Achim Rolle
83065b85a2
Fix credential_type in update/remove credential email template
...
Closes #34687
Signed-off-by: Achim Rolle <achim.rolle@aoe.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-11-07 10:13:53 +00:00
vramik
b1ff9511d1
Fine grained admin permissions feature V2
...
Closes #34563
Signed-off-by: vramik <vramik@redhat.com>
2024-11-07 10:55:42 +01:00
Ricardo Martin
226daa41c7
Add service account mappers via client scope instead of dedicated scope ( #34664 )
...
Closes #10417
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Ricardo Martin <rmartinc@redhat.com>
2024-11-07 08:45:11 +01:00
Thomas Darimont
fec661cf10
Allow OIDCIdentityProvider implementations to override isTokenTypeSupported
...
Fixes #34695
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-11-06 16:28:44 +01:00
Ricardo Martin
ce454bda47
Remove online session when offline access is requested as the first request ( #34346 )
...
Closes #34001
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
---------
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-11-06 08:33:12 +01:00
Jonas Suter
35b425736a
Strip Double Quotes from Request Content in Organization API
...
Closes #34401
Signed-off-by: Jonas Suter <jonas_suter@gmx.ch>
2024-11-05 11:24:08 -03:00
Giuseppe Graziano
612e2caae1
Refresh the login page when root auth session changes
...
Closes #32658
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-11-04 18:31:42 +01:00
Thomas Darimont
3315ea718a
Add ability to enable OID4VCI Verifiable Credentials per realm ( #34524 )
...
- Added new realm property verifiableCredentialsEnabled
- Updated RealmRepresentation
- Guarded route to Oid4VCI page
- Add boolean switch to Realm settings page to control Verifiable Credentials enablement
- We now only show the Verifiable Credentials page in the nave if the "Verifiable Credentials" realm setting is enabled.
Fixes #34524
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-11-04 14:58:30 +01:00
Douglas Palmer
f229790ba5
Allow custom message for brute force temporary lockout
...
Closes #17014
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-11-04 14:49:32 +01:00
kqq
822d3fde32
Microsoft login - add prompt param configure
...
Closes #34583
Signed-off-by: kqq <971340511@qq.com>
Co-authored-by: kqq <971340511@qq.com>
2024-11-04 13:17:05 +01:00
Bernd Bohmann
7681687e0a
Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak micrometer event listener
...
inspired by
https://github.com/aerogear/keycloak-metrics-spi
https://github.com/please-openit/keycloak-native-metrics
Closes #33043
Signed-off-by: Bernd Bohmann <bommel@apache.org>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-11-04 08:56:24 +01:00
Stefan Guilhen
2e51775acc
Remove Provider annotation along with default constructors from org resources
...
Closes #34335
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-11-01 15:37:52 -03:00
vramik
d853dcab7d
Use specific error message from required actions for SamlProtocol if available
...
Closes #34514
Signed-off-by: vramik <vramik@redhat.com>
2024-10-31 15:45:19 -03:00
Thomas Darimont
36b01cbea0
Revise PAR request object parameter handlig ( #34352 )
...
We now store the original parameter value as-is, in case only a single parameter value is provided. In case multiple parameter values are provided
for the same parameter, we only retain the first parameter.
This ensures that the original value is retained. Previously the value list from the
`decodedFormParameters` `MultivaluedMap` was converted to a String while replacing '[' and ']'
with an empty string, which corrupted the original parameter values stored.
Fixes #34352
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-31 16:26:31 +01:00
rmartinc
78aa08941a
Fix NPE in ConditionalOtpFormAuthenticator if no configuration
...
Closes #34298
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-31 07:48:07 -03:00
Erik Jan de Wit
19ef0a608b
Add switch to toggle dark mode ( #33822 )
...
Closes #33821
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-10-31 10:19:03 +00:00
Pedro Igor
f9f9a313b3
make sure error dialog is shown at the account console when declining terms
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-30 12:26:03 -03:00
vramik
7368104e43
Keep error
and error_description
query params in login url.
...
Signed-off-by: vramik <vramik@redhat.com>
2024-10-30 12:26:03 -03:00
vramik
3d91df42d8
Declining terms and conditions in account-console results in error
...
Closes #28328
Signed-off-by: vramik <vramik@redhat.com>
2024-10-30 12:26:03 -03:00
Erik Jan de Wit
eb5afeeabb
added description to denied consent and show on ErrorPage
...
fixes : #28328
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-10-30 12:26:03 -03:00
BrunoSampaioDTx
de973de800
Use the response_permissions_limit value, if provided, to set the maximum number of results when retrieving resources by URI
...
Signed-off-by: BrunoSampaioDTx <bruno.sampaio@dtx-colab.pt>
2024-10-29 16:40:44 -03:00
rmartinc
b52256facc
Set client in context for dynamic scopes calculation
...
Closes #33684
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-28 17:32:06 -03:00
Erik Jan de Wit
4d25128018
add brute force enabled so we can render switch ( #34282 )
...
fixes : #34065
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-10-25 09:25:03 -04:00
Andy
f994cc54d5
Remove robots.txt entirely
...
* remove robots.txt entirely, as blocking page-
crawling prevents the `X-Robots-Tag` headers
(and similar meta tags) from working as intended.
Closes #17433
Signed-off-by: Andy <andy@slice.is>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-10-25 12:09:50 +00:00
rmartinc
e41553bcfb
Create a new logout session when initiating it for another client
...
Closes #34207
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-25 10:02:23 +02:00
Steven Hawkins
964f6b9aac
fix: refines the provider caching logic ( #34220 )
...
closes : #34219
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-23 15:00:00 -04:00
rmartinc
f548517f5b
Catch model exception when creating the admin user
...
Closes #32356
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-23 13:32:58 +02:00
Steven Hawkins
bd499755a2
fix: providing a separate session for each file ( #34210 )
...
closes : #34095
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-23 13:11:42 +02:00
Laurids Møller Jepsen
21da25e146
Support RAR (Rich Authorization Request) for ClientCredentialsGrantType via protocol mapper until RAR is fully implemented.
...
Set authorization_details in a client note in ClientCredentialsGrantType so it can be accessed from a protocol mapper.
Closes #32488
Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
2024-10-23 09:26:49 +02:00
Ryan Emerson
902abfdae4
JDBC_PING as default discovery protocol
...
Closes #29399
- Add ProviderFactory#dependsOn to allow dependencies between
ProviderFactories to be explicitly defined
- Disable Infinispan default shutdownhook disabled to ensure lifecycle
is managed exclusively by Keycloak
- Remove Infinispan shutdown hook in KeycloakRecorder and manage
EmbeddedCacheManager lifecycle only in DefaultInfinispanConnectionProviderFactory#close
Signed-off-by: Ryan Emerson <remerson@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-10-22 20:19:19 +00:00
Martin Kanis
77f83d7f65
Grant type urn:ietf:params:oauth:grant-type:uma-ticket token service endpoint returns NullPointerException
...
Closes #34176
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-22 15:28:26 -03:00
Steven Hawkins
af1a5ea2a8
fix: refining https file type detection ( #33703 )
...
also making common trustore logic align
closes : #33649
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-22 13:05:56 -04:00
Steven Hawkins
307041c021
fix: encapsulating where static import/export state is set/used ( #33690 )
...
closes : #33596
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-22 16:03:39 +02:00
Gilvan Filho
c4005d29f0
add linear strategy to brute force
...
closes #25917
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
2024-10-22 10:33:22 -03:00
rmartinc
6d52520730
Load client keys using SubjectPublicKeyInfo and upload jwks type into the jwks attributes for OIDC ones
...
Closes #33820
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 14:24:15 +02:00
Ricardo Martin
a84a2c2ac2
Change order of absolute path and normalize in the theme folder ( #34153 )
...
Closes #34028
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 09:53:30 +02:00
Stefan Guilhen
b03ce0047c
Add explicit getter method for organizations in RealmAdminResource
...
- makes OrganizationsResource reachable to OpenAPI generator
Closes #30832
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-21 15:55:06 -03:00
rmartinc
2004467749
Check alias is unique for authenticator config when it is created
...
Closes #31727
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-21 15:25:32 +02:00
Simon Levermann
dcf1d83199
Enable enforcement of a minimum ACR at the client level ( #16884 ) ( #33205 )
...
closes #16884
Signed-off-by: Simon Levermann <github@simon.slevermann.de>
2024-10-21 13:54:02 +02:00
Pedro Igor
3a9bab35b6
Fixing action token lifespan information in the invitation email
...
Closes #34049
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:10:14 +02:00
Pedro Igor
d1dba15964
Do not show domain match message in the identity-first login when no login hint is provided
...
Closes #34069
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:05:27 +02:00
Pedro Igor
ee38d551ce
Respect the locale set to a user when redering verify email pages
...
Closes #34063
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:04:38 +02:00
Stefan Guilhen
7d8ff710c2
Invalidate user session when associated IdP is missing (previously removed)
...
Closes #31724
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-17 16:30:51 -03:00
Krzysztof Szafrański
731274f39e
Fix errors when code, clientId, or tabId are null
...
Calling parseSessionCode inside the try-catch would result in
ErrorPageException thrown by redirectToErrorPage being caught and
re-reported, resulting in one log entry with `invalidRequestMessage`
and another one with `unexpectedErrorHandlingRequestMessage`.
Additionally, one of ErrorPageException constructors didn't pass the
status to super(), resulting in the logger error message being
"HTTP 500 Internal Server Error" even though the status was actually
something else, like 400. I noticed that ErrorPageException can be
simplified by just passing the response to super(), which is one way of
fixing the problem.
Closes #33232
Signed-off-by: Krzysztof Szafrański <k.p.szafranski@gmail.com>
2024-10-17 14:37:40 -03:00
Pascal Knüppel
41ee68611f
Allow to create EC certificates if new EC-key-provider is created ( #31843 )
...
Closes #31842
Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-10-17 16:05:59 +02:00
Thomas Darimont
f99c5f6df3
Ensure referrer and referrer_uri params are carried over to account-console
...
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
40bdc902f0
Use account-console client for server-side auth check
...
Also generate PKCE verifier and use challenge parameters
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
729417b20a
Use account-console client for server-side auth check
...
- Also generate PKCE verifier and use challenge parameters
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
c400eff9b0
Account console backend should redirect to login on missing auth ( #31469 )
...
Adapted the login redirect logic from the old account console.
Fixes #31469
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
rmartinc
13655007a6
Remove online session for offline access in direct access grants and client credentials
...
Closes #32650
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-17 10:49:05 +02:00