mposolda
eb184a8554
More info on UserProfileContext
...
closes #25691
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-19 13:00:31 -03:00
Ricardo Martin
32a70cbedd
Strip off user-info from redirect URI when validating using wildcard ( #61 )
...
Closes keycloak/keycloak-private#58
Closes https://issues.redhat.com/browse/RHBK-679
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-19 10:13:36 -03:00
Joshua Sorah
d411eafc42
Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207
...
Closes keycloak/keycloak#25584
Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-19 10:38:05 +01:00
Ricardo Martin
2ba7a51da6
Escape action in the form_post response mode ( #60 )
...
Closes keycloak/keycloak-private#31
Closes https://issues.redhat.com/browse/RHBK-652
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 18:10:41 -03:00
Konstantinos Georgilakis
ba8c22eaf0
Scope parameter in Oauth 2.0 token exchange
...
Closes #21578
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2023-12-18 15:44:26 -03:00
Pedro Igor
778847a3ce
Updating theme templates to render user attributes based on the user profile configuration
...
Closes #25149
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-18 15:35:52 -03:00
rmartinc
d841971ff4
Updating the UP configuration needs to trigger an admin event
...
Close #23896
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 19:24:30 +01:00
mposolda
cd154cf318
User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect
...
closes #25475
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-18 11:32:27 +01:00
Takashi Norimatsu
59536becec
Client policies : executor for enforcing DPoP
...
closes #25315
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-12-18 10:45:18 +01:00
Yoshiyuki Tabata
0ca73829d0
Fix OpenAPI spec POST /admin/realms/{realm}/clients
...
Closes #21536
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 10:08:54 +01:00
Yoshiyuki Tabata
66ee27f413
Fix OpenAPI spec POST /admin/realms/{realm}/clients-initial-access
...
Closes #25656
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 09:12:02 +01:00
Joshua Sorah
a10149bbe9
For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs
...
Closes keycloak#25544
Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-18 09:05:51 +01:00
Yoshiyuki Tabata
5bdadaacbc
Modify OpenAPI spec POST /admin/realms
...
Closes #25565
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 08:41:23 +01:00
Sophie Tauchert
3ab24afe93
Add response annotations to resourceserver
...
Closes : #25604
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-15 19:45:39 +01:00
Erwin Rooijakkers
860978b15a
Change arg of getSubGroups to briefRepresentation
...
Parameter name briefRepresentation should mean briefRepresentation,
not full. This way callers will by default get the full
representation, unless true is passed as value for
briefRepresentation.
Fixes #25096
Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>
2023-12-14 17:23:27 +01:00
Steven Hawkins
08751001db
enhance: adds truststores to the keycloak cr ( #25215 )
...
also generally correcting the misspelling trustore
closes : #24798
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2023-12-14 11:15:06 -03:00
mposolda
c81b533cf6
Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration
...
closes #25416
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-14 14:43:28 +01:00
Douglas Palmer
4b11afa87b
NullPointerException when key is not available in the database ( #25395 )
...
* NullPointerException when key is not available in the database
Closes #24485
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-12-14 09:57:53 +01:00
Václav Muzikář
e4c348e99e
Add new --proxy-headers
option ( #25178 )
...
* Add new `--proxy-headers` option
Closes #23431
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
* Address review comments vol. 03
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Address review comments vol. 04
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-13 10:48:12 -03:00
Pedro Igor
fa79b686b6
Refactoring user profile interfaces and consolidating user representation for both admin and account context
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-13 08:27:55 +01:00
Pedro Igor
78ba7d4a38
Do not allow removing username and email from user profile configuration
...
Closes #25147
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-11 08:30:28 +01:00
Sophie Tauchert
1d56e0371e
Make sure authz endpoints are documented in openapi spec
...
Closes : #25259
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-08 16:45:13 +01:00
mposolda
90bf88c540
Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers
...
closes #24718
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-12-08 12:26:35 +01:00
saumeen prajapati
d829534237
Remove single quote from log string
...
Closes #25060
Signed-off-by: saumeen prajapati <psaumeen@gmail.com>
2023-12-07 20:08:07 +00:00
wojnarfilip
925c5572ad
Re-enable Federated Access Token in user sessions
...
Closes #25290
Signed-off-by: wojnarfilip <fwojnar@redhat.com>
2023-12-07 19:55:20 +01:00
Vlasta Ramik
df465456b8
Map Store Removal: Remove LockObjectsForModification
( #25323 )
...
Signed-off-by: vramik <vramik@redhat.com>
Closes #24793
2023-12-07 12:43:43 +00:00
Fouad Almalki
0e535d2bbe
Retrieve ClientConnection by invoking getConnection() instead of getContextObject()
...
Signed-off-by: Fouad Almalki <me@fouad.io>
2023-12-07 13:11:54 +01:00
Stefan Guilhen
7b63d6d500
Remove ResponseSessionTask
...
- this was tightly related to retriable transactions added to map store and is no longer needed.
Closes #25309
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2023-12-06 19:53:53 +01:00
Stefan Guilhen
8e918c2ebf
Revert changes to OIDCIdentityProvider that enlisted the client logout requests in a separate transaction.
...
Closes #25308
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2023-12-06 19:47:04 +01:00
rmartinc
522e8d2887
Workaround to allow percent chars in getGroupByPath via PathSegment
...
Closes #25111
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 14:22:34 -03:00
rmartinc
d004e9295f
Do not allow remove a credential in account endpoint if provider marks it as not removable
...
Closes #25220
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-05 17:11:57 +01:00
Michal Hajas
ec061e77ed
Remove GlobalLockProviderSpi ( #25206 )
...
Closes #24103
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-12-01 16:40:56 +00:00
Ricardo Martin
3b26e5d489
Add active RSA key to decryption if deprecated mode ( #25205 )
...
Closes https://github.com/keycloak/keycloak/issues/24652
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-01 13:40:47 +00:00
mposolda
3fa2d155ca
Decouple factory methods from the provider methods on UserProfileProvider implementation
...
closes #25146
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-01 10:30:57 -03:00
Pedro Igor
c7f63d5843
Add options to change behavior on how unmanaged attributes are managed
...
Closes #24934
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-11-30 06:58:21 -03:00
Steven Hawkins
8c3df19722
feature: add option for creating a global truststore ( #24473 )
...
closes #24148
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-11-30 08:57:17 +01:00
Douglas Palmer
d0b86d2f64
Register event not triggered on external to internal token exchange
...
Closes #9684
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 15:30:47 -03:00
mposolda
479e6bc86b
Update Kerberos provider for user-profile
...
closes #25074
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-29 15:21:26 -03:00
rmartinc
16afecd6b4
Allow automatic download of SAML certificates in the identity provider
...
Closes https://github.com/keycloak/keycloak/issues/24424
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
rmartinc
3bc028fe2d
Remove lowercase for the hostname as recommended/advised by OAuth spec
...
Closes https://github.com/keycloak/keycloak/issues/25001
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 10:26:00 -03:00
rmartinc
b6cdcb3c27
Revert "Fix lowerCaseHostname to lower-case scheme and host properly"
...
This reverts commit 1241bd2919
.
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 10:26:00 -03:00
Douglas Palmer
5ce41a462b
NPE in HardcodedUserSessionAttributeMapper on Token Exchange
...
Closes #11996
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
Douglas Palmer
7e78d29f8d
NPE in User Session Note mapper on Token Exchange
...
Closes #24200
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
hokuda
a83b9d11fa
Fix typo in the balloon help of SAML Username Template Importer
...
closes #25033
Signed-off-by: hokuda <hisanobu.okuda@gmail.com>
2023-11-29 09:32:16 -03:00
Douglas Palmer
e99bd4aa3a
External to Internal Token exchange fails with Null pointer Exception if the user is not yet registered (first time token exchange)
...
Closes #16059
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:16:14 -03:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
...
Closes #25077
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-29 11:06:41 +00:00
Jon Koops
0b9dd21b0a
Attempt to request storage access for cookies ( #25055 )
...
Closes #23872
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2023-11-27 18:23:40 +00:00
Pedro Igor
2c611cb8fc
User profile configuration scoped to user-federation provider
...
closes #23878
Co-Authored-By: mposolda <mposolda@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Stian Thorgersen
a32b58d337
Escape ldap id when using normal attribute syntax ( #25 ) ( #25036 )
...
Closes https://github.com/keycloak/security/issues/46
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2023-11-27 11:38:14 +01:00
Takashi Norimatsu
1f5ee9bf80
NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token
...
closes #25022
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-11-27 08:49:48 +01:00
Sophie Tauchert
855aebabc2
Rename clientUuid path parameter to client-uuid for consistency
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Sophie Tauchert
496c0e7f03
Rename some path parameter placeholders to avoid duplicating {id} in the path
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Sophie Tauchert
3e17cb0452
Add correct annotation for 204 responses to POST methods returning void
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Douglas Palmer
efde3adf60
Wrong value for VALIDATED_ID_TOKEN stored in the brokered identity context for external token exchange
...
Closes #23985
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-23 11:52:37 -03:00
Douglas Palmer
2ec1d2f7ea
Fix logic error in AbstractOAuth2IdentityProvider
...
Closes #24943
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-23 11:43:42 -03:00
Tero Saarni
fd58cb1bec
Attempt to remove warning about not using inference
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-23 10:49:58 -03:00
Tero Saarni
e35f3d7e87
Fix compilation error with ServerInfoAdminResource
...
This change fixes following type inference error:
* Type mismatch: cannot convert from Map<Boolean,Object> to Map<Boolean,List<String>>
The error comes when opening and compiling on vscode or Eclipse, which uses
Eclipse JDT compiler.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-23 10:49:58 -03:00
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
...
Closes #23404
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Thomas Darimont
d30d692335
Introduce MaxAuthAge Password policy ( #12943 )
...
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.
Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin
Fixes #12943
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
rmartinc
1241bd2919
Fix lowerCaseHostname to lower-case scheme and host properly
...
Closes https://github.com/keycloak/keycloak/issues/24792
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-20 10:00:50 +01:00
Erik Jan de Wit
941457b805
added theme name as parameter
...
moved messages to theme bundle
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-17 08:35:54 +01:00
rmartinc
5fad76070a
Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
...
Closes https://github.com/keycloak/keycloak/issues/24659
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 18:22:16 +01:00
Hynek Mlnarik
70d0f731f5
Use session ID rather than broker session ID
...
Closes : #24455
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB
...
Closes #24095
Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-16 13:50:56 +01:00
rmartinc
cca33baac3
Avoid NPE if RelayState is null and return a proper error
...
Closes https://github.com/keycloak/keycloak/issues/24079
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 12:56:49 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared ( #23600 )
...
* move account ui user profile to shared
* use ui-shared on admin same error handling
also introduce optional renderer for added component
* move scroll form to ui-shared
* merged with main
* fix lock file
* fixed merge error
* fixed merge errors
* fixed tests
* moved user profile types to admin client
* fixed more types
* pr comments
* fixed some types
2023-11-14 08:04:55 -03:00
Erik Jan de Wit
fe7833c957
Load Admin Console localizations from resource bundles ( #24316 )
...
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-13 12:39:46 -05:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents ( #24496 )
...
closes #24494
2023-11-10 11:18:27 +01:00
mposolda
7863c3e563
Moving UPConfig and related classes from keycloak-services
...
closes #24535
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
Joshua Sorah
7ca00975d4
Feature flag DPoP metadata in OIDC Well Known endpoint
...
Closes keycloak/keycloak#24547
Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2023-11-06 03:13:57 -08:00
Oliver
563ae104fd
[issue-14134] test partial import user with id
...
Fix #14134
2023-11-02 05:56:12 -07:00
rmartinc
d7bb59461d
Escape $ sign when replacing clientId in the role mappers
...
Closes https://github.com/keycloak/keycloak/issues/23692
2023-11-01 20:47:15 +01:00
rokkiter
e1735138cb
clean util * ( #24174 )
...
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
Pedro Igor
be65ba8689
Make sure optional default attributes are removed when decorating the user-define user profile configuration
...
Closes #24420
2023-11-01 14:54:09 +01:00
mposolda
0bd2b342d7
Update per review
2023-10-31 12:56:46 -07:00
mposolda
6f992915d7
Move some UserProfile and Validation classes into keycloak-server-spi
...
closes #24387
2023-10-31 12:56:46 -07:00
Justin Tay
3ff0476cc3
Allow customization of aud claim with JWT Authentication
...
Closes #21445
2023-10-31 11:33:47 -07:00
rmartinc
7deb4ca545
Group count and PartialExport permission fixes
...
Closes https://github.com/keycloak/keycloak/issues/12171
2023-10-31 01:40:21 -07:00
rmartinc
6484a3e705
Add userProfileEnabled attribute to realm response if admin can view users
...
closes https://github.com/keycloak/keycloak/issues/19093
2023-10-30 07:39:03 -07:00
Alice
69497382d8
Group scalability upgrades ( #22700 )
...
closes #22372
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
2c4d58f5af
Fix KcOidcBrokerTransientSessionsTest
...
Closes : #24313
2023-10-26 14:36:01 +02:00
rmartinc
faf398e3c3
Add openapi annotations to the UserProfileResource
...
Closes https://github.com/keycloak/keycloak/issues/9318
2023-10-25 07:44:24 -07:00
Hynek Mlnarik
a668c2cb2b
Support for transient brokering in admin console
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e
Support for transient sessions via lightweight users
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
ggraziano
84112f57b5
Verification of iss at refresh token request
...
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.
Closes #22191
2023-10-24 23:42:11 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration ( #24215 )
...
closes #24182
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-10-24 20:19:33 +02:00
Thomas Darimont
e567210ed1
Add dedicated feature flag for oauth device grant flow ( #23892 )
...
Closes #23891
2023-10-24 10:09:26 +02:00
Erik Jan de Wit
e4632c9e78
move to theme resource
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
f3d387172e
changed to realm, because that is the source
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
0f878566ab
add new locale endpoint that returns the messages
2023-10-23 15:17:18 -07:00
vramik
a0f04fa2be
Declarative User Profile export
...
Closes #12062
Resolves #20885
2023-10-21 19:21:20 +02:00
Pedro Igor
e47389f199
Username now shown when creating a user and edit username is not allowed
...
Closes #24183
2023-10-20 10:22:31 -07:00
Pedro Igor
55a5a8c0eb
Ignore custom attributes when processing attributes in verify profile action
...
Closes #24077
2023-10-20 17:51:40 +02:00
mposolda
c18e8ff535
User profile tweaks in registration forms
...
closes #24024
2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name ( #24113 )
...
closes #16379
2023-10-20 10:00:46 +02:00
mposolda
04777299b0
After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
...
closes #23880
2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias ( #24070 )
...
closes #24072
2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2
The username in account is required and don't change when email as username is enabled
...
Closes #23976
2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648
Enhancing Light Weight Token( #22148 )
...
Closes #21183
2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b
Removing the default cache metadata
...
Closes #23910
2023-10-13 16:32:55 +02:00