Commit graph

3866 commits

Author SHA1 Message Date
mposolda
1213556eff Fixes for UsernameIDNHomographValidator
closes #26564

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-30 14:30:28 +01:00
Chris Tanaskoski
5373f3c97a
Don't fail reset credentials action upon first broker login without EXISTING_USER_INFO (#26324)
The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set.

This commit does not attempt to fetch the existing user if we don't have this info set.

Closes #26323

Signed-off-by: Chris Tanaskoski <chris@devristo.com>
2024-01-30 11:16:52 +00:00
Stian Thorgersen
0fb6bdfcac
Cookie Provider - move remaining cookies (#26531)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-29 11:06:37 +01:00
Lex Cao
cf3f05a259
Skip grant role if exists for federated storage (#26508)
Closes #26507

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-26 17:08:47 +00:00
Stian Thorgersen
bc3c27909e
Cookie Provider (#26499)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-26 10:45:00 +01:00
Martin Kanis
7797f778d1 Map Store Removal: Rename legacy modules
Closes #24107

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-25 16:29:16 +01:00
Ricardo Martin
b58f35fb47
Revert "Enable verify profile required action by default for new realms" (#26495)
This reverts commit 7f195acc14.

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-25 12:28:16 +01:00
Stian Thorgersen
cbfdae5e75
Remove support for multiple AUTH_SESSION_ID cookies (#26462)
Closes #26457

Signed-off-by: stianst <stianst@gmail.com>
2024-01-25 06:58:42 +01:00
rmartinc
7f195acc14 Enable verify profile required action by default for new realms
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-24 20:28:06 +01:00
Thomas Darimont
e7363905fa Change password hashing defaults according to OWASP recommendations (#16629)
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):

- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
  to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly

Fixes #16629

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-24 18:35:51 +01:00
Florian Garcia
af0b9164e3
fix: hardcoded conditional rendering of client secret input field (#25776)
Closes #22660

Signed-off-by: ImFlog <garcia.florian.perso@gmail.com>
Co-authored-by: useresd <yousifmagdi@gmail.com>
2024-01-24 16:30:22 +01:00
Stian Thorgersen
85ddac26ed
Remove code that expires old cookie paths (#26444)
Closes #26416

Signed-off-by: stianst <stianst@gmail.com>
2024-01-24 13:43:03 +01:00
Lex Cao
142c14138f Add verify email required action for IdP email verification
Closes #26418

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-24 12:15:09 +01:00
Takashi Norimatsu
b99f45ed3d Supporting EdDSA
closes #15714

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>

Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-01-24 12:10:41 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes (#26273)
Closes #24105

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
Douglas Palmer
e7d842ea32 Invalidate session secretly
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Douglas Palmer
18d0105de0 Invalidate authentication session on repeated OTP failures
Closes #26177
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
rmartinc
2f0a0b6ad8 Remove deprecated mode for saml encryption
Closes #26291

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-18 16:52:10 +01:00
cgeorgilakis-grnet
ccade62289 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
Closes #24344

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-16 11:26:29 +01:00
Alexander Schwartz
b9498b91cb
Deprecating the offline session preloading (#26160)
Closes #25300

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-16 09:29:01 +01:00
cgeorgilakis-grnet
a3257ce08f OIDC Protocol Mappers with same claim
Closes #25774

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-15 09:16:12 -03:00
rmartinc
e162974a8d Integrate registration with terms and conditions required action
Closes #25891

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-15 10:19:30 +01:00
Alexander Schwartz
a8eca6add0
Changing to the Infinispan BOM to avoid mis-aligned Infinispan dependencies (#26137)
Closes #22922

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
2024-01-15 09:20:47 +01:00
MikeTangoEcho
c2b132171d Add X509 thumbprint to JWT when using private_key_jwt
Closes keycloak#12946

Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>
2024-01-12 16:01:01 +01:00
Lex Cao
47f7e3e8f1 Use email verification instead of executing action for send-verify-email endpoint
Closes #15190

Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl`

Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours)

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-11 16:28:02 -03:00
Jon Koops
5eb7363ddd
Promote Account Console v3 to default and deprecate v2 (#25852)
Closes #19663

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-01-11 19:42:10 +01:00
mposolda
692aeee17d Enable user profile by default
closes #25151

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-11 12:48:44 -03:00
Patrick Hamann
d36913a240 Ensure protocol forced reauthentication is correctly mapped during SAML identity brokering
Closes #25980

Signed-off-by: Patrick Hamann <patrick@fastly.com>
2024-01-10 20:46:35 +01:00
remi
b22efeec78 Add a toggle to use context attributes on the regex policy provider
Signed-off-by: remi <remi.tuveri@gmail.com>
2024-01-10 16:15:25 -03:00
rmartinc
42f0488d76 Avoid returning duplicated users in LDAP and unsynced
Closes #24141

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-10 12:47:15 +01:00
Réda Housni Alaoui
3c05c123ea On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-09 16:04:52 -03:00
Alexander Schwartz
03372d2f41
Fix OfflineServletAdapterTest failures, and improve logging (#25724)
Closes #25714
Closes #14448

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-09 14:59:20 +01:00
shigeyuki kabano
67e73d3d4e Enhancing Lightweight access token M2(keycloak#25716)
Closes keycloak#23724

Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2024-01-09 09:42:30 +01:00
Ricardo Martin
097d68c86b
Escape action in the form_post.jwt and only decode path in RedirectUtils (#93) (#25995)
Closes #90

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-09 08:20:14 +01:00
Alexander Schwartz
0a16b64805 Stabilizing test cases by adding cleanups
Closes #24651

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-08 19:32:01 -03:00
Douglas Palmer
58d167fe59 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user.
Closes #24651
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-08 19:32:01 -03:00
Steven Hawkins
d1d1d69840
fix: adds a general error message and descriptions for some exceptions (#25806)
closes: #25746

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-01-08 18:19:40 +00:00
Felix Gustavsson
0f47071a29 Check if UMA is enabled on resource, if not reject the request.
Closes #24422

Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>
2024-01-08 11:28:57 -03:00
Tomas Ondrusko
e4fa5c034a
Update web element of the LinkedIn login page (#25905)
Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
2024-01-08 11:32:45 +01:00
Pedro Igor
d540584449 Using a valid URI when deleting cookies before/after running tests
Closes #22691

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 15:13:12 -03:00
atharva kshirsagar
d7542c9344 Fix for empty realm name issue
Throw ModelException if name is empty when creating/updating a realm

Closes #17449

Signed-off-by: atharva kshirsagar <atharva4894@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-05 14:23:42 +01:00
Pedro Igor
8ff9e71eae Do not allow verifying email from a different account
Closes #14776

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:45:07 +01:00
Pedro Igor
f476a42d66 Fixing the registration_client_uri to point to a valid URI after updating a client
Closes #23229

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:41:36 +01:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
Jon Koops
07f9ead128 Upgrade Welcome theme to PatternFly 5
Closes #21343

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-01-03 14:46:01 -03:00
Réda Housni Alaoui
5287500703 @NoCache is not considered anymore
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-02 09:06:55 -03:00
Alexander Schwartz
9e890264df Adding a test case to check that the expiration time is set on logout tokens
Closes #25753

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-22 20:13:40 +01:00
Niko Köbler
5e623f42d4 add the exp claim to the backchannel logout token
This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.

As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time.

resolves #25753

Signed-off-by: Niko Köbler <niko@n-k.de>
2023-12-22 20:13:40 +01:00
Pedro Igor
ceb085e7b8 Update the UPDATE_EMAIL feature to rely on the user profile configuration when rendering templates and validating the email
Closes #25704

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-20 15:15:06 -03:00
rmartinc
c2e41b0eeb Make Locale updater generate an event and use the user profile
Closes #24369

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-20 15:26:45 +01:00