mposolda
cd154cf318
User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect
...
closes #25475
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-18 11:32:27 +01:00
Takashi Norimatsu
59536becec
Client policies : executor for enforcing DPoP
...
closes #25315
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-12-18 10:45:18 +01:00
Yoshiyuki Tabata
0ca73829d0
Fix OpenAPI spec POST /admin/realms/{realm}/clients
...
Closes #21536
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 10:08:54 +01:00
Yoshiyuki Tabata
66ee27f413
Fix OpenAPI spec POST /admin/realms/{realm}/clients-initial-access
...
Closes #25656
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 09:12:02 +01:00
Joshua Sorah
a10149bbe9
For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs
...
Closes keycloak#25544
Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-18 09:05:51 +01:00
Yoshiyuki Tabata
5bdadaacbc
Modify OpenAPI spec POST /admin/realms
...
Closes #25565
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 08:41:23 +01:00
Sophie Tauchert
3ab24afe93
Add response annotations to resourceserver
...
Closes : #25604
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-15 19:45:39 +01:00
Erwin Rooijakkers
860978b15a
Change arg of getSubGroups to briefRepresentation
...
Parameter name briefRepresentation should mean briefRepresentation,
not full. This way callers will by default get the full
representation, unless true is passed as value for
briefRepresentation.
Fixes #25096
Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>
2023-12-14 17:23:27 +01:00
Steven Hawkins
08751001db
enhance: adds truststores to the keycloak cr ( #25215 )
...
also generally correcting the misspelling trustore
closes : #24798
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2023-12-14 11:15:06 -03:00
mposolda
c81b533cf6
Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration
...
closes #25416
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-14 14:43:28 +01:00
Douglas Palmer
4b11afa87b
NullPointerException when key is not available in the database ( #25395 )
...
* NullPointerException when key is not available in the database
Closes #24485
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-12-14 09:57:53 +01:00
Václav Muzikář
e4c348e99e
Add new --proxy-headers
option ( #25178 )
...
* Add new `--proxy-headers` option
Closes #23431
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
* Address review comments vol. 03
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
* Address review comments vol. 04
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-13 10:48:12 -03:00
Pedro Igor
fa79b686b6
Refactoring user profile interfaces and consolidating user representation for both admin and account context
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-13 08:27:55 +01:00
Pedro Igor
78ba7d4a38
Do not allow removing username and email from user profile configuration
...
Closes #25147
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-11 08:30:28 +01:00
Sophie Tauchert
1d56e0371e
Make sure authz endpoints are documented in openapi spec
...
Closes : #25259
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-08 16:45:13 +01:00
mposolda
90bf88c540
Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers
...
closes #24718
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-12-08 12:26:35 +01:00
saumeen prajapati
d829534237
Remove single quote from log string
...
Closes #25060
Signed-off-by: saumeen prajapati <psaumeen@gmail.com>
2023-12-07 20:08:07 +00:00
wojnarfilip
925c5572ad
Re-enable Federated Access Token in user sessions
...
Closes #25290
Signed-off-by: wojnarfilip <fwojnar@redhat.com>
2023-12-07 19:55:20 +01:00
Vlasta Ramik
df465456b8
Map Store Removal: Remove LockObjectsForModification
( #25323 )
...
Signed-off-by: vramik <vramik@redhat.com>
Closes #24793
2023-12-07 12:43:43 +00:00
Fouad Almalki
0e535d2bbe
Retrieve ClientConnection by invoking getConnection() instead of getContextObject()
...
Signed-off-by: Fouad Almalki <me@fouad.io>
2023-12-07 13:11:54 +01:00
Stefan Guilhen
7b63d6d500
Remove ResponseSessionTask
...
- this was tightly related to retriable transactions added to map store and is no longer needed.
Closes #25309
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2023-12-06 19:53:53 +01:00
Stefan Guilhen
8e918c2ebf
Revert changes to OIDCIdentityProvider that enlisted the client logout requests in a separate transaction.
...
Closes #25308
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2023-12-06 19:47:04 +01:00
rmartinc
522e8d2887
Workaround to allow percent chars in getGroupByPath via PathSegment
...
Closes #25111
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 14:22:34 -03:00
rmartinc
d004e9295f
Do not allow remove a credential in account endpoint if provider marks it as not removable
...
Closes #25220
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-05 17:11:57 +01:00
Michal Hajas
ec061e77ed
Remove GlobalLockProviderSpi ( #25206 )
...
Closes #24103
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-12-01 16:40:56 +00:00
Ricardo Martin
3b26e5d489
Add active RSA key to decryption if deprecated mode ( #25205 )
...
Closes https://github.com/keycloak/keycloak/issues/24652
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-01 13:40:47 +00:00
mposolda
3fa2d155ca
Decouple factory methods from the provider methods on UserProfileProvider implementation
...
closes #25146
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-01 10:30:57 -03:00
Pedro Igor
c7f63d5843
Add options to change behavior on how unmanaged attributes are managed
...
Closes #24934
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-11-30 06:58:21 -03:00
Steven Hawkins
8c3df19722
feature: add option for creating a global truststore ( #24473 )
...
closes #24148
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-11-30 08:57:17 +01:00
Douglas Palmer
d0b86d2f64
Register event not triggered on external to internal token exchange
...
Closes #9684
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 15:30:47 -03:00
mposolda
479e6bc86b
Update Kerberos provider for user-profile
...
closes #25074
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-29 15:21:26 -03:00
rmartinc
16afecd6b4
Allow automatic download of SAML certificates in the identity provider
...
Closes https://github.com/keycloak/keycloak/issues/24424
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
rmartinc
3bc028fe2d
Remove lowercase for the hostname as recommended/advised by OAuth spec
...
Closes https://github.com/keycloak/keycloak/issues/25001
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 10:26:00 -03:00
rmartinc
b6cdcb3c27
Revert "Fix lowerCaseHostname to lower-case scheme and host properly"
...
This reverts commit 1241bd2919
.
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 10:26:00 -03:00
Douglas Palmer
5ce41a462b
NPE in HardcodedUserSessionAttributeMapper on Token Exchange
...
Closes #11996
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
Douglas Palmer
7e78d29f8d
NPE in User Session Note mapper on Token Exchange
...
Closes #24200
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
hokuda
a83b9d11fa
Fix typo in the balloon help of SAML Username Template Importer
...
closes #25033
Signed-off-by: hokuda <hisanobu.okuda@gmail.com>
2023-11-29 09:32:16 -03:00
Douglas Palmer
e99bd4aa3a
External to Internal Token exchange fails with Null pointer Exception if the user is not yet registered (first time token exchange)
...
Closes #16059
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:16:14 -03:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
...
Closes #25077
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-29 11:06:41 +00:00
Jon Koops
0b9dd21b0a
Attempt to request storage access for cookies ( #25055 )
...
Closes #23872
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2023-11-27 18:23:40 +00:00
Pedro Igor
2c611cb8fc
User profile configuration scoped to user-federation provider
...
closes #23878
Co-Authored-By: mposolda <mposolda@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Stian Thorgersen
a32b58d337
Escape ldap id when using normal attribute syntax ( #25 ) ( #25036 )
...
Closes https://github.com/keycloak/security/issues/46
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2023-11-27 11:38:14 +01:00
Takashi Norimatsu
1f5ee9bf80
NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token
...
closes #25022
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-11-27 08:49:48 +01:00
Sophie Tauchert
855aebabc2
Rename clientUuid path parameter to client-uuid for consistency
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Sophie Tauchert
496c0e7f03
Rename some path parameter placeholders to avoid duplicating {id} in the path
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Sophie Tauchert
3e17cb0452
Add correct annotation for 204 responses to POST methods returning void
...
Closes #24960
Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-11-23 16:08:58 +01:00
Douglas Palmer
efde3adf60
Wrong value for VALIDATED_ID_TOKEN stored in the brokered identity context for external token exchange
...
Closes #23985
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-23 11:52:37 -03:00
Douglas Palmer
2ec1d2f7ea
Fix logic error in AbstractOAuth2IdentityProvider
...
Closes #24943
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-23 11:43:42 -03:00
Tero Saarni
fd58cb1bec
Attempt to remove warning about not using inference
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-23 10:49:58 -03:00
Tero Saarni
e35f3d7e87
Fix compilation error with ServerInfoAdminResource
...
This change fixes following type inference error:
* Type mismatch: cannot convert from Map<Boolean,Object> to Map<Boolean,List<String>>
The error comes when opening and compiling on vscode or Eclipse, which uses
Eclipse JDT compiler.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-23 10:49:58 -03:00
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
...
Closes #23404
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Thomas Darimont
d30d692335
Introduce MaxAuthAge Password policy ( #12943 )
...
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.
Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin
Fixes #12943
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
rmartinc
1241bd2919
Fix lowerCaseHostname to lower-case scheme and host properly
...
Closes https://github.com/keycloak/keycloak/issues/24792
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-20 10:00:50 +01:00
Erik Jan de Wit
941457b805
added theme name as parameter
...
moved messages to theme bundle
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-17 08:35:54 +01:00
rmartinc
5fad76070a
Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
...
Closes https://github.com/keycloak/keycloak/issues/24659
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 18:22:16 +01:00
Hynek Mlnarik
70d0f731f5
Use session ID rather than broker session ID
...
Closes : #24455
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB
...
Closes #24095
Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-16 13:50:56 +01:00
rmartinc
cca33baac3
Avoid NPE if RelayState is null and return a proper error
...
Closes https://github.com/keycloak/keycloak/issues/24079
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 12:56:49 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared ( #23600 )
...
* move account ui user profile to shared
* use ui-shared on admin same error handling
also introduce optional renderer for added component
* move scroll form to ui-shared
* merged with main
* fix lock file
* fixed merge error
* fixed merge errors
* fixed tests
* moved user profile types to admin client
* fixed more types
* pr comments
* fixed some types
2023-11-14 08:04:55 -03:00
Erik Jan de Wit
fe7833c957
Load Admin Console localizations from resource bundles ( #24316 )
...
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-13 12:39:46 -05:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents ( #24496 )
...
closes #24494
2023-11-10 11:18:27 +01:00
mposolda
7863c3e563
Moving UPConfig and related classes from keycloak-services
...
closes #24535
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
Joshua Sorah
7ca00975d4
Feature flag DPoP metadata in OIDC Well Known endpoint
...
Closes keycloak/keycloak#24547
Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2023-11-06 03:13:57 -08:00
Oliver
563ae104fd
[issue-14134] test partial import user with id
...
Fix #14134
2023-11-02 05:56:12 -07:00
rmartinc
d7bb59461d
Escape $ sign when replacing clientId in the role mappers
...
Closes https://github.com/keycloak/keycloak/issues/23692
2023-11-01 20:47:15 +01:00
rokkiter
e1735138cb
clean util * ( #24174 )
...
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
Pedro Igor
be65ba8689
Make sure optional default attributes are removed when decorating the user-define user profile configuration
...
Closes #24420
2023-11-01 14:54:09 +01:00
mposolda
0bd2b342d7
Update per review
2023-10-31 12:56:46 -07:00
mposolda
6f992915d7
Move some UserProfile and Validation classes into keycloak-server-spi
...
closes #24387
2023-10-31 12:56:46 -07:00
Justin Tay
3ff0476cc3
Allow customization of aud claim with JWT Authentication
...
Closes #21445
2023-10-31 11:33:47 -07:00
rmartinc
7deb4ca545
Group count and PartialExport permission fixes
...
Closes https://github.com/keycloak/keycloak/issues/12171
2023-10-31 01:40:21 -07:00
rmartinc
6484a3e705
Add userProfileEnabled attribute to realm response if admin can view users
...
closes https://github.com/keycloak/keycloak/issues/19093
2023-10-30 07:39:03 -07:00
Alice
69497382d8
Group scalability upgrades ( #22700 )
...
closes #22372
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
2c4d58f5af
Fix KcOidcBrokerTransientSessionsTest
...
Closes : #24313
2023-10-26 14:36:01 +02:00
rmartinc
faf398e3c3
Add openapi annotations to the UserProfileResource
...
Closes https://github.com/keycloak/keycloak/issues/9318
2023-10-25 07:44:24 -07:00
Hynek Mlnarik
a668c2cb2b
Support for transient brokering in admin console
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e
Support for transient sessions via lightweight users
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
ggraziano
84112f57b5
Verification of iss at refresh token request
...
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.
Closes #22191
2023-10-24 23:42:11 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration ( #24215 )
...
closes #24182
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-10-24 20:19:33 +02:00
Thomas Darimont
e567210ed1
Add dedicated feature flag for oauth device grant flow ( #23892 )
...
Closes #23891
2023-10-24 10:09:26 +02:00
Erik Jan de Wit
e4632c9e78
move to theme resource
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
f3d387172e
changed to realm, because that is the source
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
0f878566ab
add new locale endpoint that returns the messages
2023-10-23 15:17:18 -07:00
vramik
a0f04fa2be
Declarative User Profile export
...
Closes #12062
Resolves #20885
2023-10-21 19:21:20 +02:00
Pedro Igor
e47389f199
Username now shown when creating a user and edit username is not allowed
...
Closes #24183
2023-10-20 10:22:31 -07:00
Pedro Igor
55a5a8c0eb
Ignore custom attributes when processing attributes in verify profile action
...
Closes #24077
2023-10-20 17:51:40 +02:00
mposolda
c18e8ff535
User profile tweaks in registration forms
...
closes #24024
2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name ( #24113 )
...
closes #16379
2023-10-20 10:00:46 +02:00
mposolda
04777299b0
After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
...
closes #23880
2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias ( #24070 )
...
closes #24072
2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2
The username in account is required and don't change when email as username is enabled
...
Closes #23976
2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648
Enhancing Light Weight Token( #22148 )
...
Closes #21183
2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b
Removing the default cache metadata
...
Closes #23910
2023-10-13 16:32:55 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation ( #23156 )
...
Closes #23155
2023-10-13 15:25:10 +02:00
Moritz Becker
e9f08b6500
Do not return empty scope field in token introspection response
...
Closes #16526
2023-10-13 08:36:12 +02:00
duckboy81
197b39492e
Update TokenManager.java
...
Fixed minor spelling typos
2023-10-12 14:56:24 +02:00
ici-dev-gb
32b373f05f
Don't use top-level await
for storage access checks ( #23793 )
...
Closes #23743
2023-10-12 09:28:01 +00:00
Vojtěch Boček
8871983b33
Add support for single-tenant mode to Microsoft Identity Provider ( #20699 )
...
* Add support for single-tenant mode to Microsoft Identity Provider
Fixes #20695
Closes #11207
* Add SocialLoginTest for Microsoft single-tenant variant
2023-10-10 16:35:36 -04:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate ( #23517 )
...
Closes #12406
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-10 21:54:37 +02:00
Pedro Igor
7385ed56c7
Avoid creating the component when there is no component and configuration is not provided
...
Closes #20970
Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer
dd37e02140
Improve logging in case of OIDC Identity provider errors:
...
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response
Closes #23690
2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9
UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
...
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile ( #23537 )
...
Closes #23507 , #23584 , #23740 , #23774
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c
Remove backward compatibility for ECDSA tokens
...
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. ( #22317 )
...
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830
Fix client assertion with invalid ES256, ES384, ES512 signatures
...
Closes #23721
2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14
Aligns the logic in the welcome resources
...
as a result the quarkus one can be removed
closes keycloak#23243
2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie ( #23393 )
2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service ( #23293 )
...
Closes #14009
2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d
Client roles should be mapped to any claim name
...
Closes https://github.com/keycloak/keycloak/issues/22349
2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3
Change email checkserveridentity prop as angus mail sets it to true by default
...
Closes https://github.com/keycloak/keycloak/issues/22395
2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f
fix( Closes #21236 ): Adding client-id to logout event
2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c
Allow updating email when email as username is set and edit username disabed
...
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989
Use new findGroupByPath implementation and remove the old one
...
Closes #23344
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76
Allow public clients to use PAR endpoint
...
Closes #8939
2023-09-21 13:57:42 +02:00
rmartinc
082b0ed308
verifyRedirectUri should return null when the passed redirectUri is invalid
...
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 08:19:00 +02:00
rmartinc
f8a9e0134a
Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML
...
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-20 15:09:18 +02:00
Jon Koops
e86bf1f0b2
Remove P3P
header from authentication flow
...
Closes #23348
2023-09-19 08:50:33 -03:00
rmartinc
743bb696d9
Allow duplicated keys in advanced claim mappers
...
Closes https://github.com/keycloak/keycloak/issues/22638
2023-09-19 07:49:34 -03:00
Pedro Igor
217a09ce46
Switch to Resteasy Reactive
...
Closes #10713
2023-09-18 09:19:03 -03:00
Thomas Darimont
04d16ed170
Prevent NPE in AuthenticationManager.backchannelLogout ( #23306 )
...
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.
Fixes #23306
2023-09-18 08:16:51 +02:00
paul
f684a70048
KEYCLOAK-15985 Add Brute Force Detection Lockout Event
2023-09-15 10:32:07 -03:00
Pedro Igor
1442f14c45
Registration page not showing username when edit username is not enabled
...
Closes #23185
2023-09-14 07:32:39 -03:00
Justin Tay
658c0ef19f
Send Client ID in token request with JWT Authentication
...
Closes #21444
2023-09-14 10:57:32 +02:00
Pedro Igor
5958c7948d
Ignore attributes when they are not prefixed with user.attributes prefix ( #23184 )
...
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer
a68ad55a37
Support to define compatible mappers for (new) Identity Providers
...
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers
Closes #21154
2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis
0044472f87
Add regex support in 'Condition - User attribute' execution
...
Closes #265
2023-09-13 08:36:45 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview ( #22641 )
...
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console ( #23025 )
...
Closes #17743
2023-09-12 07:56:09 -04:00
Marek Posolda
56b94148a0
Remove bearer-only occurences in the documentation when possible. Mak… ( #23148 )
...
closes #23066
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Erik Jan de Wit
c7dcef7af8
fixed permissions for locale fetch ( #23078 )
...
fixes : #23065
2023-09-11 15:00:40 -04:00
Adeel Ahmad
4f90124612
Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message
...
This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.
2023-09-11 10:45:08 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address ( #23109 )
...
Closes #22825
2023-09-11 08:56:13 +02:00
rmartinc
7da52a43bd
Add old LinkedIn provider to the deprecated profile
...
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 10:05:17 +02:00
Marek Posolda
506e2537ac
Registration flow fixed ( #23064 )
...
Closes #21514
Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
bc31fde4c0
Broker claim mapper not recognizing claims from user info endpoint
...
Closes #12137
2023-09-07 16:34:45 +02:00
stianst
211c027adb
Remove use of Guava in services
...
Closes #23009
2023-09-07 08:59:02 +02:00
Kaustubh B
5ee2ba9372
Added tests
2023-09-07 08:43:35 +02:00
Kaustubh B
c57e775102
Fixed Regex
2023-09-07 08:43:35 +02:00
rmartinc
8887be7887
Add a new identity provider for LinkedIn based on OIDC
...
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f
Role mappers must return a single value when they are not multivalued
...
Closes #20218
2023-08-31 19:16:12 +02:00
Pedro Igor
ea3225a6e1
Decoupling legacy and dynamic user profiles and exposing metadata from admin api
...
Closes #22532
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
Pedro Igor
b779df6a55
Parsing response from user info rather than the access token
...
Closes #22581
2023-08-29 12:23:56 +02:00
rmartinc
b67ede2a30
RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing
...
Closes https://github.com/keycloak/keycloak/issues/22424
2023-08-17 09:11:08 +02:00
Erik Jan de Wit
b4650b7742
use logged in realm as default ( #22460 )
2023-08-16 14:29:07 -04:00
t0xicCode
822c13ff6f
Switch Trusted Host policy redirect verification to URI
...
Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI.
The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used.
In contrast, the URI class simply parses the string, ensuring the format is valid.
The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs.
See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation.
Closes #22309
2023-08-14 10:20:23 +02:00
Pedro Igor
baac060eb1
Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts
...
Closes #21751
2023-08-11 13:32:16 +02:00
Erik Jan de Wit
874d2063b8
only add realm access to the current realm ( #21554 )
...
fixes : #21553
2023-08-10 12:43:15 +02:00
Takashi Norimatsu
258711ef4f
DPoP verification in UserInfo endpoint
...
closes #22215
2023-08-07 10:49:33 +02:00
Takashi Norimatsu
9d0960d405
Using DPoP token type in the access-token and as token_type in introspection response
...
closes #21919
2023-08-07 10:40:18 +02:00
Erik Jan de Wit
339619816a
lazy populate the treeview for groups ( #21520 )
...
* added lazy parameter
fixes : #19954
* changed to only have the parameter
* fixed merge errors
* removed the `lazy` and now add subgroups on select
* lint
* fixed prettier
* fixed nullpointer
* fixed member tab
2023-08-04 20:19:34 +00:00
Rishabh Dixit
d73298aab6
Add getStatus() to response obj
...
Closes #22241
2023-08-04 18:43:50 +02:00
Marek Posolda
4dc929abb3
Missing client_id validation match when authenticating client with JW… ( #22178 )
...
Closes #22177
2023-08-03 11:47:55 +02:00
Takashi Norimatsu
ee998fee66
Add FAPI 2.0 security profile as default profile of client policies
...
closes #21181
2023-08-03 09:26:16 +02:00
Ricardo Martin
a8bca522c1
Fix issue with access tokens claims not being imported using OIDC IDP Attribute Mappers ( #21627 )
...
Closes #9004
Co-authored-by: Armel Soro <armel@rm3l.org>
2023-08-02 09:36:50 +02:00
Thomas Darimont
82269f789a
Avoid using deprecated junit APIs in tests
...
- Replaced usage of Assert.assertThat with static import
- Replaced static import org.junit.Assert.assertThat with org.hamcrest.MatcherAssert.assertThat
Fixes : #22111
2023-08-01 11:44:25 +02:00
Alexander Schwartz
748c53df7f
Use Java mechanisms to read language files and default to UTF-8 ( #21755 )
...
Closes #21753
2023-08-01 11:27:10 +02:00
mposolda
6f6b5e8e84
Fix authenticatorConfig for javascript providers
...
Closes #20005
2023-07-31 19:28:25 +02:00
rmartinc
0a7fcf43fd
Initial pagination in the admin REST API for identity providers
...
Closes https://github.com/keycloak/keycloak/issues/21073
2023-07-27 14:48:02 +02:00
Takashi Norimatsu
9a921441cc
Adjustements to the behaviour of dpop_bound_access_tokens switch
...
closes #21920
2023-07-27 11:30:01 +02:00
Alexander Schwartz
1ec8d3a9a4
Convert LinkExpirationFormatterMethod to Java's ChoiceFormat pattern
...
Closes #21887
2023-07-27 10:30:37 +02:00
Takashi Norimatsu
6498b5baf3
DPoP: OIDC client registration support
...
closes #21918
2023-07-26 13:00:35 +02:00
Ricardo Martin
ee35cfe478
Add logout other sessions checkbox to TOTP, webauthn and recovery authn codes setup pages ( #21897 )
...
* Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page
Closes #10232
2023-07-26 11:34:19 +02:00
Hunor Kovács
5eb505aba5
Handle error when Microsoft Graph API /me returns not successful ( #21696 )
...
* Response from Microsoft Graph API /me can be error too. So if that happens, throw an exception instead of trying to extract the user id.
* Update services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java
Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>
---------
Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>
2023-07-26 07:22:52 +00:00
Takashi Norimatsu
0ddef5dda8
DPoP support 1st phase ( #21202 )
...
closes #21200
Co-authored-by: Dmitry Telegin <dmitryt@backbase.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2023-07-24 16:44:24 +02:00
Takashi Norimatsu
05b8b9ee51
Enhancing Pluggable Features of Token Manager
...
closes #21182
2023-07-24 09:16:29 +02:00
Takashi Norimatsu
2efd79f982
FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
...
Closes #20584
2023-07-24 09:11:30 +02:00
ali_dandach
ef19e08814
Fix String comparisona ( #21752 )
...
Closes #21773
2023-07-21 10:37:24 +02:00
mposolda
03716ed452
Keycloak forgets ui_locales parameter when using reset password
...
closes #10981
2023-07-18 09:24:12 +02:00
rmartinc
630e3b2312
Revert emailVerified to false if email modified on force-sync non-trusted broker
...
Closes https://github.com/keycloak/security/issues/48
2023-07-17 13:13:47 +02:00
vramik
47eeece827
Update javadoc for user search in UserResource
...
Closes #21053
2023-07-11 11:14:29 +02:00
Pedro Igor
376d20c285
Remove user credentials from admin event representation ( #21561 )
...
Closes #17470
2023-07-11 08:26:29 +02:00
rmartinc
13870f3a69
Improve error management in the github provider
...
Closes https://github.com/keycloak/keycloak/issues/9429
2023-07-10 16:09:08 -03:00
Václav Muzikář
97a37f565e
Align guava dependency with the Quarkus Platform BOM ( #21544 )
...
Closes #21364
2023-07-10 16:13:13 +02:00
Daniele Martinoli
1644432df3
Reviewed solution as per reviewer's comments
2023-07-10 08:31:47 -03:00
Daniele Martinoli
d148a789f7
added clientNote to show the sign out option
2023-07-10 08:31:47 -03:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA ( #21160 )
...
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.
Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.
* Update js/apps/admin-ui/public/locales/en/clients.json
Co-authored-by: Marek Posolda <mposolda@gmail.com>
* Updating boolean variable name based on suggestions by Marek.
* Adding integration test specifically for the JWT parameters for regression #20847 .
---------
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-07-10 13:28:55 +02:00
Daniele Martinoli
817f129484
fix: closes #21095 ( #21289 )
...
* fix: closes #21095
* Added overloaded version of GroupUtils.toGroupHierarchy with additional full parameter.
2023-07-10 12:13:26 +02:00
Daniele Martinoli
7b8dcb42ea
Using "Account is disabled" message (and also added new test case)
2023-07-07 12:16:38 -03:00
Daniele Martinoli
13e2075ceb
Applying reviewer comments
2023-07-07 09:00:51 -03:00
Daniele Martinoli
e6d7749cbf
fix for 21476
2023-07-07 09:00:51 -03:00
Daniele Martinoli
b458356aa9
integrated reviewer comments
2023-07-07 08:59:36 -03:00
Daniele Martinoli
c9a226e220
Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java
...
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-07-07 08:59:36 -03:00
Daniele Martinoli
96f09fcd90
Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java
...
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-07-07 08:59:36 -03:00
Daniele Martinoli
83d88f6bb5
added Hardcoded Group mapper to IDP configuration
2023-07-07 08:59:36 -03:00
Erik Jan de Wit
2f5040f565
added locale selector for account console
...
fixes : #20941
2023-07-06 11:14:39 -03:00
Douglas Palmer
8cc04a6724
NullPointerException on reading auth.attemptedUsername in terms template
...
closes #21294
2023-07-04 16:07:44 -03:00
rmartinc
09e30b3c99
Support for JWE IDToken and UserInfo tokens in OIDC brokers
...
Closes https://github.com/keycloak/keycloak/issues/21254
2023-07-03 21:25:46 -03:00
mposolda
ccbddb2258
Fix updating locale on info/error page after authenticationSession was already removed
...
Closes #13922
2023-07-03 18:57:36 -03:00
Jon Koops
c0b0a25f71
Handle exceptions thrown when requesting storage-access
permission ( #21325 )
2023-06-30 00:35:10 +00:00
Daniele Martinoli
e2ac9487f7
Conditional login through identity provider ( #20188 )
...
Closes #20191
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-06-29 18:44:15 +02:00
Joshua Sorah
f695eeaa44
Refactor Admin REST API Documentation to use OpenAPI annotations.
...
Removes dependencies on swagger-doclet
Adds dependencies on microprofile-openapi-api
Plugins for smallrye-open-api-maven-plugin, openapi-generator-maven-plugin
Customized ascii doc template for openapi-generator-maven-plugin, to give similar feel to previous documentation.
OpenAPI annotations added to Admin REST API resources.
Closes keycloak/keycloak#20433
2023-06-29 17:03:38 +02:00
Fouad Almalki
b336732251
Add iat to JWT passed to CIBA HttpAuthenticationChannel ( #21280 )
...
Closes #21283
2023-06-29 07:55:57 +02:00
Marek Posolda
51a9712e59
Improper Client Certificate Validation for OAuth/OpenID clients ( #20 )
...
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2023-06-28 17:52:48 -03:00
Ricardo Martin
1973d0f0d4
Check the redirect URI is http(s) when used for a form Post ( #22 )
...
Closes https://github.com/keycloak/security/issues/22
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2023-06-28 17:52:48 -03:00
Pedro Igor
28aa1d730d
Verify holder of the device code ( #21 )
...
Closes https://github.com/keycloak/security/issues/32
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Conflicts:
services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
2023-06-28 15:45:26 +02:00
rmartinc
4bc11bdf7f
Do not return an error when moving a group to the current parent
...
Closes https://github.com/keycloak/keycloak/issues/21242
2023-06-28 10:34:15 +02:00
rmartinc
a5a2753d11
Don't allow impersonate disabled users or service accounts
...
Closes https://github.com/keycloak/keycloak/issues/21106
2023-06-28 10:18:21 +02:00
Douglas Palmer
59e1a5d992
Custom theme - url.resourcesCommonPath references wrong theme
...
closes #20085
2023-06-28 08:25:44 +02:00
Douglas Palmer
c75bf31398
Empty shortVerificationUri not the same with default (null) value
...
closes #20851
2023-06-27 14:57:24 +02:00