Commit graph

4852 commits

Author SHA1 Message Date
rmartinc
b52256facc Set client in context for dynamic scopes calculation
Closes #33684

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-28 17:32:06 -03:00
Erik Jan de Wit
4d25128018 add brute force enabled so we can render switch (#34282)
fixes: #34065

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-10-25 09:25:03 -04:00
Andy
f994cc54d5 Remove robots.txt entirely
* remove robots.txt entirely, as blocking page-
crawling prevents the `X-Robots-Tag` headers
(and similar meta tags) from working as intended.

Closes #17433

Signed-off-by: Andy <andy@slice.is>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-10-25 12:09:50 +00:00
rmartinc
e41553bcfb Create a new logout session when initiating it for another client
Closes #34207

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-25 10:02:23 +02:00
Steven Hawkins
964f6b9aac fix: refines the provider caching logic (#34220)
closes: #34219

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-23 15:00:00 -04:00
rmartinc
f548517f5b Catch model exception when creating the admin user
Closes #32356

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-23 13:32:58 +02:00
Steven Hawkins
bd499755a2 fix: providing a separate session for each file (#34210)
closes: #34095

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-23 13:11:42 +02:00
Laurids Møller Jepsen
21da25e146 Support RAR (Rich Authorization Request) for ClientCredentialsGrantType via protocol mapper until RAR is fully implemented.
Set authorization_details in a client note in ClientCredentialsGrantType so it can be accessed from a protocol mapper.

Closes #32488

Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
2024-10-23 09:26:49 +02:00
Ryan Emerson
902abfdae4 JDBC_PING as default discovery protocol
Closes #29399

- Add ProviderFactory#dependsOn to allow dependencies between
  ProviderFactories to be explicitly defined
- Disable Infinispan default shutdown hook to ensure lifecycle
  is managed exclusively by Keycloak
- Remove Infinispan shutdown hook in KeycloakRecorder and manage
  EmbeddedCacheManager lifecycle only in DefaultInfinispanConnectionProviderFactory#close

Signed-off-by: Ryan Emerson <remerson@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-10-22 20:19:19 +00:00
Martin Kanis
77f83d7f65 Grant type urn:ietf:params:oauth:grant-type:uma-ticket token service endpoint returns NullPointerException
Closes #34176

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-22 15:28:26 -03:00
Steven Hawkins
af1a5ea2a8 fix: refining https file type detection (#33703)
also making common truststore logic align

closes: #33649

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-22 13:05:56 -04:00
Steven Hawkins
307041c021 fix: encapsulating where static import/export state is set/used (#33690)
closes: #33596

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-22 16:03:39 +02:00
Gilvan Filho
c4005d29f0 add linear strategy to brute force
closes #25917

Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
2024-10-22 10:33:22 -03:00
rmartinc
6d52520730 Load client keys using SubjectPublicKeyInfo and upload jwks type into the jwks attributes for OIDC ones
Closes #33820

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 14:24:15 +02:00
Ricardo Martin
a84a2c2ac2 Change order of absolute path and normalize in the theme folder (#34153)
Closes #34028

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 09:53:30 +02:00
Stefan Guilhen
b03ce0047c Add explicit getter method for organizations in RealmAdminResource
- makes OrganizationsResource reachable to OpenAPI generator

Closes #30832

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-21 15:55:06 -03:00
rmartinc
2004467749 Check alias is unique for authenticator config when it is created
Closes #31727

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-21 15:25:32 +02:00
Simon Levermann
dcf1d83199 Enable enforcement of a minimum ACR at the client level (#16884) (#33205)
closes #16884

Signed-off-by: Simon Levermann <github@simon.slevermann.de>
2024-10-21 13:54:02 +02:00
Pedro Igor
3a9bab35b6 Fixing action token lifespan information in the invitation email
Closes #34049

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:10:14 +02:00
Pedro Igor
d1dba15964 Do not show domain match message in the identity-first login when no login hint is provided
Closes #34069

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:05:27 +02:00
Pedro Igor
ee38d551ce Respect the locale set to a user when rendering verify email pages
Closes #34063

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:04:38 +02:00
Stefan Guilhen
7d8ff710c2 Invalidate user session when associated IdP is missing (previously removed)
Closes #31724

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-17 16:30:51 -03:00
Krzysztof Szafrański
731274f39e Fix errors when code, clientId, or tabId are null
Calling parseSessionCode inside the try-catch would result in
ErrorPageException thrown by redirectToErrorPage being caught and
re-reported, resulting in one log entry with `invalidRequestMessage`
and another one with `unexpectedErrorHandlingRequestMessage`.

Additionally, one of ErrorPageException constructors didn't pass the
status to super(), resulting in the logger error message being
"HTTP 500 Internal Server Error" even though the status was actually
something else, like 400. I noticed that ErrorPageException can be
simplified by just passing the response to super(), which is one way of
fixing the problem.

Closes #33232

Signed-off-by: Krzysztof Szafrański <k.p.szafranski@gmail.com>
2024-10-17 14:37:40 -03:00
Pascal Knüppel
41ee68611f Allow to create EC certificates if new EC-key-provider is created (#31843)
Closes #31842

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-10-17 16:05:59 +02:00
Thomas Darimont
f99c5f6df3 Ensure referrer and referrer_uri params are carried over to account-console
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
40bdc902f0 Use account-console client for server-side auth check
Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
729417b20a Use account-console client for server-side auth check
- Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
c400eff9b0 Account console backend should redirect to login on missing auth (#31469)
Adapted the login redirect logic from the old account console.

Fixes #31469

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
rmartinc
13655007a6 Remove online session for offline access in direct access grants and client credentials
Closes #32650

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-17 10:49:05 +02:00
Martin Kanis
8fb5ecaa6c Auth not possible for auth session where user was enabled in the meantime
Closes #33883

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-15 14:28:36 -03:00
Oliver
936cf68050 Fix NPE on whoami with unknown Realm (#33912)
Closes #33907

Signed-off-by: Oliver Cremerius <antikalk@users.noreply.github.com>
2024-10-15 08:22:59 +02:00
mposolda
43c55e0211 Improving documentation for AuthenticationManagementResource.addExecutionFlow
closes #32610

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-14 15:46:44 +02:00
Jon Koops
008faf44cf Check if deviceRepresentation is set
Closes #33814

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-10-11 16:02:20 +02:00
rmartinc
7e5734fd48 Fix incorrect filter in docker protocol
Closes #33776

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-11 08:58:18 +02:00
Pedro Igor
9a3d81c23e Only process organization selection when the user is identified
Closes #33699

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-10 16:24:25 +02:00
rmartinc
a74e60f4d7 Check email with ignorecase when setting basic attributes in IdP
Closes #31848

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-10 09:55:58 +02:00
Jon Koops
3930356c21 Treat unencrypted local origins as an insecure context in Safari (#33700)
Closes #33557

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-10-09 23:38:03 +02:00
Thomas Darimont
1ef845b31d Only show organization section in account UI if enabled
We now only show organization section in account UI if org support is enabled for realm.

Fixes #33735

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-09 18:15:32 +02:00
Matt Eaton
9f0a348e4c Allow certificate with duplicate principals in truststore.
The previous implementation uses principal as a key for a hashmap storing one certificate per entry. To preserve lookups, the value is now a List of certificates.

Additional logic was added to build certification validation chains using signature verification rather than just principal.

Closes #33125

Signed-off-by: Matt Eaton <git@divinehawk.com>
2024-10-08 12:03:03 +02:00
mposolda
07cf71e818 Better logging when error happens during transaction commit
closes #33275

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-08 11:14:10 +02:00
Dominik Schlosser
2c9e279213 Make createWebAuthnRegistrationManager protected to allow customizations in subclasses (#33639)
closes #33678

Signed-off-by: Dominik Schlosser <dominik.schlosser@gmail.com>
2024-10-08 10:35:27 +02:00
Ricardo Martin
611e6d102e Create session for the requester client in Token Exchange (#31290)
Closes #31180

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-10-08 10:24:10 +02:00
Gilles Etchepareborde
593afbb4e0 This PR intends to always set the event type in order to prevent error when firing an error event.
Closes #30453

Signed-off-by: Gilles Etchepareborde <etchepar@yahoo.fr>
2024-10-08 10:15:53 +02:00
rmartinc
44b1290917 Return next action if the current action is not supported in AIA
Closes #33513

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-08 09:54:53 +02:00
Pedro Aguiar
14f14152de update/fix-typo-to-a-to-a
- Corrected "Map a custom user attribute to a to a SAML attribute." by removing the repeated "to a".

Closes: #33603

Signed-off-by: Pedro Aguiar <contact@codespearhead.com>
2024-10-04 19:44:43 +00:00
Steven Hawkins
cb3954fc7b fix: ensuring placeholders can be used with --import-realm (#33589)
closes: #33578

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-04 16:59:55 +00:00
mposolda
c8ca0462a4 Prevent multiple logout confirmation actions
closes #32435

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-03 15:31:55 +02:00
Maksim Zvankovich
35eba8be8c Add option to include the organization id in the organization claims
Closes #32746

Signed-off-by: Maksim Zvankovich <m.zvankovich@nexovagroup.eu>
Co-authored-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-03 08:11:36 -03:00
Jon Koops
aacdf80664 Add shim for Web Crypto API to admin and account console (#33480)
Closes #33330

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-10-03 10:51:23 +00:00
Erik Jan de Wit
e8d8de8936 Use feature versions for admin3, account3, and login2 (#33458)
Closes #33405

Signed-off-by: stianst <stianst@gmail.com>
2024-10-03 12:09:36 +02:00