Commit graph

6902 commits

Author SHA1 Message Date
Steven Hawkins
4970a9b729
fix: deprecate KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD
closes: #30658

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-07-11 18:07:57 +02:00
rmartinc
096e335a92 Support for vault and AES and HMAC algorithms to JavaKeystoreKeyProvider
Closes #30880
Closes #29755

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-11 12:40:45 +02:00
Pedro Igor
da6c9ab7c1 Bruteforce protector does not work when using organizations
Closes #31204

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-11 00:26:47 +02:00
Jon Koops
a0c99a7ae0
Show full error details in admin and account consoles
Closes #30705

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-07-10 16:20:26 +02:00
Martin Kanis
922eaa9fc8
Disable username prohibited chars validator when email as username is… (#31140)
* Disable username prohibited chars validator when email as the username is set

Closes #25339

Signed-off-by: Martin Kanis <mkanis@redhat.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-10 09:46:24 -03:00
Pedro Igor
d475833361 Do not expose kc.org attribute in user representations
Closes #31143

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-10 13:43:23 +02:00
Alexander Schwartz
d70f78072e
Make persistent sessions co-exist with remote cache feature (#30859)
Closes #30855

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-07-09 09:03:36 +02:00
rmartinc
f78a46485d TE should create a transient session when there is no initial session in client-to-client exchange
Closes #30614

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-08 15:44:38 -03:00
Pedro Igor
ead1b4a851
Testing ldap connection should not process or bind the credentials (#31081)
Closes #30821

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-08 13:58:02 +02:00
Pedro Igor
cbf7f208fb
Avoid iterating and updating all group policies when removing groups (#31057)
Closes #31056

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-08 13:57:20 +02:00
wojnarfilip
3c429b7506 Update social login tests login flows
Signed-off-by: wojnarfilip <fwojnar@redhat.com>
2024-07-08 08:48:31 +02:00
Pedro Igor
f010f7df9b Reverting removal of test assertions and keeping existing logic where only brokers the user is linked to are shown after identity-first login page
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-03 11:55:04 -03:00
Martin Kanis
e1b735fc41 Identity-first login flow should be followed by asking for the user credentials
Closes #30339

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-07-03 11:55:04 -03:00
Giuseppe Graziano
02d64d959c Using _system client when account client is disabled for email actions
Closes #17857

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-07-03 08:43:36 +02:00
cgeorgilakis-grnet
20cedb84eb Check refresh token flow response for offline based on refresh token request parameter
Closes #30857

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-07-02 18:13:30 -03:00
Steven Hawkins
d534860e2b
fix: admin cli client should set the content when performing a merge (#30539)
closes: #29878

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-06-28 15:56:07 +02:00
Pedro Igor
cc2ccc87b0 Filtering organization groups when managing or processing groups
Closes #30589

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-28 10:27:18 -03:00
Steven Hawkins
aae1fa1417
fix: addresses cli erroneously wants a secret when env password is set (#30892)
closes: #30866

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-06-28 11:48:42 +02:00
Thomas Darimont
690c6051bb Fix scope policy evaluation for client to client token exchange (#26435)
Previously the scope from the token was not made available in the ClientModelIdentity attributes.
This caused the NPE in `org.keycloak.authorization.policy.provider.clientscope.ClientScopePolicyProvider.hasClientScope(..)`
when calling `identity.getAttributes().getValue("scope")`.

We now pass the provided decoded AccessToken down to the ClientModelIdentity creation
to allow populating the required scope attribute.

We also ensure backwards compatibility for ClientPermissionManagement API.

Fixes #26435

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-06-28 10:33:20 +02:00
mposolda
f1b8a983d2 Cleanup mod_auth_mellon from the testsuite
closes #30869

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-28 08:33:36 +02:00
Douglas Palmer
7a8c7502d2 Cleanup of adapter-spi module?
Closes #30871

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-06-27 19:41:30 +02:00
Douglas Palmer
220f32aa85 Cleanup of adapter pages
Closes #30870

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-06-27 18:57:22 +02:00
mposolda
7279f2092e Cleanup of test-apps and related adapter code
closes #30867

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-27 15:10:31 +02:00
mposolda
e5a4c94f75 Added suffix to keycloak-admin-client artifacts in keycloak repository
Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-27 11:00:30 +02:00
Romain LABAT
6615691c63
Support for service accounts when fetch roles is enabled (#30687)
Support for service accounts when fetch roles is enabled

Signed-off-by: Romain LABAT <contact@romainlabat.fr>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-25 18:00:26 -03:00
rmartinc
e9c9efc3f4 Upgrade bc-fips to 1.0.2.5
Closes #26568
Closes #27884

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-25 11:07:27 +02:00
Andre F de M
0f061a75e2 Issue: 26568 - bcfips version bump and fixes
* bump BCFIPS to 1.0.2.5
* fix bc-fips related test error
* remove unused imports

Closes: #26568

Signed-off-by: Andre F de M <trixpan@users.noreply.github.com>
2024-06-25 11:07:27 +02:00
fwojnar
015fefad02
Remove Edge from supported web drivers (#30423)
Closes #29921

Signed-off-by: wojnarfilip <fwojnar@redhat.com>
Co-authored-by: wojnarfilip <fwojnar@redhat.com>
2024-06-24 17:24:55 +02:00
fwojnar
e30e6cba8e
Remove Safari from supported web drivers (#30424)
Related to #29921

Signed-off-by: wojnarfilip <fwojnar@redhat.com>
Co-authored-by: wojnarfilip <fwojnar@redhat.com>
2024-06-24 13:27:12 +02:00
fwojnar
640db99c27
Remove Appium from supported web drivers (#30483)
Related to #29921

Signed-off-by: wojnarfilip <fwojnar@redhat.com>
Co-authored-by: wojnarfilip <fwojnar@redhat.com>
2024-06-24 13:26:33 +02:00
Takashi Norimatsu
b0aac487a3 VC issuance in Authz Code flow with considering scope parameter
closes #29725

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-06-24 10:53:19 +02:00
Jon Koops
df18629ffe
Use a default Java version from root POM (#29927)
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-21 14:19:31 +02:00
mposolda
6a9e60bba0 Flow steps back when changing locale or refreshing page on 'Try another way page'
closes #30520

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-21 11:22:15 +02:00
rmartinc
592c2250fc Add briefRepresentation query parameter to getUsersInRole endpoint
Closes #29480

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-21 11:21:02 +02:00
Takashi Norimatsu
6b135ff6e7 client-jwt authentication fails on Token Introspection Endpoint
closes #30599

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-06-21 10:47:25 +02:00
Pedro Igor
a0ad680346 Adding an alias to organization and exposing them to templates
Closes #30312
Closes #30313

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-20 14:36:14 -03:00
rmartinc
f690947cea Remove the SAML undertow adapter
Closes #30554

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-20 09:47:14 +02:00
Giuseppe Graziano
6b07b67667 Removed saml filter adapter tests
Closes #30553

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-06-20 09:42:59 +02:00
Pedro Ruivo
5fc12480fd External Infinispan as cache - Part 4 (#30072)
UserSessionProvider implementation to make use of Infinispan remote
cache.

Closes #28755

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-06-19 14:47:57 +02:00
Pedro Ruivo
9006218559 External Infinispan as cache - Part 3
Implementation of UserLoginFailureProvider using remote caches only.

Closes #28754

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-06-19 14:47:57 +02:00
Pedro Ruivo
833aad661e External Infinispan as cache - Part 2
Includes a new implementation for the providers:

* StickySessionEncoderProviderFactory
* LoadBalancerCheckProviderFactory
* SingleUseObjectProviderFactory

Closes #28648

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-06-19 14:47:57 +02:00
Pedro Ruivo
d2ae27a1e2 External Infinispan as cache - Part 1
Part 1 includes

* New experimental feature to enable the new code
* New providers using RemoteCache only
* New test profile to run the tests with the experimental feature

New providers' implementation for:
* InfinispanConnectionProvider
* AuthenticationSessionProvider
* ClusterProvider

Closes #28140

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-06-19 14:47:57 +02:00
Martin Kanis
dc109381e1 Refactor organization tests
Closes #30338

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-06-19 09:34:24 -03:00
Martin Kanis
89f83e9788 Importing organizations fails if there are no brokers and members in the representation
Closes #30305

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-06-19 08:46:04 -03:00
Pedro Igor
57139cbefc Internal read-only attributes have precedence over unmanaged attribute policy
Closes #30240

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-19 12:05:01 +02:00
Alexander Schwartz
9ce47fc117 Trying to switch the database
Closes #28311

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-06-19 10:30:36 +02:00
Giuseppe Graziano
24aa6e143d
REALM_CLIENT attribute to recognize realm clients (#30433)
Closes #29413

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-06-19 10:22:13 +02:00
Stefan Guilhen
db846a792d Set a time of 23:59:59:999 in JpaEventQuery.toDate so that events from that date are properly returned in searches
Closes #30414

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-06-18 13:14:28 -03:00
Francis Pouatcha
d4797e04a2
Enhance SupportedCredentialConfiguration to support optional claims object as defined in OpenID for Verifiable Credential Issuance specification (#30420)
closes #30419 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-06-18 17:07:49 +02:00
rmartinc
fc65c73106 Upgrade adapters test to use wildfly 28 (jakarta only) via maven plugin
Closes #30324

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-18 15:40:59 +02:00
rmartinc
38d8cf2cb3 Add UPDATE event to the client-roles condition
Closes #30284

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-18 15:30:42 +02:00
Martin Bartoš
5ad3abaa96
Enable WebAuthn tests for Firefox (#30374)
Closes #22075

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-06-18 10:36:01 +02:00
Jon Koops
08c3bb83f2
Remove Internet Explorer from supported web drivers (#29918)
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-17 15:48:58 +00:00
rmartinc
c51640546d Improvements for ldap test authentication
Closes #30434

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-15 10:01:24 +02:00
Thibault Morin
f6fa869b12
feat(SAML): add Artifact Binding on brokering scenarios when Keycloak is SP (#29619)
* feat: add Artifact Binding on brokering scenarios when Keycloak is SP

Signed-off-by: tmorin <git@morin.io>

* Adding broker test and minor improvements

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Fixing IdentityProviderTest

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Renaming methods related to idp initiated flows

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Fixing partial_import_test.spec.ts

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

---------

Signed-off-by: tmorin <git@morin.io>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-14 08:54:49 -03:00
Pedro Ruivo
18a6c79011
Infinispan Protostream Marshaller (#29474)
Closes #29394

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-06-13 18:02:46 +02:00
Lukas Hanusovsky
ca0833b2e4
[#29412] DB Allocator removal - dependency cleanup. (#30406)
Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com>
2024-06-13 13:31:52 +00:00
vramik
de2fdbe98f cache count
Signed-off-by: vramik <vramik@redhat.com>
2024-06-13 08:13:36 -03:00
vramik
d355e38424 Provide a cache layer for the organization model
Closes #30087

Signed-off-by: vramik <vramik@redhat.com>
2024-06-13 08:13:36 -03:00
Alfredo Moises Boullosa
a5cd6ed965 Add step to Google Social Login (#30335)
Signed-off-by: Alfredo Moises Boullosa <aboullos@redhat.com>
2024-06-12 17:27:02 +02:00
Stefan Guilhen
c49b5749ef Fix GroupLDAPStorageMapper so it doesn't attempt to update a group fetched in a different tx when synchronizing groups from LDAP
Closes #29784

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-06-12 10:42:21 -03:00
Martin Kanis
ae69b3b260 Introduce packages for organization tests
Closes #30337

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-06-12 10:02:06 -03:00
rmartinc
7d42ab822b Remove adapter app-server-undertow profile which is not used
Closes #30347

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-12 14:40:06 +02:00
Patrick Jennings
75925dcf6c
Client type configuration inheritance (#30056)
closes #30213 

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-06-10 18:59:08 +02:00
rmartinc
7d05a7a013 Logout from all clients after IdP logout is performed
Closes #25234

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-10 11:58:09 -03:00
Giuseppe Graziano
6067f93984
Improvements to refresh token rotation with multiple tabs (#29966)
Closes #14122

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-06-07 12:02:36 +02:00
Steven Hawkins
c7e9ee2bff
fix: adds handling for all kcadm prompts as env variables (#29430)
closes: #21961

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-06-06 13:08:23 +00:00
Bruno Oliveira da Silva
f34baf3c24
Update license headers (#29942)
Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
2024-06-06 14:06:09 +02:00
Alexander Schwartz
97ab0def2c Adding ForkJoinPool for Quarkus to the surefire initialization for embedded Quarkus
Closes #30206

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-06-06 12:52:11 +02:00
Pedro Igor
94c194f1f4 Prevent users from unlinking from their home identity provider when they are a managed member
Closes #30092

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2024-06-05 13:57:01 +02:00
mposolda
0bf613782f Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error
closes #30102

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-05 13:55:02 +02:00
rmartinc
eedfd0ef51 Missing auth checks in some admin endpoints (#166)
Closes keycloak/keycloak-private#156

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-05 12:04:47 +02:00
Giuseppe Graziano
d5e82356f9 Encrypted KC_RESTART cookie and removed sensitive notes
Closes keycloak/keycloak-private#162

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-06-05 10:33:44 +02:00
Pedro Igor
f8d55ca7cd Export import realm with organizations
Closes #30006

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-05 09:50:03 +02:00
Martin Kanis
33331788a4 Introduce count method to avoid fetching all organizations upon checking for existence
Closes #29697

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-06-04 10:45:28 -03:00
Martin Kanis
173f09fa6b Malformed dependency version causing the build failure
Closes #30134

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-06-04 13:44:14 +02:00
Thomas Darimont
35a4a17aa5
Add support for application/jwt media-type in token introspection (#29842)
Fixes #29841

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-06-03 19:06:21 +02:00
rmartinc
536534dd25 Remove the transformed output directory before executing JakartaTransformer
Closes #30086

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-03 19:03:46 +02:00
Alexander Schwartz
792a3457ff
Use Maven wrapper instead of platform dependent Maven version (#29988)
Closes #29987

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-06-03 15:45:39 +02:00
Martin Bartoš
262fc09edc
OpenJDK 21 support (#28518)
* OpenJDK 21 support

Closes #28517

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* x509 SAN UPN other name is not handled in JDK 21 (#904)

closes #29968

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-06-03 14:17:28 +02:00
mposolda
9074696382 Editing built-in client policy profiles is silently reverted
closes #27184

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-03 14:00:37 +02:00
Pedro Igor
4c39fcc79d Allow configuring whether users are automatically redirected when the email domain matches an organization
Closes #30050

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-03 13:34:21 +02:00
raff897
6d6131cade Backchannel logout url with curly brackets
closes #30023

Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
2024-06-03 09:51:39 +02:00
Ricardo Martin
0cd0d03c08
Remove all adapter-core code moved to util (#30012)
* Remove all tests that are only executed for undertow app server
* Remove installation steps for OIDC adapter in wildfly/eap app server
* Remove the util adapters package except HttpClientBuilder
* Remove HttpClientBuilder and use plain apache http client
Closes #29912

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-03 09:28:02 +02:00
Alexander Schwartz
f6f3b385c5 Improve the cleanup after a failed test to ensure retries work
Closes #30018

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-06-03 08:59:03 +02:00
Pedro Ruivo
ad32f8bdbc
auth-server-feature does not work for auth-server-quarkus-embedded (#30045)
Fixes #29259

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-06-03 08:47:52 +02:00
Peter Zaoral
cd2451d58b
Remove Oracle JDBC driver out of the box (#29895)
Closes: #29491

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2024-05-31 17:21:19 +00:00
rmartinc
068ce5a61f Modify xpath for account console logout in the webauthn tests
Closes #30024

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-31 15:14:35 +02:00
Stefan Wiedemann
0f6f9543ba
Add oid4vci to the account console (#29174)
closes #25945

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Erik Jan de Wit <edewit@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-05-31 15:11:32 +02:00
Patrick Jennings
5144f8d85f
Improve Client Type Integration Tests (#29944)
closes #30017

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-31 09:53:22 +02:00
Andrejs Mivreniks
1cf87407fe Allow setting authentication flow execution priority value via Admin API
Closes #20747

Signed-off-by: Andrejs Mivreniks <andrejs@fastmail.com>
2024-05-30 19:17:45 +02:00
Martin Bartoš
3f49036192
Unify approach for WebAuthn tests (#29781)
Closes #29780

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-05-30 14:21:27 +02:00
rmartinc
44ce2fb74d Modify authz tests to not depend on adapter-core code
Closes #29882

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-30 08:02:29 +02:00
Pedro Igor
320f8eb1b4 Improve invitation messages and flow
Closes #29945

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-29 17:51:06 +02:00
Erik Jan de Wit
f088b0009c
initial ui for organizations (#29643)
* initial screen

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* more screens

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added members tab

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added the backend

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added member add / invite models

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* initial version of the identity provider section

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* add link and unlink providers

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* small fix

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* PR comments

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Do not validate broker domain when the domain is an empty string

Closes #29759

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added filter and value

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added first name last name

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* refresh menu when realm organization is changed

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* changed to record

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* changed to form data

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* fixed lint error

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Changing name of invitation parameters

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Changing name of parameters on the client

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Enable organization at the realm before running tests

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Domain help message

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Handling model validation errors when creating organizations

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Message key for organizationDetails

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Do not change kc.org attribute on group

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* add realm into the context

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* tests

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Changing button in invitation model to use Send instead of Save

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Better message when validating the organization domain

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Fixing compilation error after rebase

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* fixed test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* removed wait as it is no longer required and skip flaky test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* skip tests that are flaky

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* stabilize user create test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-29 14:34:02 +02:00
Martin Bartoš
76a6733f0a Replace PhantomJS by HtmlUnit
Closes #9979

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-05-29 11:17:57 +02:00
Martin Bartoš
b1a90972b6 Upgrade Selenium and Arquillian dependencies in testsuite
Closes #29778

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-05-29 11:17:57 +02:00
Pedro Igor
bbb83236f5 Do not lower-case the username from the IdP when creating the federated identity
Closes #28495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-29 01:58:20 -03:00
Alexander Schwartz
46f0da43da Instead of the test blocking for an unknown reason, specify a timeout
Closes #29528

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-28 21:06:49 +02:00
Stefan Guilhen
694ffaf289 Allow organizations in different realms to have the same domain
Closes #29886

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-28 08:02:30 -03:00
Francis Pouatcha
4317a474d1
JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification (#29635)
closes #29634 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>


Co-authored-by: DYLANE BENGONO <85441363+bengo237@users.noreply.github.com>
2024-05-28 12:51:56 +02:00
Yutaka Obuchi
68d9dcecb5
Supporting OID4VCI AuthZCode flow: (#29685)
closes #29724

Signed-off-by: Yutaka Obuchi <yutaka.obuchi.sd@hitachi.com>


Co-authored-by: Yutaka Obuchi <yutaka.obuchi.sd@hitachi.com>
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-05-28 12:29:31 +02:00
Martin Bartoš
d396dfed6a
Upgrade old Keycloak version for DB migration tests (#29884)
Closes #29883

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-05-28 11:32:31 +02:00
Jon Koops
66ef3bf2d7
Remove Opera from supported web drivers (#29903)
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-05-28 09:01:40 +00:00
Douglas Palmer
b9c04bb8bc Refactor PolicyEnforcer tests to remove dependency on keycloak-adapter-core and remove keycloak-adapter-core
Closes #29189
Closes #28791

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-27 15:00:13 -03:00
Stefan Wiedemann
5a68056f2a
Fix oid4vc mappers
Closes #29805

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-05-27 11:28:46 +02:00
mposolda
ea1cdc10bd MigrateTo25_0_0 does not complete within default transaction timeout
closes #29756

Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-27 10:31:39 +02:00
Pedro Igor
2d4d32764c Show a message when confirming an invitation link
Closes #29794

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-27 08:33:22 +02:00
rmartinc
b258b459d7 Generate RESTART_AUTHENTICATION event on success
Closes #29385

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-23 19:08:22 +02:00
vramik
0508d279f7 Filter empty domains from OrganizationsRepresentation before running validation
Closes #29809

Signed-off-by: vramik <vramik@redhat.com>
2024-05-23 09:53:51 -03:00
Marek Posolda
2efc163b89
Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database
Closes #27941

Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-23 12:00:18 +00:00
Daniel Fesenmeyer
c08621fa63 Always order required actions by priority (regardless of context)
- AuthenticationManager#actionRequired: make sure that the highest prioritized required action is performed first, possibly before the currently requested required action
- AuthenticationManager#nextRequiredAction: make sure that the next action is requested via URL, also based on highest priority (-> requested URL will match actually performed action, unless required actions for the user are changed by a parallel operation)
- add tests to RequiredActionPriorityTest, add helper method for priority setup to ApiUtil (for easier and more robust setup than up-to-now)
- fix test WebAuthnRegisterAndLoginTest - which failed because WebAuthnRegisterFactory (prio 70) is now executed before WebAuthnPasswordlessRegisterFactory (prio 80)

Closes #16873

Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
2024-05-23 09:07:56 +02:00
Thomas Darimont
ab376d9101 Make required actions configurable (#28400)
- Add tests for crud operations on configurable required actions
- Add support exposing the required action configuration via RequiredActionContext
- Make configSaveError message reusable in other contexts
- Introduced admin-ui specific endpoint for retrieving required actions with config metadata

Fixes #28400

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-05-23 08:38:36 +02:00
vramik
278341aff9 Add organizations enabled/disabled capability
Closes #28804

Signed-off-by: vramik <vramik@redhat.com>
2024-05-22 07:58:26 -03:00
Alexander Schwartz
80de3a0a71
Allow migration of non-persistent sessions to persistent sessions
Closes #29375

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-22 10:30:46 +02:00
Francis Pouatcha
542fc65923
Issue 29627: Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 (#29628)
closes #29627 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>


Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-05-22 10:30:34 +02:00
rmartinc
f7044ba5c2 Use SessionExpirationUtils to validate user and client sessions
Check client session is valid in TokenManager
Closes #24936

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-22 10:12:20 +02:00
Case Walker
f32cd91792 Upgrade owasp-java-html-sanitizer, address all fallout
Signed-off-by: Case Walker <case.b.walker@gmail.com>
2024-05-22 09:15:25 +02:00
Raffaele Lucca
a5a55dc66e
Protocol now is mandatory during client scope creation. (#29544)
closes #29027

Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
2024-05-22 09:10:46 +02:00
Patrick Jennings
84acc953dd
Client type OIDC base read only defaults (#29706)
closes #29742
closes #29422

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-22 09:07:19 +02:00
Pedro Igor
b019cf6129 Support unmanaged attributes for service accounts and make sure they are only managed through the admin api
Closes #29362

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-21 16:56:18 -03:00
Martin Kanis
97cd5f3b8d Provide an additional endpoint to allow sending both invitation and registration links depending on the email being associated with a user or not
Closes #29482

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-21 12:29:10 -03:00
rmartinc
3304540855 Allow admin console whoami endpoint to applications that have a special attribute
Closes #29640

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-20 09:51:07 +02:00
Stefan Guilhen
1aab371912 Fix errors when importing realms with the organization feature enabled
Closes #29630

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-17 07:25:31 -03:00
Ricardo Martin
74a80997c7
Fix CRL verification failing due to client cert not being in chain (#29582)
closes #19853

Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>


Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-17 11:28:07 +02:00
Dimitri Papadopoulos Orfanos
64a145e960
Fix user-facing typos in error messages (#29326)
Update resource file and tests accordingly

Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
2024-05-16 09:55:41 +02:00
Takashi Norimatsu
b4e7d9b1aa
Passkeys: Supporting WebAuthn Conditional UI (#24305)
closes #24264

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
2024-05-16 07:58:43 +02:00
rmartinc
89d7108558 Restrict access to whoami endpoint for the admin console and users with realm access
Closes #25219

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-15 19:06:57 +02:00
Stefan Guilhen
c4760b8188 Ensure that IDP's linked domains are removed when org is deleted or when the domain is removed from the org.
Closes #29481

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-14 15:39:18 -03:00
Martin Kanis
3985157f9f Make sure operations on an organization are based on the realm they belong to
Closes #28841

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-14 10:47:39 -03:00
Pedro Igor
b4d231fd40 Fixing realm removal when removing groups and brokers associated with an organization
Closes #29495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 14:29:27 +02:00
Pedro Igor
b5a854b68e
Minor improvements to invitation email templates (#29498)
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 13:19:02 +02:00
Pedro Igor
1b583a1bab Email validation for managed members should only fail if it does not match the domain set to a broker
Closes #29460

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 10:46:22 +02:00
mposolda
d8a7773947 Adding dummyHash to DirectGrant request in case user does not exist. Fix dummyHash for normal login requests
closes #12298

Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-13 16:33:29 +02:00
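The commit above applies a "dummy hash" to the Direct Grant flow so that a request for a non-existent user costs the same password-hashing work as a request for a real one; otherwise response time tells an attacker which usernames exist. The following is an added illustration of that pattern in Python, not Keycloak's code: the in-memory user store, the sample user, the PBKDF2 parameters and the hash-call counter are all constructed for the example.

```python
"""Added example (not Keycloak's code): constant-work password verification.

When the username is unknown, the hardened verifier still runs one PBKDF2
computation against a precomputed dummy credential, so a caller cannot tell
a missing account from a wrong password by timing the response.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # assumed PBKDF2 cost for the example; tune in practice
SALT_LEN = 16

hash_calls = 0        # counts expensive hash operations (instrumentation only)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the counter lets the demo prove how much work ran."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store() -> dict:
    """Constructed user store: username -> (salt, stored hash)."""
    salt = os.urandom(SALT_LEN)
    return {"alice": (salt, hash_password("correct horse", salt))}


# Dummy credential computed once at startup. Verifying a guess against it costs
# exactly as much as verifying it against a real user's stored hash.
DUMMY_SALT = os.urandom(SALT_LEN)
DUMMY_HASH = hash_password("dummy-password", DUMMY_SALT)


def verify_naive(store: dict, username: str, password: str) -> bool:
    """Leaks account existence: an unknown user returns without hashing."""
    if username not in store:
        return False
    salt, expected = store[username]
    return hmac.compare_digest(hash_password(password, salt), expected)


def verify_constant_work(store: dict, username: str, password: str) -> bool:
    """Always performs exactly one hash, whether or not the user exists."""
    entry = store.get(username)
    if entry is None:
        # Unknown user: spend the same work against the dummy credential,
        # then reject. The result of the hash is deliberately unused.
        hash_password(password, DUMMY_SALT)
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def hashes_spent(fn, store: dict, username: str, password: str):
    """Return (verification result, number of hash operations it performed)."""
    global hash_calls
    before = hash_calls
    result = fn(store, username, password)
    return result, hash_calls - before


if __name__ == "__main__":
    users = make_store()
    for fn in (verify_naive, verify_constant_work):
        print(fn.__name__, "unknown user:", hashes_spent(fn, users, "nobody", "x"))
        print(fn.__name__, "known user:  ", hashes_spent(fn, users, "alice", "correct horse"))
```

The hash-call count is what matters: the naive verifier does zero hashes for an unknown user and one for a known user, which is the measurable gap the commit closes; the hardened verifier does one in every case. A real server would additionally keep the dummy salt fixed so the cost profile does not drift between requests.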
kaustubh-rh
8a82b6b587
Added a check in ClientInitialAccessResource (#29353)
closes #29311

Signed-off-by: Kaustubh Bawankar <kbawanka@redhat.com>
2024-05-13 13:00:36 +02:00
rmartinc
2cc051346d Allow empty CSP header in headers provider
Closes #29458

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-13 10:51:31 +02:00
Alexander Schwartz
6cc8d653f3 Make SessionWrapper related fields immutable that are part of the equals method
The cache replace logic depends on it, as values returned by reference from a local cache must never be modified on those critical fields directly.

Closes #28906

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-13 09:59:50 +02:00
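The reasoning in the commit above is that a compare-and-replace against a cache only detects concurrent modification if the "expected" value a writer holds cannot silently change underneath it; when the cache hands out values by reference and a writer mutates an equals-relevant field in place, the stored value and the expected value are the same object and the check can never fail. The following is an added illustration in Python, not Keycloak's code: the `Session` classes, the single-node `LocalCache` and the interleaving of the two writers are constructed for the example.

```python
"""Added example (not Keycloak's code): why equals-relevant fields of a cached
value must be immutable when updates are applied with compare-and-replace.
"""
import dataclasses
import threading


@dataclasses.dataclass(frozen=True)
class Session:
    """Immutable value; equality covers every field, including version."""
    session_id: str
    version: int
    last_seen: int


@dataclasses.dataclass
class MutableSession:
    """Same shape, but fields can be changed in place (the pattern the commit removes)."""
    session_id: str
    version: int
    last_seen: int


class LocalCache:
    """Minimal cache that returns values by reference and replaces an entry only
    if the stored value still equals the writer's expected value."""

    def __init__(self):
        self._data = {}
        self._lock = threading.Lock()

    def put(self, key, value):
        with self._lock:
            self._data[key] = value

    def get(self, key):
        return self._data[key]          # by reference, no defensive copy

    def replace(self, key, expected, new) -> bool:
        with self._lock:
            if self._data.get(key) == expected:
                self._data[key] = new
                return True
            return False


def lost_update_with_in_place_mutation():
    """Writer B mutates the cached object directly; writer A's stale replace
    still succeeds and overwrites B's change. Returns (a_ok, final last_seen)."""
    cache = LocalCache()
    cache.put("s1", MutableSession("s1", version=1, last_seen=100))

    a_old = cache.get("s1")
    a_new = dataclasses.replace(a_old, version=2, last_seen=150)   # A's intended update

    b_old = cache.get("s1")             # the very same object A holds
    b_old.version = 2                   # B "updates" by mutating in place
    b_old.last_seen = 200

    a_ok = cache.replace("s1", a_old, a_new)   # a_old IS the stored object: equal, succeeds
    return a_ok, cache.get("s1").last_seen     # B's write (200) is gone


def conflict_detected_with_immutable_fields():
    """With frozen values, B's replace succeeds and A's stale replace is rejected.
    Returns (b_ok, a_ok, final last_seen)."""
    cache = LocalCache()
    cache.put("s1", Session("s1", version=1, last_seen=100))

    a_old = cache.get("s1")
    a_new = dataclasses.replace(a_old, version=2, last_seen=150)
    b_old = cache.get("s1")
    b_new = dataclasses.replace(b_old, version=2, last_seen=200)

    b_ok = cache.replace("s1", b_old, b_new)   # stored still equals b_old: True
    a_ok = cache.replace("s1", a_old, a_new)   # stored now has version 2: False
    return b_ok, a_ok, cache.get("s1").last_seen


def in_place_mutation_is_rejected() -> bool:
    """The frozen value refuses the mutation that caused the lost update."""
    s = Session("s1", version=1, last_seen=100)
    try:
        s.last_seen = 5                 # type: ignore[misc]
    except dataclasses.FrozenInstanceError:
        return True
    return False


if __name__ == "__main__":
    print("mutable:  ", lost_update_with_in_place_mutation())
    print("immutable:", conflict_detected_with_immutable_fields())
    print("mutation rejected:", in_place_mutation_is_rejected())
```

The failing replace in the immutable variant is the desired outcome: the loser re-reads the entry and retries on top of the other writer's change, whereas the mutable variant loses an update with no signal at all. Making the equals-relevant fields read-only turns the programming error into an exception at the point of mutation instead of a silent inconsistency in the cache.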
Giuseppe Graziano
d735668fcd Fix test failures after @DisableFeature
Closes #29253

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-13 08:20:54 +02:00
Pedro Igor
b50d481b10 Make sure organization groups can not be managed but when managing an organization
Closes #29431

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-10 21:28:11 -03:00
Stefan Guilhen
f0620353a4 Ensure master realm can't be removed
Closes #28896

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:56:18 -03:00
Stefan Guilhen
ceed7bc120 Add ability to search organizations by attribute
Closes #29411

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:45:41 -03:00
Pedro Igor
77b58275ca Improvements to the organization authentication flow
Closes #29416
Closes #29417
Closes #29418

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-09 16:07:52 -03:00
Pedro Igor
a65508ca13 Simplifying the CORS SPI and the default implementation
Closes #27646

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-08 12:27:55 -03:00
Pedro Ruivo
cbce548e71 Infinispan 15.0.3.Final
Closes #29068

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-05-08 17:18:39 +02:00
Stefan Guilhen
dde2746595 Improve tests to ensure managed users disabled upon disabling the org can't be updated
Closes #28891

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-07 18:11:52 -03:00
Pedro Igor
927ba48f7a Adding tests to cover using SAML brokers in an organization
Closes #28732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 20:44:38 +02:00
Douglas Palmer
8d628d740e Can we remove undertow OIDC adapter?
Closes #28788

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-07 19:47:46 +02:00
Thore
4b194d00be iso-date validator for the user-profile
Adds a new validator in order to be able to validate user-model fields which should be modified/supplied by a datepicker.

Closes #11757

Signed-off-by: Thore <thore@kruess.xyz>
2024-05-07 11:42:39 -03:00
Martin Kanis
d4b7e1a7d9 Prevent managing groups associated with organizations from different APIs
Closes #28734

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-07 11:16:40 -03:00
Pedro Igor
f8bc74d64f Adding SAML protocol mapper to map organization membership
Closes #28732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 15:52:35 +02:00