Bug: SerializedBrokeredIdentityContext was changed to mirror
UserModel changes. However, when creating the user in LDAP,
the username must be provided first (everything else can
be handled via attributes).
- custom attributes in UserModel are removed during update
- this can break caching (doesn't break if user is written
to database)
- also ensure that we don't accidentally change username
and/or firstName/lastName through attributes
The discovery document is advertizing both token_introspection_endpoint
and introspection_endpoint. The former has been removed as it is not
defined by OAuth2/OIDC.
Some ProviderFactory returns null as properties instead of
Collections.emptyList() and it leads to NPE.
Fix it with using Optional.ofNullable(...).orElse(Collections.emptyList())
- In order to make lastName/firstName/email/username field
configurable in profile
we need to store it as an attribute
- Keep database as is for now (no impact on performance, schema)
- Keep field names and getters and setters (no impact on FTL files)
Fix tests with logic changes
- PolicyEvaluationTest: We need to take new user attributes into account
- UserTest: We need to take into account new user attributes
Potential impact on users:
- When subclassing UserModel, consistency issues may occur since one can
now set e.g. username via setSingleAttribute also
- When using PolicyEvaluations, the number of attributes has changed
We now expose the claims "sub" for use in Identity Broker mappers.
Previously claims directly mapped to `JsonWebToken` fields were not
accessible for mappings.
empty state
change case
added dropdown menu instead of buttons
now on edit you can add and remove permissions
changed how the actions work
updated success messages
use live region alerts toast alerts
username or email search
labels for the buttons
margin between accecpt and deny button
fixed test and types
changed to bigger distance with split component
changed to use seperate empty state component
Previously firstname and lastname were derived from the name claim.
We now use direct mappings to extract firstname and lastname from
given_name and family_name claims.
Added test to KcOidcFirstBrokerLoginTest
Marked org.keycloak.broker.provider.BrokeredIdentityContext#setName
as deprecated to avoid breaking existing integrations.
* Updated Invalid URLs
The docker-compose.yaml file generated creates an invalid url for REGISTRY_AUTH_TOKEN_REALM and REGISTRY_AUTH_TOKEN_ISSUER. Fixed
* KEYCLOAK-14072 JIRA#14072
Test coverage fix for the the JIRA#14072
The exported realm json file includes a field named "KeycloakVersion", which is assigned
Version.Version. In community edition, Version.Version is identical to Version.KeycloakVersion.
If we rebrand product based on keycloak project, Version.Version will be Product version, while
keycloak codes expect exported realm file including KeycloakVersion for normal migrating.
For RHSSO product, there are somes codes in class MigrationModelManager for converting the right
KeycloakVersion.
From semantic point, a field named "KeycloakVersion" should be assigned variable named "KeycloakVersion".
- Store in config map in database and model
- Expose the field in the OIDC-IDP
- Write logic for import, force and legacy mode
- Show how mappers can be updated keeping correct legacy mode
- Show how mappers that work correctly don't have to be modified
- Log an error if sync mode is not supported
Fix updateBrokeredUser method for all mappers
- Allow updating of username (UsernameTemplateMapper)
- Delete UserAttributeStatementMapper: mapper isn't even registered
Was actually rejected but never cleaned up: https://github.com/keycloak/keycloak/pull/4513
The mapper won't work as specified and it's not easy to tests here
- Fixup json mapper
- Fix ExternalKeycloakRoleToRoleMapper:
Bug: delete cannot work - just delete it. Don't fix it in legacy mode
Rework mapper tests
- Fix old tests for Identity Broker:
Old tests did not work at all:
They tested that if you take a realm and assign the role,
this role is then assigned to the user in that realm,
which has nothing to do with identity brokering
Simplify logic in OidcClaimToRoleMapperTests
- Add SyncMode tests to most mappers
Added tests for UsernameTemplateMapper
Added tests to all RoleMappers
Add test for json attribute mapper (Github as example)
- Extract common test setup(s)
- Extend admin console tests for sync mode
Signed-off-by: Martin Idel <external.Martin.Idel@bosch.io>
