Patrick Jennings
5e0d323304
Log exception when failure to augment client and re-throw instead of returning the raw client.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
551a3db987
Updating validation logic to match our expectations on what applicable should mean.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
03db2e8b56
Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
9814733dd3
DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
c0f5dab209
If client cannot be augmented due to error, we shall return the un-augmented client entity.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
42202ae45e
Translate client type exception during client create into bad request response.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Giuseppe Graziano
4672366eb9
Simplified checks in IntrospectionEndpoint ( #28642 )
...
Closes #24466
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2024-04-12 21:19:04 +02:00
Marek Posolda
e6747bfd23
Adjust priority of SubMapper ( #28663 )
...
closes #28661
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-12 14:13:03 +02:00
Pedro Igor
61b1eec504
Prevent members with an email other than the domain set to an organization
...
Closes #28644
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
rmartinc
6d74e6b289
Escape slashes in full group path representation but disabled by default
...
Closes #23900
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Douglas Palmer
69ba92808d
DefaultBruteForceProtector leverages a single thread to write success/failed events
...
Closes #14084
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-12 09:53:40 +02:00
Pedro Igor
8f8094408e
Encapsulate the logic to set attributes into the domain model
...
Closes #28646
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-11 15:32:21 -03:00
Marek Posolda
74faddec8e
Release notes for lightweight access tokens and group together relate… ( #28622 )
...
closes #28460
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-11 20:02:33 +02:00
Giuseppe Graziano
33b747286e
Changed userId value for refresh token events
...
Closes #28567
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab
Add ability to set one or more internet domain to an organization.
...
Closed #28274
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
devjos
cccddc0810
Fix brute force detection for LDAP read-only users
...
Closes #28579
Signed-off-by: devjos <github_11837948@feido.de>
2024-04-10 16:36:11 +02:00
vramik
00ce3e34bd
Manage a single identity provider for an organization
...
Closes #28272
Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:47:51 -03:00
Martin Kanis
51fa054ba7
Manage organization attributes
...
Closes #28253
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a
Initial security profile SPI to integrate default client policies
...
Closes #27189
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8
Add sub via protocol mapper to access token
...
Closes #21185
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-10 10:40:42 +02:00
mposolda
aa619f0170
Redirect error to client right-away when browser tab detects that another browser tab authenticated
...
closes #27880
Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-09 17:59:34 +02:00
Václav Muzikář
e4987f10f5
Hostname SPI v2 ( #26345 )
...
* Hostname SPI v2
Closes : #26084
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Address review comment
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Partially revert the previous fix
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Do not polish values
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Remove filtering of denied categories
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2024-04-09 11:25:19 +02:00
vibrown
3fffc5182e
Added ClientType implementation from Marek's prototype
...
Signed-off-by: vibrown <vibrown@redhat.com>
More updates
Signed-off-by: vibrown <vibrown@redhat.com>
Added client type logic from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f
Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
...
Closes #28248
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
rmartinc
2b769e5129
Better management of the CSP header
...
Closes https://github.com/keycloak/keycloak/issues/24568
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-08 08:19:57 +02:00
Giuseppe Graziano
b4f791b632
Remove session_state from tokens
...
Closes #27624
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-08 08:12:51 +02:00
Alexander Schwartz
647bce49c8
Add error details to events to be able to track down root causes
...
Closes #28429
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-04 20:28:45 +02:00
Justin Tay
30cd40e097
Use realm default signature algorithm for id_token_signed_response_alg
...
Closes #9695
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-04 11:37:28 +02:00
Justin Tay
89a5da1afd
Allow empty key use in JWKS for client authentication
...
Closes #28004
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-04 10:42:37 +02:00
Marek Posolda
335a10fead
Handle 'You are already logged in' for expired authentication sessions ( #27793 )
...
closes #24112
Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-04 10:41:03 +02:00
Anar Sultanov
6708f1f12d
Update method for sending identity broker link confirmation
...
Signed-off-by: Anar Sultanov <anar.sultanov@assessio.se>
2024-04-03 19:08:51 -03:00
Hynek Mlnarik
8ef3423f4a
Present effective sync mode value
...
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705 ).
This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.
Fixes : #26019
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-04-03 15:49:18 +02:00
Pedro Igor
fefeb83588
Changes the contract to make it simpler and rely on the realm available from the current session
...
Closes #28403
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-03 14:45:31 +02:00
Nicola Beghin
a7e5c861cc
fixes SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor ( keycloak/keycloak#27875 )
...
Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>
2024-04-02 10:58:15 +02:00
Giuseppe Graziano
fe06df67c2
New default client scope for 'basic' claims with 'auth_time' protocol mapper
...
Closes #27623
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-02 08:44:28 +02:00
Pedro Igor
b9a7152a29
Avoid commiting the transaction prematurely when creating users through the User API
...
Closes #28217
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-27 19:16:09 -03:00
Lex Cao
a53cacc0a7
Fire logout event when logout other sessions ( #26658 )
...
Closes #26658
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-03-27 11:13:48 +01:00
Jon Koops
3382e16954
Remove Account Console version 2 ( #27510 )
...
Closes #19664
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-27 10:53:28 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession ( #28150 )
...
* fix: limit the use of Resteasy to the KeycloakSession
contextualizes other state to the KeycloakSession
close : #28152
2024-03-26 13:43:41 -04:00
vramik
fa1571f231
Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member
...
Closes #27993
Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
vramik
e7bc796553
When the realm has registrationEmailAsUsername set to false (default) it's not possible to add a member to an org
...
Closes #28216
Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
Pedro Igor
a470711dfb
Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider
...
Closes #28100
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-26 10:14:49 -03:00
Stian Thorgersen
8cbd39083e
Default password hashing algorithm should be set to default password hash provider ( #28128 )
...
Closes #28120
Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 12:44:11 +01:00
Stian Thorgersen
3f9cebca39
Ability to set the default provider for an SPI ( #28135 )
...
Closes #28134
Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:45:08 +01:00
Reda Bourial
a41d865600
fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY ( #27756 )
...
Signed-off-by: Reda Bourial <reda.bourial@gmail.com>
2024-03-21 17:06:42 +01:00
Steven Hawkins
7eab019748
task: deprecate WILDCARD and STRICT options ( #26833 )
...
closes : #24893
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 16:22:41 +01:00
Steven Hawkins
35b9d8aa49
task: remove usage of resteasy-core-spi ( #27387 )
...
closes : #27242
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 15:28:34 +01:00
Giuseppe Graziano
939420cea1
Always include offline_access scope when refreshing with offline token
...
Closes #27878
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-03-21 14:32:31 +01:00
Pedro Igor
32541f19a3
Allow managing members for an organization
...
Closes #27934
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 10:26:30 -03:00
Martin Kanis
4154d27941
Invalidating offline token is not working from client sessions tab
...
Closes #27275
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-03-21 09:04:58 -03:00
Pedro Igor
f970deac37
Do not grant scopes not granted for resources owned the resource server itself
...
Closes #25057
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-20 18:36:41 +01:00
René Zeidler
83a3500ccf
Attributes without a group should appear first
...
In the login theme, user profile attributes that
are not assigned to an attribute group should
appear before all other attributes. This aligns
the login theme (registration, verify profile,
etc.) with the account and admin console.
Fixes #27981
Signed-off-by: René Zeidler <rene.zeidler@gmx.de>
2024-03-19 18:40:01 +01:00
Peter Skopek
b77e228be4
Fix javadoc generation failure introduced with new dependencies
...
for OID4VCI support (#28038 )
Fixes #28038
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2024-03-19 14:14:53 +01:00
Stefan Wiedemann
67d3e1e467
Issue Verifiable Credentials in the VCDM format #25943 ( #27071 )
...
closes #25943
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet
24f105e8fc
successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex
...
Closes #23528
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-03-18 08:19:13 -03:00
Alexander Schwartz
62d24216e3
Remove offline session preloading
...
Closes #27602
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-15 15:19:27 +01:00
Pedro Igor
7fc2269ba5
The bare minimum implementation for organization
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Peter Keuter
e26a261e4e
Filter subgroups before paginating
...
Closes #27512
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-03-15 10:57:57 +01:00
sebastien-helbert
e33bf39055
Review log message ( #23962 )
...
missing spaces added in log message
2024-03-14 13:44:22 +01:00
Alexander Schwartz
6de5325d1c
Limit the received content when handling the content as a String
...
Closes #27293
Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 16:43:03 +01:00
Réda Housni Alaoui
1bf90321ad
"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api ( #27578 )
...
closes #27558
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-03-13 14:00:34 +01:00
rmartinc
43a5779f6e
Do not challenge inside spnego authenticator is FORKED_FLOW
...
Closes #20637
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-12 14:23:03 +01:00
Pedro Igor
1e48cce3ae
Make sure empty configuration resolves to the system default configuration
...
Closes #27611
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-11 09:01:38 -03:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format ( #27207 )
...
closes #25942
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-03-11 08:55:28 +01:00
Hynek Mlnarik
26468e11f2
Use correct path to account console
...
Fixes : #27709
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-03-08 14:31:32 +01:00
Ricardo Martin
299118c45a
Change oidcScopeMissing from WARN to DEBUG ( #27439 )
...
Closes #27391
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-08 10:50:21 +00:00
Erik Jan de Wit
7d104dbe9d
no result to parse on success ( #27336 )
...
* no result to parse on success
fixes : #27245
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* translate error message
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-03-08 09:56:23 +01:00
Pedro Igor
40385061f7
Make sure refresh token expiration is based on the current time when the token is issued
...
Closes #27180
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-07 15:23:19 +01:00
rmartinc
ea4155bbcd
Remove recursively when deleting an authentication executor
...
Closes #24795
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
graziang
54b40d31b6
Revoked token cache expiration fix
...
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.
Closes #26113
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-07 13:33:37 +01:00
Alexander Schwartz
595959398b
Instead of an InputStream that doesn't know about its encoding, use a String
...
Closes #20916
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-07 10:24:36 +00:00
rmartinc
dea15e25da
Only add the nonce claim to the ID Token (mapper for backwards compatibility)
...
Closes #26893
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 09:56:57 +01:00
Theresa Henze
653d09f39a
trigger REMOVE_TOTP event on removal of an OTP credential
...
Closes #15403
Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-03-06 17:12:50 +01:00
graziang
39299eeb38
Encode role name parameter in the location header uri
...
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.
Closes #27514
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-06 15:59:26 +01:00
rmartinc
82af0b6af6
Initial client policies integration for SAML
...
Closes #26654
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-06 15:18:35 +01:00
graziang
4fa940a31e
Device verification flow always requires consent
...
Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve
Closes #26100
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-05 14:14:19 +01:00
Tero Saarni
e06fcbe6ae
Change supported criteria for Google Authenticator
...
List Google Authenticator as supported when
- hash algorithm is SHA256 or SHA512
- number of digits is 8
- OTP type is hotp
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-03-05 11:19:06 +01:00
Jon Koops
7afd75ba08
Use browser router for Account Console ( #22192 )
...
Closes #27442
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-04 12:38:28 +00:00
Steven Hawkins
be3e2fabc4
fix: remove the reliance on allowed classes ( #27368 )
...
closes : #25038
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-04 12:17:53 +00:00
Lucy Linder
aa6771205a
Update ReCAPTCHA and add support for ReCAPTCHA Enterprise
...
Closes #16138
Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
2024-03-04 20:28:06 +09:00
vramik
032bb8e9cc
Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive
method
...
Closes #27438
Signed-off-by: vramik <vramik@redhat.com>
2024-03-02 04:40:46 +09:00
rmartinc
f970803738
Check email and username for duplicated if isLoginWithEmailAllowed
...
Closes #27297
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-02 00:14:27 +09:00
Andy
137907f5ef
Roles admin REST API: Don't expand composite roles
...
Additionally:
- Import clean-up
- Added requireMapComposite as in RoleResource.addComposites
Closes #26951
Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
2024-03-02 00:03:03 +09:00
Takashi Norimatsu
1792af6850
OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor
...
closes #27412
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-03-01 14:49:23 +01:00
graziang
082f9ec15b
Update client scopes in Client Update Request in DCR
...
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.
Closes #24361
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-01 12:32:45 +01:00
Albrecht Scheidig
cad34cbb04
Restore support for locales with extensions ( #27285 )
...
Closes #27284
Signed-off-by: Albrecht Scheidig <albrecht.scheidig@hype.de>
2024-02-29 17:16:44 +00:00
Marek Posolda
ae0a0ea30b
SecureRedirectUrisEnforcerExecutor fixes ( #27369 )
...
closes #27344
Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-29 17:24:20 +01:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core ( #27032 )
...
* fix: partial removal of resteasy-core
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* fix: fully removing resteasy-core
closes : #26315
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
...
Closes #25823
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Pedro Igor
788d146bf2
Use the target client when processing scopes for internal exchanges
...
Closes #19183
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-28 15:18:43 +01:00
graziang
16a854c91b
Add option to clients to use lightweight access token
...
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes #27238
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-28 10:18:26 +01:00
Pedro Igor
0c91fceaad
Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests
...
Closes #27281
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-27 20:37:27 +09:00
Dmitry Telegin
c18c4bbeb8
Remove setContext() + minor cleanup
...
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4
Fix UMA
2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202
Split OAuth2GrantType and OAuth2GrantTypeFactory
2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b
Revert dynamic grant type resolution
2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a
simplify OAuth2GrantType.Context creation
2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06
rebase
2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3
- rework grant type resolution to use supports() in addition to grant type
...
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
cc9c8fe78a
Use EnvironmentDependentProviderFactory for DeviceGrantType
2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e
OAuth 2.0 Grant Type SPI
...
Closes : #26250
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
rmartinc
562decde35
Perform internal introspect for the access token in the account app
...
Closes #27243
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-27 09:19:20 +01:00
kaustubh-rh
03f6cda85a
Prevent user from removing built-in client scopes ( #27134 )
...
Closes #26937
Signed-off-by: Kaustubh B <kbawanka@redhat.com>
2024-02-26 11:16:23 +01:00
Gilvan Filho
83af01c4c0
Add failedLoginNotBefore to AttackDetectionResource
...
Closes #17574
Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-02-26 09:35:51 +01:00
graziang
cecce40aa5
Avoid regenerating the totpSecret on every reload of the OTP configuration page
...
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload
Closes #26052
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76
Allow setting an attribute as multivalued
...
Closes #23539
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Takashi Norimatsu
1e12b15890
Supporting OAuth 2.1 for public clients
...
closes #25316
Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 10:57:29 +01:00
Douglas Palmer
b0ef746f39
Permanently lock users out after X temporary lockouts during a brute force attack
...
Closes #26172
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Takashi Norimatsu
9ea679ff35
Supporting OAuth 2.1 for confidential clients
...
closes #25314
Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 08:34:21 +01:00
Sebastian Schuster
5e34769ee0
27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning
...
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2024-02-22 08:24:08 +09:00
Peter Keuter
01d66a662b
Expose display name and locales when user has ANY admin role ( #27160 )
...
* chore: expose display name and locales when user has view-realm
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: supportedlocales are available as stream
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: tests
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: remove unnecessarily added ignore
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
---------
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-02-21 13:30:31 -05:00
graziang
d13dc57a29
Removing duplicate claims in action tokens
...
Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload
Closes #24980
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-21 11:30:49 +01:00
Takashi Norimatsu
1bdbaa2ca5
Client policies: executor for validate and match a redirect URI
...
closes #25637
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-20 08:37:33 +01:00
Stefan Wiedemann
aa6b102e3d
Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 ( #27030 )
...
closes #26936
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-02-19 17:41:40 +01:00
Pedro Hos
6b3fa8b7a7
Invalid redirect uri when identity provider alias has spaces ( #22840 )
...
closes #22836
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-02-19 14:40:42 +01:00
Takashi Norimatsu
2f35d0e346
Add EdDSA/Ed25519 to WebAuthn Signature algorithms
...
closes #15000
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-19 14:08:04 +01:00
graziang
1f57fc141c
UPDATED_PASSWORD required-action triggered only when login using password
...
`UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`.
Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method.
Closes #17155
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-16 18:16:36 +01:00
Marek Posolda
c94f9f5716
Remove random redirect after password reset ( #27076 )
...
closes #20867
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2024-02-16 18:13:27 +01:00
mposolda
eff6c3af78
During password reset, the baseURL is not shown on the info page after browser restart
...
closes #21127
Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-15 18:48:53 +01:00
Michal Hajas
e55ba5dcdc
Make sure pagination is used even when first is null for getGroups endpoint
...
Closes #25731
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-15 19:46:04 +09:00
rmartinc
4ff4c3f897
Increase internal algorithm security using HS512 and 128 byte hmac keys
...
Closes #13080
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
Steven Hawkins
df38081fe8
fix: add an info message, and converts info to debug on non-pem files ( #26939 )
...
* fix: add an info message, and converts info to debug on non-pem files
closes : #26929
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update services/src/main/java/org/keycloak/truststore/TruststoreBuilder.java
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
2024-02-14 19:55:53 +01:00
rmartinc
bc82929e3a
Cors modifications for UserInfo endpoint
...
Closes #26782
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-14 18:24:06 +01:00
vibrown
161d03efd2
Added SPIs for ClientType and ClientTypeManager
...
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.
Closes #26431
Signed-off-by: vibrown <vibrown@redhat.com>
Cleaned up TODOs
Signed-off-by: vibrown <vibrown@redhat.com>
Added isSupported methods
Signed-off-by: vibrown <vibrown@redhat.com>
2024-02-13 19:26:19 +01:00
rmartinc
bb12f3fb82
Do not require non-builtin attributes for service accounts
...
Closes #26716
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-13 17:42:59 +01:00
Steven Hawkins
6bbf8358b4
task: addressing build warnings ( #26877 )
...
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 17:04:43 +01:00
Steven Hawkins
3a04acab51
fix: adds pfx as a recognized extension ( #26876 )
...
closes #24661
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 15:38:12 +01:00
Pedro Igor
e50642ac32
Allow setting a default user profile configuration
...
Closes #26489
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-12 11:16:48 +01:00
Réda Housni Alaoui
67718c653a
UPDATE_EMAIL action token handling should allow the user to resume its navigation to the redirect uri
...
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-02-08 18:32:38 -03:00
Michal Hajas
de598577b1
Fix confusing SAML NameId mapper format tooltip
...
Closes #26051
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2024-02-08 11:21:11 +01:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector ( #26630 )
...
This change adds event for brute force protector when user account is
temporarily disabled.
It also lowers the priority of free-text log for failed login attempts.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-07 14:13:33 +00:00
Kamontat Chantrachirathumrong
516bfbe896
Support custom common path ( #22717 )
...
Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>
2024-02-06 20:41:39 -05:00
Dmitry Telegin
da69beed4d
CORS SPI - code review
...
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
Dmitry Telegin
b0403e2268
CORS SPI
...
Closes #25446
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
mposolda
f468885fdd
Empty error message when validation issue due the PersonNameProhibitedValidator validation
...
closes #26750
Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-06 12:56:50 -03:00
Stian Thorgersen
c4b1fd092a
Use code from RestEasy to create and set cookies ( #26558 )
...
Closes #26557
Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:14:04 +01:00
rmartinc
720c5c6576
PKCE should return error if code_verifier sent but no code_challenge in the authorization request
...
Closes #26430
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-06 08:31:56 -03:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces ( #26708 )
...
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7
Improve ScheduledTask task-name handling
...
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.
Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.
Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
ShefeeqPM
65c7cd6008
removing duplicate open id scope ( #26542 )
...
Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 09:08:18 +00:00
alcalin
59b2dd69e3
Update AuthenticationManager.java ( #26586 )
...
Fix typo in log message for unlogged clients
Signed-off-by: alcalin <alexcalin02@gmail.com>
2024-02-01 13:56:26 +00:00
Pedro Igor
3a7ce54266
Allow formating numbers when rendering attributes
...
Closes keycloak#26320
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-01 08:14:58 -03:00
Stian Thorgersen
64b5f42c4a
Revert new behaviour around setting secure flag for cookies ( #26650 )
...
Closes #26649
Signed-off-by: stianst <stianst@gmail.com>
2024-01-31 19:33:56 +01:00
Lex Cao
a43ba73b93
Skip link only when client is not system when logout ( #24595 )
...
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 17:50:26 +01:00
rmartinc
01be4032d8
Enable verify-profile required action by default
...
Closes #25985
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-31 13:32:53 +01:00
Lex Cao
f83756b177
Error handle for the Json request in createErrorPage
...
Closes #13368
These changes introduce a new error handler for building error based on the media type.
- It should create error form response when it is valid HTML request
- It could create error response with JSON if content type matches
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 09:31:30 -03:00
mposolda
10ba70c972
Possibility to email being not required
...
closes #26552
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-01-31 10:57:10 +01:00
Thomas Darimont
346c2926f6
Fix error type in SAML response on missing destination
...
We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE.
Added proposed test case.
Closes #11178
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Chris Dolphy <cdolphy@redhat.com>
2024-01-31 09:32:14 +01:00
Stefan Wiedemann
fa948f37e0
Issue Verifiable Credentials in jwt_vc format #25941 ( #26484 )
...
closes #25941
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-01-30 18:35:20 +01:00
mposolda
1213556eff
Fixes for UsernameIDNHomographValidator
...
closes #26564
Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-30 14:30:28 +01:00
Chris Tanaskoski
5373f3c97a
Don't fail reset credentials action upon first broker login without EXISTING_USER_INFO
( #26324 )
...
The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set.
This commit does not attempt to fetch the existing user if we don't have this info set.
Closes #26323
Signed-off-by: Chris Tanaskoski <chris@devristo.com>
2024-01-30 11:16:52 +00:00
Stian Thorgersen
0fb6bdfcac
Cookie Provider - move remaining cookies ( #26531 )
...
Closes #26500
Signed-off-by: stianst <stianst@gmail.com>
2024-01-29 11:06:37 +01:00
Stian Thorgersen
bc3c27909e
Cookie Provider ( #26499 )
...
Closes #26500
Signed-off-by: stianst <stianst@gmail.com>
2024-01-26 10:45:00 +01:00
Marek Posolda
651d99db25
Allow selecting attributes from user profile when managing token mappers ( #26415 )
...
* Allow selecting attributes from user profile when managing token mappers
closes #24250
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-01-25 17:01:02 +01:00
Martin Kanis
7797f778d1
Map Store Removal: Rename legacy modules
...
Closes #24107
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-25 16:29:16 +01:00
Erik Jan de Wit
28c9f98930
moved login screen to patternfly 5 ( #25340 )
...
* moved login screen to patternfly 5
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added Feature flag to enable login v2
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* removed the old css and only include logo and background styles
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to experimental
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added login2
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added windows help texts
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-01-25 13:45:53 +01:00
Ricardo Martin
b58f35fb47
Revert "Enable verify profile required action by default for new realms" ( #26495 )
...
This reverts commit 7f195acc14
.
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-25 12:28:16 +01:00
Stefan Wiedemann
efa6ddc41e
Create SPI and Provider for Verifiable Credentials Signing #25937 ( #26263 )
...
* implement oid4vci service interfaces
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add oid4vc to the disabled features test
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix test and add doc
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add the new preview feature
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add class-level doc
remove wildcard imports
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add license headers
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix year
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix teste
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* two additional test fixes
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* make the feature experimental
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* remove clock
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* remove usage of var
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix tests
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
---------
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-01-25 07:36:28 +01:00
Stian Thorgersen
cbfdae5e75
Remove support for multiple AUTH_SESSION_ID cookies ( #26462 )
...
Closes #26457
Signed-off-by: stianst <stianst@gmail.com>
2024-01-25 06:58:42 +01:00
rmartinc
7f195acc14
Enable verify profile required action by default for new realms
...
Closes #25985
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-24 20:28:06 +01:00
Florian Garcia
af0b9164e3
fix: hardcoded conditional rendering of client secret input field ( #25776 )
...
Closes #22660
Signed-off-by: ImFlog <garcia.florian.perso@gmail.com>
Co-authored-by: useresd <yousifmagdi@gmail.com>
2024-01-24 16:30:22 +01:00
Stian Thorgersen
85ddac26ed
Remove code that expires old cookie paths ( #26444 )
...
Closes #26416
Signed-off-by: stianst <stianst@gmail.com>
2024-01-24 13:43:03 +01:00
Lex Cao
142c14138f
Add verify email required action for IdP email verification
...
Closes #26418
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-24 12:15:09 +01:00
Takashi Norimatsu
b99f45ed3d
Supporting EdDSA
...
closes #15714
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-01-24 12:10:41 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes ( #26273 )
...
Closes #24105
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
Douglas Palmer
ffa069a33b
Invalidate authentication session on repeated Recovery Code failures
...
Closes #26180
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-22 11:57:47 +01:00
Stian Thorgersen
656e680019
Remove unused HttpResponse.setWriteCookiesOnTransactionComplete ( #26326 )
...
Closes #26325
Signed-off-by: stianst <stianst@gmail.com>
2024-01-20 11:31:10 +01:00
Martin Bartoš
98be32d9ff
Parse default UserProfile configuration in the build time
...
Closes #24890
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-01-19 17:05:59 -03:00
Douglas Palmer
e7d842ea32
Invalidate session secretly
...
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Douglas Palmer
18d0105de0
Invalidate authentication session on repeated OTP failures
...
Closes #26177
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Pedro Igor
62020ffc68
Make sure the component resolves to a UPConfig before cloning it
...
Closes #26308
2024-01-18 19:11:48 +01:00
rmartinc
2f0a0b6ad8
Remove deprecated mode for saml encryption
...
Closes #26291
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-18 16:52:10 +01:00
cgeorgilakis-grnet
ccade62289
Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
...
Closes #24344
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-16 11:26:29 +01:00
Alexander Schwartz
b9498b91cb
Deprecating the offline session preloading ( #26160 )
...
Closes #25300
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-16 09:29:01 +01:00
cgeorgilakis-grnet
a3257ce08f
OIDC Protocol Mappers with same claim
...
Closes #25774
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-15 09:16:12 -03:00
rmartinc
e162974a8d
Integrate registration with terms and conditions required action
...
Closes #25891
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-15 10:19:30 +01:00
MikeTangoEcho
c2b132171d
Add X509 thumbprint to JWT when using private_key_jwt
...
Closes keycloak#12946
Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>
2024-01-12 16:01:01 +01:00
Lex Cao
47f7e3e8f1
Use email verification instead of executing action for send-verify-email
endpoint
...
Closes #15190
Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl`
Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours)
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-11 16:28:02 -03:00
mposolda
692aeee17d
Enable user profile by default
...
closes #25151
Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-11 12:48:44 -03:00
Patrick Hamann
d36913a240
Ensure protocol forced reauthentication is correctly mapped during SAML identity brokering
...
Closes #25980
Signed-off-by: Patrick Hamann <patrick@fastly.com>
2024-01-10 20:46:35 +01:00
rmartinc
179ca3fa3a
Sanitize logs in JBossLoggingEventListenerProvider
...
Closes #25078
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-10 16:50:27 +01:00
Réda Housni Alaoui
3c05c123ea
On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template
...
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-09 16:04:52 -03:00
shigeyuki kabano
67e73d3d4e
Enhancing Lightweight access token M2(keycloak#25716)
...
Closes keycloak#23724
Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2024-01-09 09:42:30 +01:00
Ricardo Martin
097d68c86b
Escape action in the form_post.jwt and only decode path in RedirectUtils ( #93 ) ( #25995 )
...
Closes #90
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-09 08:20:14 +01:00
Steven Hawkins
d1d1d69840
fix: adds a general error message and descriptions for some exceptions ( #25806 )
...
closes : #25746
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-01-08 18:19:40 +00:00
Felix Gustavsson
0f47071a29
Check if UMA is enabled on resource, if not reject the request.
...
Closes #24422
Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>
2024-01-08 11:28:57 -03:00
agagancarczyk
768231d950
Localization tabs ( #25532 )
...
* Add new localization tabs to Administration Console
Closes #23057
Signed-off-by: Agnieszka <agancarc@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* css cleanup
Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com>
* css cleanup
Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com>
---------
Signed-off-by: Agnieszka <agancarc@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>
2024-01-08 14:03:26 +00:00
atharva kshirsagar
d7542c9344
Fix for empty realm name issue
...
Throw ModelException if name is empty when creating/updating a realm
Closes #17449
Signed-off-by: atharva kshirsagar <atharva4894@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-05 14:23:42 +01:00
Pedro Igor
8ff9e71eae
Do not allow verifying email from a different account
...
Closes #14776
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:45:07 +01:00
Pedro Igor
f476a42d66
Fixing the registration_client_uri to point to a valid URI after updating a client
...
Closes #23229
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:41:36 +01:00
Pedro Igor
986b6af4f5
Make sure the context path from the base URI is respected when building TOTP URIs
...
Closes #21542
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 07:10:49 -03:00
Réda Housni Alaoui
a21e95c5ae
In UserProfileContext.IDP_REVIEW, NPE on UserModel#getEmail because UserModelDelegate#delegate is null
...
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-03 15:00:30 -03:00
Ben Cresitello-Dittmar
057d8a00ac
Implement Authentication Method Reference (AMR) claim from OIDC specification
...
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.
This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.
The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.
Closes #19190
Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
Jon Koops
07f9ead128
Upgrade Welcome theme to PatternFly 5
...
Closes #21343
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-01-03 14:46:01 -03:00
Pedro Igor
15b10f58fc
Make the user attribute available to the idp-review-user-profile.ftl template
...
Closes #25872
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-03 13:26:33 -03:00
Réda Housni Alaoui
5287500703
@NoCache is not considered anymore
...
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-02 09:06:55 -03:00
Alexander Schwartz
9e890264df
Adding a test case to check that the expiration time is set on logout tokens
...
Closes #25753
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-22 20:13:40 +01:00
Niko Köbler
5e623f42d4
add the exp claim to the backchannel logout token
...
This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.
As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time.
resolves #25753
Signed-off-by: Niko Köbler <niko@n-k.de>
2023-12-22 20:13:40 +01:00
DAHAG-ArisNourbakhsh
b52d97475a
Add raw OpenApi documentation files to rest-api documentation ( #22940 )
...
Add raw OpenApi documentation files to rest-api documentation
Closes #21559
Signed-off-by: Aris Nourbakhsh <aris.nourbakhsh@dahag.de>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-21 12:07:33 +01:00
Pedro Igor
ceb085e7b8
Update the UPDATE_EMAIL feature to rely on the user profile configuration when rendering templates and validating the email
...
Closes #25704
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-20 15:15:06 -03:00
rmartinc
c2e41b0eeb
Make Locale updater generate an event and use the user profile
...
Closes #24369
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-20 15:26:45 +01:00
Konstantinos Georgilakis
cf57af1d10
scope parameter in refresh flow
...
Closes #12009
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2023-12-20 14:00:10 +01:00
mposolda
eb184a8554
More info on UserProfileContext
...
closes #25691
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-19 13:00:31 -03:00
Ricardo Martin
32a70cbedd
Strip off user-info from redirect URI when validating using wildcard ( #61 )
...
Closes keycloak/keycloak-private#58
Closes https://issues.redhat.com/browse/RHBK-679
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-19 10:13:36 -03:00
Joshua Sorah
d411eafc42
Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207
...
Closes keycloak/keycloak#25584
Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-19 10:38:05 +01:00
Ricardo Martin
2ba7a51da6
Escape action in the form_post response mode ( #60 )
...
Closes keycloak/keycloak-private#31
Closes https://issues.redhat.com/browse/RHBK-652
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 18:10:41 -03:00
Konstantinos Georgilakis
ba8c22eaf0
Scope parameter in Oauth 2.0 token exchange
...
Closes #21578
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2023-12-18 15:44:26 -03:00
Pedro Igor
778847a3ce
Updating theme templates to render user attributes based on the user profile configuration
...
Closes #25149
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-18 15:35:52 -03:00
rmartinc
d841971ff4
Updating the UP configuration needs to trigger an admin event
...
Close #23896
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 19:24:30 +01:00
mposolda
cd154cf318
User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect
...
closes #25475
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-18 11:32:27 +01:00
Takashi Norimatsu
59536becec
Client policies : executor for enforcing DPoP
...
closes #25315
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-12-18 10:45:18 +01:00
Yoshiyuki Tabata
0ca73829d0
Fix OpenAPI spec POST /admin/realms/{realm}/clients
...
Closes #21536
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 10:08:54 +01:00
Yoshiyuki Tabata
66ee27f413
Fix OpenAPI spec POST /admin/realms/{realm}/clients-initial-access
...
Closes #25656
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 09:12:02 +01:00
Joshua Sorah
a10149bbe9
For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs
...
Closes keycloak#25544
Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-18 09:05:51 +01:00
Yoshiyuki Tabata
5bdadaacbc
Modify OpenAPI spec POST /admin/realms
...
Closes #25565
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 08:41:23 +01:00
Sophie Tauchert
3ab24afe93
Add response annotations to resourceserver
...
Closes : #25604
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-15 19:45:39 +01:00
Erwin Rooijakkers
860978b15a
Change arg of getSubGroups to briefRepresentation
...
Parameter name briefRepresentation should mean briefRepresentation,
not full. This way callers will by default get the full
representation, unless true is passed as value for
briefRepresentation.
Fixes #25096
Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>
2023-12-14 17:23:27 +01:00
Steven Hawkins
08751001db
enhance: adds truststores to the keycloak cr ( #25215 )
...
also generally correcting the misspelling trustore
closes : #24798
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2023-12-14 11:15:06 -03:00
mposolda
c81b533cf6
Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration
...
closes #25416
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-14 14:43:28 +01:00
Douglas Palmer
4b11afa87b
NullPointerException when key is not available in the database ( #25395 )
...
* NullPointerException when key is not available in the database
Closes #24485
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-12-14 09:57:53 +01:00
Václav Muzikář
e4c348e99e
Add new --proxy-headers
option ( #25178 )
...
* Add new `--proxy-headers` option
Closes #23431
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
* Address review comments vol. 03
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Address review comments vol. 04
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-13 10:48:12 -03:00
Pedro Igor
fa79b686b6
Refactoring user profile interfaces and consolidating user representation for both admin and account context
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-13 08:27:55 +01:00
Pedro Igor
78ba7d4a38
Do not allow removing username and email from user profile configuration
...
Closes #25147
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-11 08:30:28 +01:00
Sophie Tauchert
1d56e0371e
Make sure authz endpoints are documented in openapi spec
...
Closes : #25259
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-08 16:45:13 +01:00
mposolda
90bf88c540
Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers
...
closes #24718
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-12-08 12:26:35 +01:00
saumeen prajapati
d829534237
Remove single quote from log string
...
Closes #25060
Signed-off-by: saumeen prajapati <psaumeen@gmail.com>
2023-12-07 20:08:07 +00:00
wojnarfilip
925c5572ad
Re-enable Federated Access Token in user sessions
...
Closes #25290
Signed-off-by: wojnarfilip <fwojnar@redhat.com>
2023-12-07 19:55:20 +01:00
Vlasta Ramik
df465456b8
Map Store Removal: Remove LockObjectsForModification
( #25323 )
...
Signed-off-by: vramik <vramik@redhat.com>
Closes #24793
2023-12-07 12:43:43 +00:00
Fouad Almalki
0e535d2bbe
Retrieve ClientConnection by invoking getConnection() instead of getContextObject()
...
Signed-off-by: Fouad Almalki <me@fouad.io>
2023-12-07 13:11:54 +01:00
Stefan Guilhen
7b63d6d500
Remove ResponseSessionTask
...
- this was tightly related to retriable transactions added to map store and is no longer needed.
Closes #25309
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2023-12-06 19:53:53 +01:00
Stefan Guilhen
8e918c2ebf
Revert changes to OIDCIdentityProvider that enlisted the client logout requests in a separate transaction.
...
Closes #25308
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2023-12-06 19:47:04 +01:00
rmartinc
522e8d2887
Workaround to allow percent chars in getGroupByPath via PathSegment
...
Closes #25111
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 14:22:34 -03:00
rmartinc
d004e9295f
Do not allow remove a credential in account endpoint if provider marks it as not removable
...
Closes #25220
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-05 17:11:57 +01:00
Michal Hajas
ec061e77ed
Remove GlobalLockProviderSpi ( #25206 )
...
Closes #24103
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-12-01 16:40:56 +00:00
Ricardo Martin
3b26e5d489
Add active RSA key to decryption if deprecated mode ( #25205 )
...
Closes https://github.com/keycloak/keycloak/issues/24652
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-01 13:40:47 +00:00
mposolda
3fa2d155ca
Decouple factory methods from the provider methods on UserProfileProvider implementation
...
closes #25146
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-01 10:30:57 -03:00
Pedro Igor
c7f63d5843
Add options to change behavior on how unmanaged attributes are managed
...
Closes #24934
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-11-30 06:58:21 -03:00
Steven Hawkins
8c3df19722
feature: add option for creating a global truststore ( #24473 )
...
closes #24148
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-11-30 08:57:17 +01:00
Douglas Palmer
d0b86d2f64
Register event not triggered on external to internal token exchange
...
Closes #9684
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 15:30:47 -03:00
mposolda
479e6bc86b
Update Kerberos provider for user-profile
...
closes #25074
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-29 15:21:26 -03:00
rmartinc
16afecd6b4
Allow automatic download of SAML certificates in the identity provider
...
Closes https://github.com/keycloak/keycloak/issues/24424
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
rmartinc
3bc028fe2d
Remove lowercase for the hostname as recommended/advised by OAuth spec
...
Closes https://github.com/keycloak/keycloak/issues/25001
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 10:26:00 -03:00
rmartinc
b6cdcb3c27
Revert "Fix lowerCaseHostname to lower-case scheme and host properly"
...
This reverts commit 1241bd2919
.
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 10:26:00 -03:00
Douglas Palmer
5ce41a462b
NPE in HardcodedUserSessionAttributeMapper on Token Exchange
...
Closes #11996
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
Douglas Palmer
7e78d29f8d
NPE in User Session Note mapper on Token Exchange
...
Closes #24200
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
hokuda
a83b9d11fa
Fix typo in the balloon help of SAML Username Template Importer
...
closes #25033
Signed-off-by: hokuda <hisanobu.okuda@gmail.com>
2023-11-29 09:32:16 -03:00
Douglas Palmer
e99bd4aa3a
External to Internal Token exchange fails with Null pointer Exception if the user is not yet registered (first time token exchange)
...
Closes #16059
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:16:14 -03:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
...
Closes #25077
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-29 11:06:41 +00:00
Jon Koops
0b9dd21b0a
Attempt to request storage access for cookies ( #25055 )
...
Closes #23872
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2023-11-27 18:23:40 +00:00
Pedro Igor
2c611cb8fc
User profile configuration scoped to user-federation provider
...
closes #23878
Co-Authored-By: mposolda <mposolda@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Stian Thorgersen
a32b58d337
Escape ldap id when using normal attribute syntax ( #25 ) ( #25036 )
...
Closes https://github.com/keycloak/security/issues/46
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2023-11-27 11:38:14 +01:00
Takashi Norimatsu
1f5ee9bf80
NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token
...
closes #25022
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-11-27 08:49:48 +01:00
Sophie Tauchert
855aebabc2
Rename clientUuid path parameter to client-uuid for consistency
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Sophie Tauchert
496c0e7f03
Rename some path parameter placeholders to avoid duplicating {id} in the path
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Sophie Tauchert
3e17cb0452
Add correct annotation for 204 responses to POST methods returning void
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Douglas Palmer
efde3adf60
Wrong value for VALIDATED_ID_TOKEN stored in the brokered identity context for external token exchange
...
Closes #23985
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-23 11:52:37 -03:00
Douglas Palmer
2ec1d2f7ea
Fix logic error in AbstractOAuth2IdentityProvider
...
Closes #24943
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-23 11:43:42 -03:00
Tero Saarni
fd58cb1bec
Attempt to remove warning about not using inference
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-23 10:49:58 -03:00
Tero Saarni
e35f3d7e87
Fix compilation error with ServerInfoAdminResource
...
This change fixes following type inference error:
* Type mismatch: cannot convert from Map<Boolean,Object> to Map<Boolean,List<String>>
The error comes when opening and compiling on vscode or Eclipse, which uses
Eclipse JDT compiler.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-23 10:49:58 -03:00
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
...
Closes #23404
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Thomas Darimont
d30d692335
Introduce MaxAuthAge Password policy ( #12943 )
...
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.
Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin
Fixes #12943
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
rmartinc
1241bd2919
Fix lowerCaseHostname to lower-case scheme and host properly
...
Closes https://github.com/keycloak/keycloak/issues/24792
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-20 10:00:50 +01:00
Erik Jan de Wit
941457b805
added theme name as parameter
...
moved messages to theme bundle
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-17 08:35:54 +01:00
rmartinc
5fad76070a
Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
...
Closes https://github.com/keycloak/keycloak/issues/24659
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 18:22:16 +01:00
Hynek Mlnarik
70d0f731f5
Use session ID rather than broker session ID
...
Closes : #24455
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB
...
Closes #24095
Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-16 13:50:56 +01:00
rmartinc
cca33baac3
Avoid NPE if RelayState is null and return a proper error
...
Closes https://github.com/keycloak/keycloak/issues/24079
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 12:56:49 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared ( #23600 )
...
* move account ui user profile to shared
* use ui-shared on admin same error handling
also introduce optional renderer for added component
* move scroll form to ui-shared
* merged with main
* fix lock file
* fixed merge error
* fixed merge errors
* fixed tests
* moved user profile types to admin client
* fixed more types
* pr comments
* fixed some types
2023-11-14 08:04:55 -03:00
Erik Jan de Wit
fe7833c957
Load Admin Console localizations from resource bundles ( #24316 )
...
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-13 12:39:46 -05:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents ( #24496 )
...
closes #24494
2023-11-10 11:18:27 +01:00
mposolda
7863c3e563
Moving UPConfig and related classes from keycloak-services
...
closes #24535
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
Joshua Sorah
7ca00975d4
Feature flag DPoP metadata in OIDC Well Known endpoint
...
Closes keycloak/keycloak#24547
Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2023-11-06 03:13:57 -08:00
Oliver
563ae104fd
[issue-14134] test partial import user with id
...
Fix #14134
2023-11-02 05:56:12 -07:00
rmartinc
d7bb59461d
Escape $ sign when replacing clientId in the role mappers
...
Closes https://github.com/keycloak/keycloak/issues/23692
2023-11-01 20:47:15 +01:00
rokkiter
e1735138cb
clean util * ( #24174 )
...
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
Pedro Igor
be65ba8689
Make sure optional default attributes are removed when decorating the user-define user profile configuration
...
Closes #24420
2023-11-01 14:54:09 +01:00
mposolda
0bd2b342d7
Update per review
2023-10-31 12:56:46 -07:00
mposolda
6f992915d7
Move some UserProfile and Validation classes into keycloak-server-spi
...
closes #24387
2023-10-31 12:56:46 -07:00
Justin Tay
3ff0476cc3
Allow customization of aud claim with JWT Authentication
...
Closes #21445
2023-10-31 11:33:47 -07:00
rmartinc
7deb4ca545
Group count and PartialExport permission fixes
...
Closes https://github.com/keycloak/keycloak/issues/12171
2023-10-31 01:40:21 -07:00
rmartinc
6484a3e705
Add userProfileEnabled attribute to realm response if admin can view users
...
closes https://github.com/keycloak/keycloak/issues/19093
2023-10-30 07:39:03 -07:00
Alice
69497382d8
Group scalability upgrades ( #22700 )
...
closes #22372
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
2c4d58f5af
Fix KcOidcBrokerTransientSessionsTest
...
Closes : #24313
2023-10-26 14:36:01 +02:00
rmartinc
faf398e3c3
Add openapi annotations to the UserProfileResource
...
Closes https://github.com/keycloak/keycloak/issues/9318
2023-10-25 07:44:24 -07:00
Hynek Mlnarik
a668c2cb2b
Support for transient brokering in admin console
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e
Support for transient sessions via lightweight users
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
ggraziano
84112f57b5
Verification of iss at refresh token request
...
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.
Closes #22191
2023-10-24 23:42:11 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration ( #24215 )
...
closes #24182
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-10-24 20:19:33 +02:00
Thomas Darimont
e567210ed1
Add dedicated feature flag for oauth device grant flow ( #23892 )
...
Closes #23891
2023-10-24 10:09:26 +02:00
Erik Jan de Wit
e4632c9e78
move to theme resource
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
f3d387172e
changed to realm, because that is the source
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
0f878566ab
add new locale endpoint that returns the messages
2023-10-23 15:17:18 -07:00
vramik
a0f04fa2be
Declarative User Profile export
...
Closes #12062
Resolves #20885
2023-10-21 19:21:20 +02:00
Pedro Igor
e47389f199
Username now shown when creating a user and edit username is not allowed
...
Closes #24183
2023-10-20 10:22:31 -07:00
Pedro Igor
55a5a8c0eb
Ignore custom attributes when processing attributes in verify profile action
...
Closes #24077
2023-10-20 17:51:40 +02:00
mposolda
c18e8ff535
User profile tweaks in registration forms
...
closes #24024
2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name ( #24113 )
...
closes #16379
2023-10-20 10:00:46 +02:00
mposolda
04777299b0
After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
...
closes #23880
2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias ( #24070 )
...
closes #24072
2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2
The username in account is required and don't change when email as username is enabled
...
Closes #23976
2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648
Enhancing Light Weight Token( #22148 )
...
Closes #21183
2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b
Removing the default cache metadata
...
Closes #23910
2023-10-13 16:32:55 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation ( #23156 )
...
Closes #23155
2023-10-13 15:25:10 +02:00
Moritz Becker
e9f08b6500
Do not return empty scope field in token introspection response
...
Closes #16526
2023-10-13 08:36:12 +02:00
duckboy81
197b39492e
Update TokenManager.java
...
Fixed minor spelling typos
2023-10-12 14:56:24 +02:00
ici-dev-gb
32b373f05f
Don't use top-level await
for storage access checks ( #23793 )
...
Closes #23743
2023-10-12 09:28:01 +00:00
Vojtěch Boček
8871983b33
Add support for single-tenant mode to Microsoft Identity Provider ( #20699 )
...
* Add support for single-tenant mode to Microsoft Identity Provider
Fixes #20695
Closes #11207
* Add SocialLoginTest for Microsoft single-tenant variant
2023-10-10 16:35:36 -04:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate ( #23517 )
...
Closes #12406
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-10 21:54:37 +02:00
Pedro Igor
7385ed56c7
Avoid creating the component when there is no component and configuration is not provided
...
Closes #20970
Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer
dd37e02140
Improve logging in case of OIDC Identity provider errors:
...
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response
Closes #23690
2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9
UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
...
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile ( #23537 )
...
Closes #23507 , #23584 , #23740 , #23774
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c
Remove backward compatibility for ECDSA tokens
...
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. ( #22317 )
...
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830
Fix client assertion with invalid ES256, ES384, ES512 signatures
...
Closes #23721
2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14
Aligns the logic in the welcome resources
...
as a result the quarkus one can be removed
closes keycloak#23243
2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie ( #23393 )
2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service ( #23293 )
...
Closes #14009
2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d
Client roles should be mapped to any claim name
...
Closes https://github.com/keycloak/keycloak/issues/22349
2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3
Change email checkserveridentity prop as angus mail sets it to true by default
...
Closes https://github.com/keycloak/keycloak/issues/22395
2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f
fix( Closes #21236 ): Adding client-id to logout event
2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c
Allow updating email when email as username is set and edit username disabed
...
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989
Use new findGroupByPath implementation and remove the old one
...
Closes #23344
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76
Allow public clients to use PAR endpoint
...
Closes #8939
2023-09-21 13:57:42 +02:00
rmartinc
082b0ed308
verifyRedirectUri should return null when the passed redirectUri is invalid
...
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 08:19:00 +02:00
rmartinc
f8a9e0134a
Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML
...
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-20 15:09:18 +02:00
Jon Koops
e86bf1f0b2
Remove P3P
header from authentication flow
...
Closes #23348
2023-09-19 08:50:33 -03:00
rmartinc
743bb696d9
Allow duplicated keys in advanced claim mappers
...
Closes https://github.com/keycloak/keycloak/issues/22638
2023-09-19 07:49:34 -03:00
Pedro Igor
217a09ce46
Switch to Resteasy Reactive
...
Closes #10713
2023-09-18 09:19:03 -03:00
Thomas Darimont
04d16ed170
Prevent NPE in AuthenticationManager.backchannelLogout ( #23306 )
...
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.
Fixes #23306
2023-09-18 08:16:51 +02:00
paul
f684a70048
KEYCLOAK-15985 Add Brute Force Detection Lockout Event
2023-09-15 10:32:07 -03:00
Pedro Igor
1442f14c45
Registration page not showing username when edit username is not enabled
...
Closes #23185
2023-09-14 07:32:39 -03:00
Justin Tay
658c0ef19f
Send Client ID in token request with JWT Authentication
...
Closes #21444
2023-09-14 10:57:32 +02:00
Pedro Igor
5958c7948d
Ignore attributes when they are not prefixed with user.attributes prefix ( #23184 )
...
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer
a68ad55a37
Support to define compatible mappers for (new) Identity Providers
...
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers
Closes #21154
2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis
0044472f87
Add regex support in 'Condition - User attribute' execution
...
Closes #265
2023-09-13 08:36:45 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview ( #22641 )
...
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console ( #23025 )
...
Closes #17743
2023-09-12 07:56:09 -04:00
Marek Posolda
56b94148a0
Remove bearer-only occurences in the documentation when possible. Mak… ( #23148 )
...
closes #23066
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Erik Jan de Wit
c7dcef7af8
fixed permissions for locale fetch ( #23078 )
...
fixes : #23065
2023-09-11 15:00:40 -04:00
Adeel Ahmad
4f90124612
Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message
...
This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.
2023-09-11 10:45:08 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address ( #23109 )
...
Closes #22825
2023-09-11 08:56:13 +02:00
rmartinc
7da52a43bd
Add old LinkedIn provider to the deprecated profile
...
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 10:05:17 +02:00
Marek Posolda
506e2537ac
Registration flow fixed ( #23064 )
...
Closes #21514
Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
bc31fde4c0
Broker claim mapper not recognizing claims from user info endpoint
...
Closes #12137
2023-09-07 16:34:45 +02:00
stianst
211c027adb
Remove use of Guava in services
...
Closes #23009
2023-09-07 08:59:02 +02:00
Kaustubh B
5ee2ba9372
Added tests
2023-09-07 08:43:35 +02:00
Kaustubh B
c57e775102
Fixed Regex
2023-09-07 08:43:35 +02:00
rmartinc
8887be7887
Add a new identity provider for LinkedIn based on OIDC
...
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f
Role mappers must return a single value when they are not multivalued
...
Closes #20218
2023-08-31 19:16:12 +02:00