNames="CLIENT_ID" baseTableName="CLIENT_IDENTITY_PROVIDER_MAPPING" constraintName="FK_56ELWNIBJI49AVXSRTUF6XJ23" referencedColumnNames="ID" referencedTableName="CLIENT"/>
+        <addPrimaryKey columnNames="USER_SESSION, NAME" constraintName="CONSTRAINT_USN_PK" tableName="USER_SESSION_NOTE"/>
+        <addForeignKeyConstraint baseColumnNames="REALM_ID" baseTableName="IDENTITY_PROVIDER" constraintName="FK2B4EBC52AE5C3B34" referencedColumnNames="ID" referencedTableName="REALM"/>
+        <addForeignKeyConstraint baseColumnNames="CLIENT_ID" baseTableName="PROTOCOL_MAPPER" constraintName="FK_PCM_REALM" referencedColumnNames="ID" referencedTableName="CLIENT"/>
+        <addForeignKeyConstraint baseColumnNames="USER_ID" baseTableName="FEDERATED_IDENTITY" constraintName="FK404288B92EF007A6" referencedColumnNames="ID" referencedTableName="USER_ENTITY"/>
+        <addForeignKeyConstraint baseColumnNames="IDENTITY_PROVIDER_ID" baseTableName="IDENTITY_PROVIDER_CONFIG" constraintName="FKDC4897CF864C4E43" referencedColumnNames="INTERNAL_ID" referencedTableName="IDENTITY_PROVIDER"/>
+        <addForeignKeyConstraint baseColumnNames="PROTOCOL_MAPPER_ID" baseTableName="PROTOCOL_MAPPER_CONFIG" constraintName="FK_PMConfig" referencedColumnNames="ID" referencedTableName="PROTOCOL_MAPPER"/>
+        <addForeignKeyConstraint baseColumnNames="IDENTITY_PROVIDER_ID" baseTableName="CLIENT_IDENTITY_PROV_MAPPING" constraintName="FK_7CELWNIBJI49AVXSRTUF6XJ12" referencedColumnNames="INTERNAL_ID" referencedTableName="IDENTITY_PROVIDER"/>
+        <addForeignKeyConstraint baseColumnNames="CLIENT_ID" baseTableName="CLIENT_IDENTITY_PROV_MAPPING" constraintName="FK_56ELWNIBJI49AVXSRTUF6XJ23" referencedColumnNames="ID" referencedTableName="CLIENT"/>
         <addForeignKeyConstraint baseColumnNames="REALM_ID" baseTableName="REALM_SUPPORTED_LOCALES" constraintName="FK_SUPPORTED_LOCALES_REALM" referencedColumnNames="ID" referencedTableName="REALM"/>
+        <addForeignKeyConstraint baseColumnNames="USER_SESSION" baseTableName="USER_SESSION_NOTE" constraintName="FK5EDFB00FF51D3472" referencedColumnNames="ID" referencedTableName="USER_SESSION"/>
         <addUniqueConstraint columnNames="PROVIDER_ALIAS, REALM_ID" constraintName="UK_2DAELWNIBJI49AVXSRTUF6XJ33" tableName="IDENTITY_PROVIDER"/>
-        <addUniqueConstraint columnNames="IDENTITY_PROVIDER_ID,CLIENT_ID" constraintName="UK_7CAELWNIBJI49AVXSRTUF6XJ12" tableName="CLIENT_IDENTITY_PROVIDER_MAPPING"/>
-
+        <addUniqueConstraint columnNames="IDENTITY_PROVIDER_ID,CLIENT_ID" constraintName="UK_7CAELWNIBJI49AVXSRTUF6XJ12" tableName="CLIENT_IDENTITY_PROV_MAPPING"/>
         <addColumn tableName="REALM">
             <column name="LOGIN_LIFESPAN" type="INT"/>
-            <column name="INTERNATIONALIZATION_ENABLED" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="INTERNATIONALIZATION_ENABLED" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
             <column name="DEFAULT_LOCALE" type="VARCHAR(255)" />
-            <column name="REGISTRATION_EMAIL_AS_USERNAME" type="BOOLEAN" defaultValueBoolean="false"/>
+            <column name="REG_EMAIL_AS_USERNAME" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
         </addColumn>
+
+        <!-- KEYCLOAK-1106 APPLICATION_ID and REALM_ID switched in REALM_APPLICATION table -->
+        <dropForeignKeyConstraint baseTableName="REALM_APPLICATION" constraintName="FK_71S3P0DIUXAWWQQSA528UBY2Q" />
+        <dropForeignKeyConstraint baseTableName="REALM_APPLICATION" constraintName="FK_L5QGA3RFME47335JY8JXYXH3I" />
+        <dropUniqueConstraint tableName="REALM_APPLICATION" constraintName="UK_L5QGA3RFME47335JY8JXYXH3I" />
+        <renameColumn tableName="REALM_APPLICATION" oldColumnName="APPLICATION_ID" newColumnName="APPLICATION_ID_TMP" columnDataType="VARCHAR(36)"/>
+        <renameColumn tableName="REALM_APPLICATION" oldColumnName="REALM_ID" newColumnName="APPLICATION_ID" columnDataType="VARCHAR(36)"/>
+        <renameColumn tableName="REALM_APPLICATION" oldColumnName="APPLICATION_ID_TMP" newColumnName="REALM_ID" columnDataType="VARCHAR(36)"/>
+        <addUniqueConstraint columnNames="APPLICATION_ID" constraintName="UK_M6QGA3RFME47335JY8JXYXH3I" tableName="REALM_APPLICATION"/>
+        <addForeignKeyConstraint baseColumnNames="APPLICATION_ID" baseTableName="REALM_APPLICATION" constraintName="FK_82S3P0DIUXAWWQQSA528UBY2Q" referencedColumnNames="ID" referencedTableName="CLIENT"/>
+        <addForeignKeyConstraint baseColumnNames="REALM_ID" baseTableName="REALM_APPLICATION" constraintName="FK_M6QGA3RFME47335JY8JXYXH3I" referencedColumnNames="ID" referencedTableName="REALM"/>
+
     </changeSet>
 </databaseChangeLog>

connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/updates/Update1_2_0_Beta1.java

@@ -33,6 +33,9 @@ public class Update1_2_0_Beta1 extends Update {
 
     @Override
     public void update(KeycloakSession session) {
+        deleteEntries("clientSessions");
+        deleteEntries("sessions");
+
         convertSocialToIdFedRealms();
         convertSocialToIdFedUsers();
         addAccessCodeLoginTimeout();

dependencies/server-all/pom.xml

@@ -122,6 +122,11 @@
             <artifactId>keycloak-social-facebook</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-social-linkedin</artifactId>
+            <version>${project.version}</version>
+        </dependency>
 
         <!-- ldap federation api -->
         <dependency>

distribution/modules/build.xml

@@ -235,6 +235,10 @@
         <module-def name="org.keycloak.keycloak-social-facebook">
             <maven-resource group="org.keycloak" artifact="keycloak-social-facebook"/>
         </module-def>
+    	
+    	  <module-def name="org.keycloak.keycloak-social-linkedin">
+    	      <maven-resource group="org.keycloak" artifact="keycloak-social-linkedin"/>
+    	  </module-def>
 
         <module-def name="org.keycloak.keycloak-kerberos-federation">
             <maven-resource group="org.keycloak" artifact="keycloak-kerberos-federation"/>

distribution/modules/src/main/resources/modules/org/keycloak/keycloak-server/main/module.xml

@@ -57,6 +57,7 @@
         <module name="org.keycloak.keycloak-social-github" services="import"/>
         <module name="org.keycloak.keycloak-social-google" services="import"/>
         <module name="org.keycloak.keycloak-social-twitter" services="import"/>
+        <module name="org.keycloak.keycloak-social-linkedin" services="import"/>
         <module name="org.keycloak.keycloak-subsystem" services="import"/>
         <module name="org.keycloak.keycloak-timer-api" services="import"/>
         <module name="org.keycloak.keycloak-timer-basic" services="import"/>

distribution/modules/src/main/resources/modules/org/keycloak/keycloak-services/main/module.xml

@@ -60,6 +60,7 @@
         <module name="org.keycloak.keycloak-social-github" services="import"/>
         <module name="org.keycloak.keycloak-social-google" services="import"/>
         <module name="org.keycloak.keycloak-social-twitter" services="import"/>
+        <module name="org.keycloak.keycloak-social-linkedin" services="import"/>
         <module name="org.keycloak.keycloak-timer-api" services="import"/>
         <module name="org.keycloak.keycloak-timer-basic" services="import"/>
 

distribution/modules/src/main/resources/modules/org/keycloak/keycloak-social-linkedin/main/module.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+
+
+<module xmlns="urn:jboss:module:1.1" name="org.keycloak.keycloak-social-linkedin">
+    <resources>
+        <!-- Insert resources here -->
+    </resources>
+    <dependencies>
+        <module name="org.keycloak.keycloak-core"/>
+        <module name="org.keycloak.keycloak-social-core"/>
+        <module name="org.keycloak.keycloak-broker-core"/>
+        <module name="org.keycloak.keycloak-broker-oidc"/>
+        <module name="org.keycloak.keycloak-model-api"/>
+        <module name="org.jboss.logging"/>
+        <module name="javax.api"/>
+        <module name="org.codehaus.jackson.jackson-core-asl"/>
+        <module name="org.codehaus.jackson.jackson-mapper-asl"/>
+        <module name="org.codehaus.jackson.jackson-xc"/>
+    </dependencies>
+
+</module>

distribution/subsystem-war/src/main/webapp/WEB-INF/jboss-deployment-structure.xml

@@ -50,6 +50,7 @@
             <module name="org.keycloak.keycloak-social-github" services="import"/>
             <module name="org.keycloak.keycloak-social-google" services="import"/>
             <module name="org.keycloak.keycloak-social-twitter" services="import"/>
+            <module name="org.keycloak.keycloak-social-linkedin" services="import"/>
             <module name="org.keycloak.keycloak-timer-api" services="import"/>
             <module name="org.keycloak.keycloak-timer-basic" services="import"/>
             <module name="org.hibernate" services="import"/>

docbook/reference/en/en-US/modules/identity-broker.xml

@@ -715,6 +715,99 @@
                 </tgroup>
             </table>
         </section>
+        <section>
+            <title>LinkedIn</title>
+            <para>
+                To enable login with LinkedIn you first have to create an application in
+                <ulink url="https://www.linkedin.com/secure/developer">LinkedIn Developer Network</ulink>. Then you need to copy
+                the client id and secret into the Keycloak Admin Console.
+            </para>
+            <para>
+                Let's see first how to create an application with LinkedIn.
+            </para>
+            <orderedlist>
+                <listitem>
+                    <para>
+                        Log in to <ulink url="https://www.linkedin.com/secure/developer">LinkedIn Developer Network</ulink>. Click the
+                        <literal>Add New Application</literal> link. Use any value for <literal>Application Name</literal>,
+                        <literal>Website URL</literal>, <literal>Description</literal>, <literal>Developer Contact Email</literal> and <literal>Phone</literal> you want.
+                        Select <literal>r_basicprofile</literal> and <literal>r_emailaddress</literal> in the <literal>Default Scope</literal> section. 
+                        Click the <literal>Add Application</literal> button.
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        Copy <literal>Consumer Key / API Key</literal> and <literal>Consumer Secret / Secret Key</literal> from the shown page.
+                    </para>
+                </listitem>
+            </orderedlist>
+            <para>
+                Now that you have the client id and secret, you can proceed with the creation of a LinkedIn Identity Provider in Keycloak. As follows:
+            </para>
+            <orderedlist>
+                <listitem>
+                    <para>
+                        Select the <literal>LinkedIn</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        Copy the client id and secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
+                    </para>
+                </listitem>
+            </orderedlist>
+            <para>
+                Once you create the identity provider in Keycloak, you must update your LinkedIn application with the redirect url that was
+                generated to your identity provider.
+            </para>
+            <orderedlist>
+                <listitem>
+                    <para>
+                        Open the LinkedIn Developer Network and select your application. In <literal>OAuth 2.0 Redirect URLs</literal>
+                        insert the redirect uri created by Keycloak. The redirect uri
+                        usually have the following format: <literal>http://{host}:{port}/auth/realms/{realm}/broker/{provider_alias}/endpoint</literal>.
+                    </para>
+                </listitem>
+            </orderedlist>
+            <note>
+                <para>
+                    You can always get the redirect url for a specific identity provider from the table presented when you
+                    click on the 'Identity Provider' tab in <emphasis>Realm > Settings</emphasis>.
+                </para>
+            </note>
+            <para>
+                That is it! This pretty much what you need to do in order to setup this identity provider.
+            </para>
+            <para>
+                The table below lists some additional configuration options you may use when configuring this provider.
+            </para>
+            <table>
+                <title>Configuration Options</title>
+                <tgroup align="left" cols="2">
+                    <thead>
+                        <row>
+                            <entry>
+                                Configuration
+                            </entry>
+                            <entry>
+                                Description
+                            </entry>
+                        </row>
+                    </thead>
+                    <tbody valign="top">
+                        <row>
+                            <entry>
+                                <literal>Default Scopes</literal>
+                            </entry>
+                            <entry>
+                                Allows you to manually specify the scopes that users must authorize when authenticating with this provider. 
+                                For a complete list of scopes, please take a look at application configuration in <ulink url="https://www.linkedin.com/secure/developer">LinkedIn Developer Network</ulink>. By default, Keycloak uses the following scopes: <literal>r_basicprofile r_emailaddress</literal>
+                            </entry>
+                        </row>
+                    </tbody>
+                </tgroup>
+            </table>
+        </section>        
     </section>
 
     <section>

docbook/reference/en/en-US/modules/themes.xml

@@ -2,18 +2,18 @@
     <title>Themes</title>
 
     <para>
-        Keycloak provides theme support for login forms and account management. This allows customizing the look
-        and feel of end-user facing pages so they can be integrated with your brand and applications.
+        Keycloak provides theme support for web pages and emails. This allows customizing the look
+        and feel of end-user facing pages so they can be integrated with your applications.
     </para>
 
     <section>
         <title>Theme types</title>
         <para>
-            There are several types of themes in Keycloak:
+            A theme can support several types to customize different aspects of Keycloak. The types currently available
+            are:
             <itemizedlist>
                 <listitem>Account - Account management</listitem>
                 <listitem>Admin - Admin console</listitem>
-                <listitem>Common - Shared resources for themes</listitem>
                 <listitem>Email - Emails</listitem>
                 <listitem>Login - Login forms</listitem>
                 <listitem>Welcome - Welcome pages</listitem>
@@ -28,6 +28,11 @@
             the theme used for a realm open the <literal>Keycloak Admin Console</literal>, select your realm
             from the drop-down box in the top left corner. Under <literal>Settings</literal> click on <literal>Theme</literal>.
         </para>
+        <para>
+            To set the theme for the <literal>master</literal> Keycloak admin console set the admin console theme for
+            the <literal>master</literal> realm. To set the theme for per realm admin access control set the admin console
+            theme for the corresponding realm.
+        </para>
         <para>
             To change the welcome theme you need to edit <literal>standalone/configuration/keycloak-server.json</literal>
             and add <literal>welcomeTheme</literal> to the theme element, for example:
@@ -43,9 +48,8 @@
     <section>
         <title>Default themes</title>
         <para>
-            Keycloak comes bundled with default themes in <literal>standalone/configuration/themes</literal>. It is
-            not recommended to edit these themes directly. Instead you should create a new theme to extend a default
-            theme. A good reference is to copy the keycloak themes as these extend the base theme to add styling.
+            Keycloak comes bundled with default themes in <literal>standalone/configuration/themes</literal>. You should
+            not edit the bundled themes directly. Instead create a new theme that extends a bundled theme.
         </para>
     </section>
 
@@ -65,24 +69,63 @@
         <para>
             A theme can extend another theme. When extending a theme you can override individual files (templates, stylesheets, etc.).
             The recommended way to create a theme is to extend the base theme. The base theme provides templates
-            and a default message bundle. It should be possible to achieve the customization required by styling these
-            templates.
+            and a default message bundle. If you decide to override templates bear in mind that you may need to update
+            your templates when upgrading to a new release to include any changes made to the original template.
         </para>
         <para>
-            To create a new theme, create a folder in <literal>.../standalone/configuration/themes/&lt;theme type&gt;</literal>.
-            The name of the folder is the name of the theme. Then create a file <literal>theme.properties</literal> inside the theme folder.
-            The contents of the file should be:
+            Before creating a theme it's a good idea to disable caching as this makes it possible to edit theme resources
+            without restarting the server. To do this open <literal>../standalone/configuration/keycloak-server.json</literal>
+            for <literal>theme</literal> set <literal>staticMaxAge</literal> to <literal>-1</literal> and
+            <literal>cacheTemplates</literal> and <literal>cacheThemes</literal> to <literal>false</literal>. For example:
+<programlisting>[<![CDATA[
+"theme": {
+    "default": "keycloak",
+    "staticMaxAge": 01,
+    "cacheTemplates": false,
+    "cacheThemes": false,
+    "folder": {
+      "dir": "${jboss.server.config.dir}/themes"
+    }
+},
+]]></programlisting>
+            Remember to re-enable caching in production as it will significantly impact performance.
         </para>
-        <programlisting>parent=base</programlisting>
         <para>
-            You have now created your theme. Check that it works by configuring it for a realm. It should look the same
-            as the base theme as you've not added anything to it yet. The next sections will describe how to modify
-            the theme.</para>
+            To create a new theme create a directory for the theme in <literal>.../standalone/configuration/themes</literal>.
+            The name of the directory should be the name of the theme. For example to create a theme called <literal>example-theme</literal>
+            create the directory <literal>.../standalone/configuration/themes/example-theme</literal>. Inside the theme
+            directory you then need to create a directory for each of the types your theme is going to provide. For example
+            to add the login type to the <literal>example-theme</literal> theme create the directory
+            <literal>.../standalone/configuration/themes/example-theme/login</literal>.
+        </para>
+        <para>
+            For each type create a file <literal>theme.properties</literal> which allows setting some configuration for
+            the theme, for example what theme it overrides and if it should import any themes. For the above example we
+            want to override the base theme and import common resources from the Keycloak theme. To do this create the
+            file <literal>.../standalone/configuration/themes/example-theme/login/theme.properties</literal> with the
+            following contents:
+<programlisting>[<![CDATA[
+parent=base
+import=common/keycloak
+]]></programlisting>
+        </para>
+        <para>
+            You have now created a theme with support for the login type. To check that it works open the admin console.
+            Select your realm and click on <literal>Themes</literal>. For <literal>Login Theme</literal> select
+            <literal>example-theme</literal> and click <literal>Save</literal>. Then open the login page for the realm.
+            You can do this either by login through your application or by opening <literal>http://localhost:8080/realms/&lt;realm name&gt;/account</literal>.
+        </para>
+        <para>
+            To see the effect of changing the parent theme, set <literal>parent=keycloak</literal> in <literal>theme.properties</literal>
+            and refresh the login page. To follow the rest of the documentation set it back to <literal>parent=base</literal>
+            before continuing.
+        </para>
         <section>
             <title>Stylesheets</title>
             <para>
-                A theme can have one or more stylesheets, to add a stylesheet create a file inside <literal>resources/css</literal> (for example <literal>resources/css/styles.css</literal>)
-                inside your theme folder. Then registering it in <literal>theme.properties</literal> by adding:
+                A theme can have one or more stylesheets, to add a stylesheet create a file inside <literal>resources/css</literal>
+                (for example <literal>resources/css/styles.css</literal>) inside your theme folder. Then registering it
+                in <literal>theme.properties</literal> by adding:
             </para>
             <programlisting>styles=css/styles.css</programlisting>
             <para>
@@ -90,6 +133,17 @@
                 as you want. For example:
             </para>
             <programlisting>styles=css/styles.css css/more-styles.css</programlisting>
+            For the example-theme above add <literal>example-theme/login/resources/css/styles.css</literal> with the
+            following content:
+<programlisting>[<![CDATA[
+#kc-form {
+    background-color: #000;
+    color: #fff;
+    padding: 20px;
+}]]></programlisting>
+            Then edit <literal>example-theme/login/theme.properties</literal> and add <programlisting>styles=css/styles.css</programlisting>.
+            Refresh the login page to see your changes. It's not pretty, but you can see how easily you can modify the
+            styles for your theme.
         </section>
         <section>
             <title>Scripts</title>
@@ -121,9 +175,8 @@
         <section>
             <title>Messages</title>
             <para>
-                Text in the templates are loaded from message bundles. Currently internationalization isn't supported,
-                but that will be added in a later release. A theme that extends another theme will inherit all messages
-                from the parents message bundle, but can override individual messages. For example to replace
+                Text in the templates are loaded from message bundles. A theme that extends another theme will inherit
+                all messages from the parents message bundle, but can override individual messages. For example to replace
                 <literal>Username</literal> on the login form with <literal>Your Username</literal> create the file
                 <literal>messages/messages.properties</literal> inside your theme folder and add the following content:
             </para>
@@ -134,30 +187,79 @@
             <para>
                 Keycloak uses <ulink url="http://freemarker.org">Freemarker Templates</ulink> in order to generate HTML.
                 These templates are defined in <literal>.ftl</literal> files and can be overriden from the base theme.
-                Check out the Freemarker website on how to form a template file.
+                Check out the Freemarker website on how to form a template file. To override the login template for the
+                <literal>example-theme</literal> copy <literal>../standalone/configuration/themes/base/login/login.ftl</literal>
+                to <literal>../standalone/configuration/themes/example-theme/login</literal> and open it in an editor. After
+                the first line (&lt;#import ...&gt;) add <literal>&lt;h1&gt;HELLO WORLD!&lt;/h1&gt;</literal> then refresh
+                the page.
             </para>
         </section>
     </section>
 
+    <section>
+        <title>Deploying themes</title>
+        <para>
+            Themes can be deployed to Keycloak by copying the theme directory to <literal>../standalone/configuration/themes</literal>
+            or it can be deployed as a module. For a single server or during development just copying the theme is fine, but
+            in a cluster or domain it's recommended to deploy as a module.
+        </para>
+        <para>
+            To deploy a theme as a module you need to create an jar (it's basically just a zip with jar extension) with
+            the theme resources and a file <literal>META/keycloak-server.json</literal> that describes the themes contained
+            in the archive. For example <literal>example-theme.jar</literal> with the contents:
+            <itemizedlist>
+                <listitem>META-INF/keycloak-themes.json</listitem>
+                <listitem>theme/example-theme/login/theme.properties</listitem>
+                <listitem>theme/example-theme/login/login.ftl</listitem>
+                <listitem>theme/example-theme/login/resources/css/styles.css</listitem>
+            </itemizedlist>
+            The contents of META-INF/keycloak-server.json in this case would be:
+<programlisting>[<![CDATA[
+{
+    "themes": [{
+        "name" : "example-theme",
+        "types": [ "login" ]
+    }]
+}
+]]></programlisting>
+            As you can see a single jar can contain multiple themes and each theme can support one or more types.
+        </para>
+        <para>
+            The deploy the jar as a module to Keycloak you can either manually create the module or use <literal>jboss-cli</literal>.
+            It's simplest to use <literal>jboss-cli</literal> as it creates the required directories and module descriptor
+            for you. To deploy the above jar <literal>jboss-cli</literal> run:
+<programlisting>[<![CDATA[
+    KEYCLOAK_HOME/bin/jboss-cli.sh --command="module add --name=org.example.exampletheme --resources=example-theme.jar"
+]]></programlisting>
+            If you're on windows run <programlisting>KEYCLOAK_HOME/bin/jboss-cli.bat</programlisting>.
+        </para>
+        <para>
+            This command creates <literal>modules/org/example/exampletheme/main</literal> containing <literal>example-theme.jar</literal>
+            and <literal>module.xml</literal>.
+        </para>
+        <para>
+            Once you've created the module you need to register it with Keycloak do this by editing
+            <literal>../standalone/configuration/keycloak-server.json</literal> and adding the module to <literal>theme/module/modules</literal>. For example:
+<programlisting>[<![CDATA[
+"theme": {
+    ...
+    "module": {
+        "modules": [ "org.example.exampletheme" ]
+    }
+}
+]]></programlisting>
+        </para>
+        <para>
+            If a theme is deployed to <literal>../standalone/configuration/themes</literal> and as a module the first
+            is used.
+        </para>
+    </section>
+
     <section>
         <title>SPIs</title>
         <para>
             For full control of login forms and account management Keycloak provides a number of SPIs.
         </para>
-        <section>
-            <title>Theme SPI</title>
-            <para>
-                The Theme SPI allows creating different mechanisms to load themes for the default FreeMarker based
-                implementations of login forms and account management. To create a theme provider you will need to implement
-                <literal>org.keycloak.freemarker.ThemeProviderFactory</literal> and <literal>org.keycloak.freemarker.ThemeProvider</literal>.
-            </para>
-            <para>
-                Keycloak comes with two theme providers, one that loads themes from the classpath (used by default themes)
-                and another that loads themes from a folder (used by custom themes). Looking at these
-                would be a good place to start to create your own theme provider. You can find them inside
-                <literal>forms/common-themes</literal> on GitHub or the source download.
-            </para>
-        </section>
         <section>
             <title>Account SPI</title>
             <para>

examples/cors/angular-product-app/.gitignore

@@ -0,0 +1 @@
+/.externalToolBuilders/*

examples/themes/README.md

@@ -21,7 +21,7 @@ Then open $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json and regis
         }
     }
 
-Alternatively you can copy `src/main/resources/theme/login` to `standalone/configuration/themes/login/`. 
+Alternatively you can copy `src/main/resources/theme/sunrise` to `standalone/configuration/themes/`. 
 
 Once you've added the theme open the admin console, select your realm, click on `Theme`. In the dropdown for `Login Theme` select `sunrise`. Click `Save` and login to the realm to see the new theme in action.
 
@@ -46,13 +46,7 @@ Then open $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json and regis
         }
     }
 
-Alternatively you can copy:
-
-* `account/logo-example` to `standalone/configuration/themes/account/`
-* `login/logo-example` to `standalone/configuration/themes/login/`
-* `admin/logo-example` to `standalone/configuration/themes/admin/`
-* `welcome/logo-example` to `standalone/configuration/themes/welcome/`
-
+Alternatively you can copy `src/main/resources/theme/logo-example` to `standalone/configuration/themes/`. 
 
 Once you've added the theme open the admin console, select your realm, click on `Theme`. In the dropdowns for `Login Theme`, `Account Theme` and `Admin Console Theme` select `logo-example`. Click `Save` and login to the realm to see the new theme in action.
 

forms/common-freemarker/src/main/java/org/keycloak/freemarker/ExtendingThemeManagerFactory.java

@@ -11,9 +11,7 @@ import java.util.concurrent.ConcurrentHashMap;
  */
 public class ExtendingThemeManagerFactory implements ThemeProviderFactory {
 
-    private ConcurrentHashMap<ThemeKey, Theme> themeCache = new ConcurrentHashMap<ThemeKey, Theme>();
-
-    private ExtendingThemeManager themeManager;
+    private ConcurrentHashMap<ThemeKey, Theme> themeCache;
 
     @Override
     public ThemeProvider create(KeycloakSession session) {
@@ -23,7 +21,7 @@ public class ExtendingThemeManagerFactory implements ThemeProviderFactory {
     @Override
     public void init(Config.Scope config) {
         if(Config.scope("theme").getBoolean("cacheThemes", true)) {
-            themeCache = new ConcurrentHashMap<ThemeKey, Theme>();
+            themeCache = new ConcurrentHashMap<>();
         }
     }
 

forms/common-freemarker/src/main/java/org/keycloak/freemarker/FreeMarkerUtil.java

@@ -20,7 +20,7 @@ public class FreeMarkerUtil {
 
     public FreeMarkerUtil() {
         if (Config.scope("theme").getBoolean("cacheTemplates", true)) {
-            cache = new ConcurrentHashMap<String, Template>();
+            cache = new ConcurrentHashMap<>();
         }
     }
 

forms/common-freemarker/src/main/java/org/keycloak/freemarker/beans/AdvancedMessageFormatterMethod.java

@@ -0,0 +1,36 @@
+package org.keycloak.freemarker.beans;
+
+import freemarker.template.TemplateMethodModelEx;
+import freemarker.template.TemplateModelException;
+
+import java.text.MessageFormat;
+import java.util.List;
+import java.util.Locale;
+import java.util.Properties;
+
+/**
+ * @author <a href="mailto:gerbermichi@me.com">Michael Gerber</a>
+ */
+public class AdvancedMessageFormatterMethod implements TemplateMethodModelEx {
+    private final Properties messages;
+    private final Locale locale;
+
+    public AdvancedMessageFormatterMethod(Locale locale, Properties messages) {
+        this.locale = locale;
+        this.messages = messages;
+    }
+
+    @Override
+    public Object exec(List list) throws TemplateModelException {
+        if (list.size() >= 1) {
+            String key = list.get(0).toString();
+            if (key.startsWith("${") && key.endsWith("}")) {
+                key = key.substring(2, key.length() - 1);
+                return new MessageFormat(messages.getProperty(key, key), locale).format(list.subList(1, list.size()).toArray());
+            } else {
+                return key;
+            }
+        }
+        return null;
+    }
+}

forms/common-freemarker/src/main/java/org/keycloak/freemarker/beans/MessageFormatterMethod.java

@@ -22,8 +22,8 @@ public class MessageFormatterMethod implements TemplateMethodModelEx {
 
     @Override
     public Object exec(List list) throws TemplateModelException {
-        String key = list.get(0).toString();
         if (list.size() >= 1) {
+            String key = list.get(0).toString();
             return new MessageFormat(messages.getProperty(key,key),locale).format(list.subList(1, list.size()).toArray());
         } else {
             return null;

forms/common-themes/src/main/java/org/keycloak/theme/ClassLoaderTheme.java

@@ -2,13 +2,11 @@ package org.keycloak.theme;
 
 import org.keycloak.freemarker.Theme;
 
-import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 import java.util.Locale;
 import java.util.Properties;
-import java.util.ResourceBundle;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -42,7 +40,7 @@ public class ClassLoaderTheme implements Theme {
         this.type = type;
         this.classLoader = classLoader;
 
-        String themeRoot = "theme/" + type.toString().toLowerCase() + "/" + name + "/";
+        String themeRoot = "theme/" + name + "/" + type.toString().toLowerCase() + "/";
 
         this.templateRoot = themeRoot;
         this.resourceRoot = themeRoot + "resources/";
@@ -60,10 +58,6 @@ public class ClassLoaderTheme implements Theme {
         }
     }
 
-    public ClassLoaderTheme() {
-
-    }
-
     @Override
     public String getName() {
         return name;

forms/common-themes/src/main/java/org/keycloak/theme/FolderTheme.java

@@ -18,11 +18,13 @@ public class FolderTheme implements Theme {
     private String parentName;
     private String importName;
     private File themeDir;
+    private String name;
     private Type type;
     private final Properties properties;
 
-    public FolderTheme(File themeDir, Type type) throws IOException {
+    public FolderTheme(File themeDir, String name, Type type) throws IOException {
         this.themeDir = themeDir;
+        this.name = name;
         this.type = type;
         this.properties = new Properties();
 
@@ -36,7 +38,7 @@ public class FolderTheme implements Theme {
 
     @Override
     public String getName() {
-        return themeDir.getName();
+        return name;
     }
 
     @Override

forms/common-themes/src/main/java/org/keycloak/theme/FolderThemeProvider.java

@@ -15,10 +15,10 @@ import java.util.Set;
  */
 public class FolderThemeProvider implements ThemeProvider {
 
-    private File rootDir;
+    private File themesDir;
 
-    public FolderThemeProvider(File rootDir) {
-        this.rootDir = rootDir;
+    public FolderThemeProvider(File themesDir) {
+        this.themesDir = themesDir;
     }
 
     @Override
@@ -28,51 +28,41 @@ public class FolderThemeProvider implements ThemeProvider {
 
     @Override
     public Theme getTheme(String name, Theme.Type type) throws IOException {
-        if (hasTheme(name, type)) {
-            return new FolderTheme(new File(getTypeDir(type), name), type);
-        }
-        return null;
+        File themeDir = getThemeDir(name, type);
+        return themeDir.isDirectory() ? new FolderTheme(themeDir, name, type) : null;
     }
 
     @Override
     public Set<String> nameSet(Theme.Type type) {
-        File typeDir = getTypeDir(type);
-        if (typeDir != null) {
-            File[] themes = typeDir.listFiles(new FileFilter() {
-                @Override
-                public boolean accept(File pathname) {
-                    return pathname.isDirectory();
-                }
-            });
-
+        final String typeName = type.name().toLowerCase();
+        File[] themeDirs = themesDir.listFiles(new FileFilter() {
+            @Override
+            public boolean accept(File pathname) {
+                return pathname.isDirectory() && new File(pathname, typeName).isDirectory();
+            }
+        });
+        if (themeDirs != null) {
             Set<String> names = new HashSet<String>();
-            for (File t : themes) {
-                names.add(t.getName());
+            for (File themeDir : themeDirs) {
+                names.add(themeDir.getName());
             }
             return names;
+        } else {
+            return Collections.emptySet();
         }
-
-        return Collections.emptySet();
-    }
-
-    private File getTypeDir(Theme.Type type) {
-        if (rootDir != null && rootDir.isDirectory()) {
-            File typeDir = new File(rootDir, type.name().toLowerCase());
-            if (typeDir.isDirectory()) {
-                return typeDir;
-            }
-        }
-        return null;
     }
 
     @Override
     public boolean hasTheme(String name, Theme.Type type) {
-        File typeDir = getTypeDir(type);
-        return typeDir != null && new File(typeDir, name).isDirectory();
+        return getThemeDir(name, type).isDirectory();
     }
 
     @Override
     public void close() {
     }
 
+    private File getThemeDir(String name, Theme.Type type) {
+        return new File(themesDir, name + File.separator + type.name().toLowerCase());
+    }
+
 }

forms/common-themes/src/main/resources/theme/account/base/messages/messages_en.properties

@@ -1,57 +0,0 @@
-authenticatorCode=One-time code
-email=Email
-firstName=First name
-lastName=Last name
-password=Password
-passwordConfirm=Confirmation
-passwordNew=New Password
-username=Username
-street=Street
-locality=City or Locality
-region=State, Province, or Region
-postal_code=Zip or Postal code
-country=Country
-
-missingFirstNameMessage=Please specify first name.
-invalidEmailMessage=Invalid email address.
-missingLastNameMessage=Please specify last name.
-missingEmailMessage=Please specify email.
-missingPasswordMessage=Please specify password.
-notMatchPasswordMessage=Passwords don''t match.
-
-missingTotpMessage=Please specify authenticator code
-invalidPasswordExistingMessage=Invalid existing password
-invalidPasswordConfirmMessage=Password confirmation doesn''t match
-invalidTotpMessage=Invalid authenticator code
-
-readOnlyUserMessage=You can''t update your account as it is read only
-readOnlyPasswordMessage=You can''t update your password as your account is read only
-
-successTotpMessage=Mobile authenticator configured.
-successTotpRemovedMessage=Mobile authenticator removed.
-
-accountUpdatedMessage=Your account has been updated
-accountPasswordUpdatedMessage=Your password has been updated
-
-missingIdentityProviderMessage=Identity provider not specified
-invalidFederatedIdentityActionMessage=Invalid or missing action
-identityProviderNotFoundMessage=Specified identity provider not found
-federatedIdentityLinkNotActiveMessage=This identity is not active anymore
-federatedIdentityRemovingLastProviderMessage=You can''t remove last federated identity as you don''t have password
-identityProviderRedirectErrorMessage=Failed to redirect to identity provider
-identityProviderRemovedMessage=Identity provider removed successfully
-
-accountDisabledMessage=Account is disabled, contact admin
-
-doLogOutAllSessions=Log out all sessions
-
-accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later
-invalidPasswordMinLengthMessage=Invalid password: minimum length {0}
-invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters
-invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits
-invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters
-invalidPasswordMinSpecialCharsMessage=Invalid password: must contain at least {0} special characters
-invalidPasswordNotUsernameMessage=Invalid password\: must not be equal to the username
-
-locale_de=German
-locale_en=English

forms/common-themes/src/main/resources/theme/base/account/account.ftl

@@ -3,10 +3,10 @@
 
     <div class="row">
         <div class="col-md-10">
-            <h2>Edit Account</h2>
+            <h2>${msg("editAccountHtmlTtile")}</h2>
         </div>
         <div class="col-md-2 subtitle">
-            <span class="subtitle"><span class="required">*</span> Required fields</span>
+            <span class="subtitle"><span class="required">*</span> ${msg("requiredFields")}</span>
         </div>
     </div>
 
@@ -104,9 +104,9 @@
         <div class="form-group">
             <div id="kc-form-buttons" class="col-md-offset-2 col-md-10 submit">
                 <div class="">
-                    <#if url.referrerURI??><a href="${url.referrerURI}">Back to application</a></#if>
-                    <button type="submit" class="btn btn-primary btn-lg" name="submitAction" value="Save">Save</button>
-                    <button type="submit" class="btn btn-default btn-lg" name="submitAction" value="Cancel">Cancel</button>
+                    <#if url.referrerURI??><a href="${url.referrerURI}">${msg("backToApplication")}/a></#if>
+                    <button type="submit" class="btn btn-primary btn-lg" name="submitAction" value="Save">${msg("doSave")}</button>
+                    <button type="submit" class="btn btn-default btn-lg" name="submitAction" value="Cancel">${msg("doCancel")}</button>
                 </div>
             </div>
         </div>

forms/common-themes/src/main/resources/theme/base/account/federatedIdentity.ftl

@@ -3,7 +3,7 @@
 
     <div class="row">
         <div class="col-md-10">
-            <h2>Federated Identities</h2>
+            <h2>${msg("federatedIdentitiesHtmlTitle")}</h2>
         </div>
     </div>
 
@@ -19,10 +19,10 @@
                 <div class="col-sm-5 col-md-5">
                     <#if identity.connected>
                         <#if federatedIdentity.removeLinkPossible>
-                            <a href="${identity.actionUrl}" type="submit" id="remove-${identity.providerId!}" class="btn btn-primary btn-lg">Remove ${identity.providerName!}</a>
+                            <a href="${identity.actionUrl}" type="submit" id="remove-${identity.providerId!}" class="btn btn-primary btn-lg">${msg("doRemove")}</a>
                         </#if>
                     <#else>
-                        <a href="${identity.actionUrl}" type="submit" id="add-${identity.providerId!}" class="btn btn-primary btn-lg">Add ${identity.providerName!}</a>
+                        <a href="${identity.actionUrl}" type="submit" id="add-${identity.providerId!}" class="btn btn-primary btn-lg">${msg("doAdd")}</a>
                     </#if>
                 </div>
             </div>

forms/common-themes/src/main/resources/theme/base/account/log.ftl

@@ -3,18 +3,18 @@
 
     <div class="row">
         <div class="col-md-10">
-            <h2>Account Log</h2>
+            <h2>${msg("accountLogHtmlTitle")}</h2>
         </div>
     </div>
 
     <table class="table table-striped table-bordered">
         <thead>
         <tr>
-            <td>Date</td>
-            <td>Event</td>
-            <td>IP</td>
-            <td>Client</td>
-            <td>Details</td>
+            <td>${msg("date")}</td>
+            <td>${msg("event")}</td>
+            <td>${msg("ip")}</td>
+            <td>${msg("client")}</td>
+            <td>${msg("details")}</td>
         </tr>
         </thead>
 

forms/common-themes/src/main/resources/theme/base/account/messages/messages_de.properties

@@ -1,9 +1,24 @@
+doLogOutAllSessions=Alle Sessionen abmelden
+doSave=Speichern
+doCancel=Abbrechen
+doRemove=Entfernen
+doAdd=Hinzufügen
+doSignOut=Abmelden
+
+editAccountHtmlTtile=Benutzerkonto Bearbeiten
+federatedIdentitiesHtmlTitle=Federated Identities
+accountLogHtmlTitle=Benutzerkonto Log
+changePasswordHtmlTitle=Passwort Ändern
+sessionsHtmlTitle=Sessions
+accountManagementTitle=Keycloak Benutzerkontoverwaltung
+authenticatorTitle=Authenticator
+
 authenticatorCode=One-time code
 email=E-Mail
 firstName=Vorname
 lastName=Nachname
 password=Passwort
-passwordConfirm=Passwort bestätigung
+passwordConfirm=Passwortbestätigung
 passwordNew=Neues Passwort
 username=Benutzernamen
 street=Strasse
@@ -12,6 +27,36 @@ postal_code=PLZ
 locality=Stadt oder Ortschaft
 country=Land
 
+requiredFields=Erforderliche Felder
+allFieldsRequired=Alle Felder sind Erforderlich
+
+backToApplication=« Zurück zur Applikation
+backTo=Zurück zu {0}
+
+date=Datum
+event=Ereignis
+ip=IP
+client=Client
+clients=Clients
+details=Details
+started=Startdatum
+lastAccess=Letzter Zugriff
+expires=Ablaufdatum
+applications=
+
+account=Benutzerkonto
+federatedIdentity=Federated Identity
+authenticator=Authenticator
+sessions=Sessions
+log=Log
+
+configureAuthenticators=Authenticators konfigurieren
+mobile=Mobile
+totpStep1=Installieren Sie <a href="https://fedorahosted.org/freeotp/" target="_blank">FreeOTP</a> oder <a href="http://code.google.com/p/google-authenticator/" target="_blank">Google Authenticator</a> auf Ihrem Smartphone.
+totpStep2=Öffnen Sie die Applikation und scannen Sie den Barcode oder geben sie den Code ein.
+totpStep3=Geben Sie den One-time Code welcher die Applikation generiert hat ein und klicken Sie auf Speichern.
+
+
 missingFirstNameMessage=Bitte geben Sie einen Vornamen ein.
 missingEmailMessage=Bitte geben Sie eine E-Mail Adresse ein.
 missingLastNameMessage=Bitte geben Sie einen Nachnamen ein.
@@ -20,7 +65,7 @@ notMatchPasswordMessage=Passw
 
 missingTotpMessage=Bitte geben Sie den One-time Code ein.
 invalidPasswordExistingMessage=Das aktuelle Passwort is ungültig.
-invalidPasswordConfirmMessage=Die Passwort bestätigung ist nicht identisch.
+invalidPasswordConfirmMessage=Die Passwortbestätigung ist nicht identisch.
 invalidTotpMessage=Ungültiger One-time Code.
 invalidEmailMessage=Ungültige E-Mail Adresse.
 
@@ -37,15 +82,13 @@ missingIdentityProviderMessage=Identity Provider nicht angegeben.
 invalidFederatedIdentityActionMessage=Ungültige oder fehlende Aktion.
 identityProviderNotFoundMessage=Angegebener Identity Provider nicht gefunden.
 federatedIdentityLinkNotActiveMessage=Diese Identität ist nicht mehr aktiv.
-federatedIdentityRemovingLastProviderMessage=Sie können den letzen Eintrag nicht enfernen, da Sie kein Passwort haben.
-identityProviderRedirectErrorMessage=Fehler bei der Weiterleitung zum Identity Proivder.
+federatedIdentityRemovingLastProviderMessage=Sie können den letzen Eintrag nicht entfernen, da Sie kein Passwort haben.
+identityProviderRedirectErrorMessage=Fehler bei der Weiterleitung zum Identity Provider.
 identityProviderRemovedMessage=Identity Provider erfolgreich entfernt.
 
 accountDisabledMessage=Benutzerkonto ist gesperrt, bitte kontaktieren Sie den Admin.
 
-doLogOutAllSessions=Alle Sessionen abmelden
-
-accountTemporarilyDisabledMessage=Benutzerkonto ist temporär gespert, bitte kontaktieren Sie den Admin oder versuchen Sie es später nocheinmal.
+accountTemporarilyDisabledMessage=Benutzerkonto ist temporär gesperrt, bitte kontaktieren Sie den Admin oder versuchen Sie es später noch einmal.
 invalidPasswordMinLengthMessage=Ungültiges Passwort: minimum länge {0}.
 invalidPasswordMinDigitsMessage=Ungültiges Passwort: muss mindestens {0} Zahl(en) beinhalten.
 invalidPasswordMinLowerCaseCharsMessage=Ungültiges Passwort: muss mindestens {0} Kleinbuchstaben beinhalten.

forms/common-themes/src/main/resources/theme/base/account/messages/messages_en.properties

@@ -0,0 +1,99 @@
+doSave=Save
+doCancel=Cancel
+doLogOutAllSessions=Log out all sessions
+doRemove=Remove
+doAdd=Add
+doSignOut=Sign Out
+
+editAccountHtmlTtile=Edit Account
+federatedIdentitiesHtmlTitle=Federated Identities
+accountLogHtmlTitle=Account Log
+changePasswordHtmlTitle=Change Password
+sessionsHtmlTitle=Sessions
+accountManagementTitle=Keycloak Account Management
+authenticatorTitle=Authenticator
+
+authenticatorCode=One-time code
+email=Email
+firstName=First name
+lastName=Last name
+password=Password
+passwordConfirm=Confirmation
+passwordNew=New Password
+username=Username
+street=Street
+locality=City or Locality
+region=State, Province, or Region
+postal_code=Zip or Postal code
+country=Country
+
+requiredFields=Required fields
+allFieldsRequired=All fields required
+
+backToApplication=« Back to application
+backTo=Back to {0}
+
+date=Date
+event=Event
+ip=IP
+client=Client
+clients=Clients
+details=Details
+started=Started
+lastAccess=Last Access
+expires=Expires
+applications=Applications
+
+account=Account
+federatedIdentity=Federated Identity
+authenticator=Authenticator
+sessions=Sessions
+log=Log
+
+configureAuthenticators=Configured Authenticators
+mobile=Mobile
+totpStep1=Install <a href="https://fedorahosted.org/freeotp/" target="_blank">FreeOTP</a> or <a href="http://code.google.com/p/google-authenticator/" target="_blank">Google Authenticator</a> on your mobile.
+totpStep2=Open the application and scan the barcode or enter the key.
+totpStep3=Enter the one-time code provided by the application and click Save to finish the setup.
+
+missingFirstNameMessage=Please specify first name.
+invalidEmailMessage=Invalid email address.
+missingLastNameMessage=Please specify last name.
+missingEmailMessage=Please specify email.
+missingPasswordMessage=Please specify password.
+notMatchPasswordMessage=Passwords don''t match.
+
+missingTotpMessage=Please specify authenticator code.
+invalidPasswordExistingMessage=Invalid existing password.
+invalidPasswordConfirmMessage=Password confirmation doesn''t match.
+invalidTotpMessage=Invalid authenticator code.
+
+readOnlyUserMessage=You can''t update your account as it is read only.
+readOnlyPasswordMessage=You can''t update your password as your account is read only.
+
+successTotpMessage=Mobile authenticator configured.
+successTotpRemovedMessage=Mobile authenticator removed.
+
+accountUpdatedMessage=Your account has been updated.
+accountPasswordUpdatedMessage=Your password has been updated.
+
+missingIdentityProviderMessage=Identity provider not specified.
+invalidFederatedIdentityActionMessage=Invalid or missing action.
+identityProviderNotFoundMessage=Specified identity provider not found.
+federatedIdentityLinkNotActiveMessage=This identity is not active anymore.
+federatedIdentityRemovingLastProviderMessage=You can''t remove last federated identity as you don''t have password.
+identityProviderRedirectErrorMessage=Failed to redirect to identity provider.
+identityProviderRemovedMessage=Identity provider removed successfully.
+
+accountDisabledMessage=Account is disabled, contact admin.
+
+accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.
+invalidPasswordMinLengthMessage=Invalid password: minimum length {0}.
+invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters.
+invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits.
+invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters.
+invalidPasswordMinSpecialCharsMessage=Invalid password: must contain at least {0} special characters.
+invalidPasswordNotUsernameMessage=Invalid password\: must not be equal to the username.
+
+locale_de=German
+locale_en=English

forms/common-themes/src/main/resources/theme/base/account/password.ftl

@@ -3,10 +3,10 @@
 
     <div class="row">
         <div class="col-md-10">
-            <h2>Change Password</h2>
+            <h2>${msg("changePasswordHtmlTitle")}</h2>
         </div>
         <div class="col-md-2 subtitle">
-            <span class="subtitle">All fields required</span>
+            <span class="subtitle">${msg("allFieldsRequired")}</span>
         </div>
     </div>
 
@@ -48,8 +48,8 @@
         <div class="form-group">
             <div id="kc-form-buttons" class="col-md-offset-2 col-md-10 submit">
                 <div class="">
-                    <button type="submit" class="btn btn-primary btn-lg" name="submitAction" value="Save">Save</button>
-                    <button type="submit" class="btn btn-default btn-lg" name="submitAction" value="Cancel">Cancel</button>
+                    <button type="submit" class="btn btn-primary btn-lg" name="submitAction" value="Save">${msg("doSave")}</button>
+                    <button type="submit" class="btn btn-default btn-lg" name="submitAction" value="Cancel">${msg("doCancel")}</button>
                 </div>
             </div>
         </div>

forms/common-themes/src/main/resources/theme/base/account/sessions.ftl

@@ -3,19 +3,19 @@
 
     <div class="row">
         <div class="col-md-10">
-            <h2>Sessions</h2>
+            <h2>${msg("sessionsHtmlTitle")}</h2>
         </div>
     </div>
 
     <table class="table table-striped table-bordered">
         <thead>
         <tr>
-            <td>IP</td>
-            <td>Started</td>
-            <td>Last Access</td>
-            <td>Expires</td>
-            <td>Applications</td>
-            <td>Clients</td>
+            <td>${msg("ip")}</td>
+            <td>${msg("started")}</td>
+            <td>${msg("lastAccess")}</td>
+            <td>${msg("expires")}</td>
+            <td>${msg("applications")}</td>
+            <td>${msg("clients")}</td>
         </tr>
         </thead>
 

forms/common-themes/src/main/resources/theme/base/account/template.ftl

@@ -3,7 +3,7 @@
 <html>
 <head>
     <meta charset="utf-8">
-    <title>Keycloak Account Management</title>
+    <title>${msg("accountManagementTitle")}</title>
     <link rel="icon" href="${url.resourcesPath}/img/favicon.ico">
     <#if properties.styles?has_content>
         <#list properties.styles?split(' ') as style>
@@ -40,8 +40,8 @@
                                 </div>
                             <li>
                         </#if>
-                        <#if referrer?has_content && referrer.url?has_content><li><a href="${referrer.url}" id="referrer">Back to ${referrer.name}</a></li></#if>
-                        <li><a href="${url.logoutUrl}">Sign Out</a></li>
+                        <#if referrer?has_content && referrer.url?has_content><li><a href="${referrer.url}" id="referrer">${msg("backTo",referrer.name)}</a></li></#if>
+                        <li><a href="${url.logoutUrl}">${msg("doSignOut")}</a></li>
                     </ul>
                 </div>
             </div>
@@ -51,12 +51,12 @@
     <div class="container">
         <div class="bs-sidebar col-sm-3  ng-scope">
             <ul>
-                <li class="<#if active=='account'>active</#if>"><a href="${url.accountUrl}">Account</a></li>
-                <#if features.passwordUpdateSupported><li class="<#if active=='password'>active</#if>"><a href="${url.passwordUrl}">Password</a></li></#if>
-                <li class="<#if active=='totp'>active</#if>"><a href="${url.totpUrl}">Authenticator</a></li>
-                <#if features.identityFederation><li class="<#if active=='social'>active</#if>"><a href="${url.socialUrl}">Federated Identity</a></li></#if>
-                <li class="<#if active=='sessions'>active</#if>"><a href="${url.sessionsUrl}">Sessions</a></li>
-                <#if features.log><li class="<#if active=='log'>active</#if>"><a href="${url.logUrl}">Log</a></li></#if>
+                <li class="<#if active=='account'>active</#if>"><a href="${url.accountUrl}">${msg("account")}</a></li>
+                <#if features.passwordUpdateSupported><li class="<#if active=='password'>active</#if>"><a href="${url.passwordUrl}">${msg("password")}</a></li></#if>
+                <li class="<#if active=='totp'>active</#if>"><a href="${url.totpUrl}">${msg("authenticator")}</a></li>
+                <#if features.identityFederation><li class="<#if active=='social'>active</#if>"><a href="${url.socialUrl}">${msg("federatedIdentity")}</a></li></#if>
+                <li class="<#if active=='sessions'>active</#if>"><a href="${url.sessionsUrl}">${msg("sessions")}</a></li>
+                <#if features.log><li class="<#if active=='log'>active</#if>"><a href="${url.logUrl}">${msg("log")}</a></li></#if>
             </ul>
         </div>
 

forms/common-themes/src/main/resources/theme/base/account/totp.ftl

@@ -2,17 +2,17 @@
 <@layout.mainLayout active='totp' bodyClass='totp'; section>
 
     <#if totp.enabled>
-        <h2>Authenticators</h2>
+        <h2>${msg("authenticatorTitle")}</h2>
 
         <table class="table table-bordered table-striped">
             <thead
                 <tr>
-                   <th colspan="2">Configured Authenticators</th>
+                   <th colspan="2">${msg("configureAuthenticators")}/th>
                 </tr>
             </thead>
             <tbody>
             <tr>
-                <td class="provider">Mobile</td>
+                <td class="provider">${msg("mobile")}</td>
                 <td class="action">
                     <a id="remove-mobile" href="${url.totpRemoveUrl}"><i class="pficon pficon-delete"></i></a>
                 </td>
@@ -20,23 +20,21 @@
             </tbody>
         </table>
     <#else>
-        <h2>Authenticator</h2>
+        <h2>${msg("authenticatorTitle")}</h2>
 
         <hr/>
 
         <ol>
             <li>
-                Install <a href="https://fedorahosted.org/freeotp/" target="_blank">FreeOTP</a> or
-                <a href="http://code.google.com/p/google-authenticator/" target="_blank">Google Authenticator</a>
-                on your mobile
+                <p>${msg("totpStep1")}</p>
             </li>
             <li>
-                Open the application and scan the barcode or enter the key<br/>
+                <p>${msg("totpStep2")}</p>
                 <img src="${totp.totpSecretQrCodeUrl}" alt="Figure: Barcode"><br/>
                 <span class="code">${totp.totpSecretEncoded}</span>
             </li>
             <li>
-                Enter the one-time code provided by the application and click Submit to finish the setup.
+                <p>${msg("totpStep3")}</p>
             </li>
         </ol>
 
@@ -58,8 +56,8 @@
             <div class="form-group">
                 <div id="kc-form-buttons" class="col-md-offset-2 col-md-10 submit">
                     <div class="">
-                        <button type="submit" class="btn btn-primary btn-lg" name="submitAction" value="Save">Save</button>
-                        <button type="submit" class="btn btn-default btn-lg" name="submitAction" value="Cancel">Cancel</button>
+                        <button type="submit" class="btn btn-primary btn-lg" name="submitAction" value="Save">${msg("doSave")}</button>
+                        <button type="submit" class="btn btn-default btn-lg" name="submitAction" value="Cancel">${msg("doCancel")}</button>
                     </div>
                 </div>
             </div>