etiksouma
1afd20e4c3
return proper error message for admin users endpoint
...
closes #28416
Signed-off-by: etiksouma <al@mouskite.com>
2024-04-20 12:17:53 +02:00
Giuseppe Graziano
f6071f680a
Avoid the same userSessionId after re-authentication
...
Closes keycloak/keycloak-private#69
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 14:44:39 +02:00
mposolda
c427e65354
Secondary factor bypass in step-up authentication
...
closes #34
Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Giuseppe Graziano
897c44bd1f
Validation of providerId during required action registration
...
Closes #26109
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 13:06:51 +02:00
Joerg Matysiak
76a5a27082
Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
...
Don't mask secrets at realm export
Closes #21562
Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130
Make sure admin events are not referencing sensitive data from their representation
...
Closes #21562
Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Steve Hawkins
0be34d64e7
task: refactor overlap between cli clients
...
also repackaging to more clearly delineate code roles
closes : #28329
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-18 17:39:16 -03:00
cgeorgilakis-grnet
89263f5255
Fix refresh token scope in refresh token flow with scope request parameter
...
Closes #28463
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-18 16:17:46 -03:00
Ricardo Martin
8daace3f69
Validate Saml URLs inside DefaultClientValidationProvider ( #135 ) ( #28873 )
...
Closes keycloak/keycloak-private#62
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:04:13 +02:00
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access ( #131 ) ( #28872 )
...
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2024-04-18 16:02:24 +02:00
Douglas Palmer
00d4cab55e
Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink
...
Closes #21422
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-18 15:54:30 +02:00
vramik
860f3b7320
Prevent updating IdP via organization API not linked with the organization
...
Closes #28833
Signed-off-by: vramik <vramik@redhat.com>
2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint ( #146 ) ( #28866 )
...
Closes #47
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Conflicts:
core/src/main/java/org/keycloak/util/TokenUtil.java
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 14:11:05 +02:00
Justin Tay
d807093f63
Fix OCSP nonce handling
...
Closes #26439
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-18 09:04:46 +02:00
Pedro Igor
f0f8a88489
Automatically fill username when authenticating to through a broker
...
Closes #28848
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 08:24:34 +02:00
Pedro Igor
1e3837421e
Organization member onboarding using the organization identity provider
...
Closes #28273
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-17 07:24:01 -03:00
Šimon Vacek
0205262c91
Workflow failure: Fuse adapter tests
...
Closes : #27021
Signed-off-by: Simon Vacek <simonvacky@email.cz>
2024-04-15 17:28:16 +02:00
Steven Hawkins
58398d1f69
fix: replaces aesh with picocli ( #28276 )
...
* fix: replaces aesh with picocli
closes : #28275
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* fix: replaces aesh with picocli
closes : #28275
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-15 13:04:58 +00:00
Stefan Guilhen
2ab8bf852d
Add validation for the organization's internet domains.
...
Closes #28634
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-15 09:03:52 -03:00
Patrick Jennings
551a3db987
Updating validation logic to match our expectations on what applicable should mean.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
03db2e8b56
Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
9814733dd3
DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
42202ae45e
Translate client type exception during client create into bad request response.
...
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Giuseppe Graziano
4672366eb9
Simplified checks in IntrospectionEndpoint ( #28642 )
...
Closes #24466
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2024-04-12 21:19:04 +02:00
rmartinc
92bcd2645c
Retry the login in the SAML adapter if response is authentication_expired
...
Closes #28412
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 14:55:31 +02:00
Marek Posolda
e6747bfd23
Adjust priority of SubMapper ( #28663 )
...
closes #28661
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-12 14:13:03 +02:00
Pedro Igor
61b1eec504
Prevent members with an email other than the domain set to an organization
...
Closes #28644
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
Alexander Schwartz
b4cfebd8d5
Persistent sessions code also for offline sessions ( #28319 )
...
Persistent sessions code also for offline sessions
Closes #28318
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-12 13:15:02 +02:00
Martin Bartoš
a3669a6562
Make general cache options runtime ( #28542 )
...
Closes #27549
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-04-12 11:56:11 +02:00
rmartinc
6d74e6b289
Escape slashes in full group path representation but disabled by default
...
Closes #23900
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Stefan Guilhen
e6b9d287af
Add null checks after retrieving user from LDAP for validation to prevent NPE when user is removed in LDAP.
...
Closes #28523
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-11 14:29:30 -03:00
rmartinc
d31f128ca2
Fix test IdentityProviderTest#testSamlImportWithAnyEncryptionMethod
...
Closes #28577
Closes #28576
Closes #28575
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-11 18:56:37 +02:00
Steven Hawkins
d059a2af36
task: remove MultiVersionClusterTest ( #28520 )
...
closes : #17483
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-11 14:13:52 +02:00
Martin Bartoš
ad4cbf2a14
OrganizationTest.testAttributes fails in GHA CI
...
Fixes #28606
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-04-11 11:56:43 +02:00
tqe1999
6e0fc8a774
fix integer overflow with explicit cast
...
Closes #28564
Signed-off-by: tqe1999 <tqe1999@gmail.com>
2024-04-11 10:58:44 +02:00
Giuseppe Graziano
33b747286e
Changed userId value for refresh token events
...
Closes #28567
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab
Add ability to set one or more internet domain to an organization.
...
Closed #28274
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
devjos
cccddc0810
Fix brute force detection for LDAP read-only users
...
Closes #28579
Signed-off-by: devjos <github_11837948@feido.de>
2024-04-10 16:36:11 +02:00
vramik
00ce3e34bd
Manage a single identity provider for an organization
...
Closes #28272
Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:47:51 -03:00
Martin Kanis
51fa054ba7
Manage organization attributes
...
Closes #28253
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a
Initial security profile SPI to integrate default client policies
...
Closes #27189
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8
Add sub via protocol mapper to access token
...
Closes #21185
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-10 10:40:42 +02:00
mposolda
aa619f0170
Redirect error to client right-away when browser tab detects that another browser tab authenticated
...
closes #27880
Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-09 17:59:34 +02:00
Konstantinos Georgilakis
a40a953644
SAML element EncryptionMethod can consist any element
...
closes #12585
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-09 14:15:56 +02:00
Stian Thorgersen
a499512f35
Set SameSite for all cookies ( #28467 )
...
Closes #28465
Signed-off-by: stianst <stianst@gmail.com>
2024-04-09 12:29:19 +02:00
Václav Muzikář
e4987f10f5
Hostname SPI v2 ( #26345 )
...
* Hostname SPI v2
Closes : #26084
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Address review comment
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Partially revert the previous fix
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Do not polish values
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Remove filtering of denied categories
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2024-04-09 11:25:19 +02:00
vibrown
3fffc5182e
Added ClientType implementation from Marek's prototype
...
Signed-off-by: vibrown <vibrown@redhat.com>
More updates
Signed-off-by: vibrown <vibrown@redhat.com>
Added client type logic from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f
Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
...
Closes #28248
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
Justin Tay
e765932df3
Skip unsupported keys in JWKS
...
Closes #16064
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-08 08:42:31 +02:00
rmartinc
2b769e5129
Better management of the CSP header
...
Closes https://github.com/keycloak/keycloak/issues/24568
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-08 08:19:57 +02:00