Hynek Mlnarik
26468e11f2
Use correct path to account console
...
Fixes : #27709
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-03-08 14:31:32 +01:00
Ricardo Martin
299118c45a
Change oidcScopeMissing from WARN to DEBUG ( #27439 )
...
Closes #27391
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-08 10:50:21 +00:00
Erik Jan de Wit
7d104dbe9d
no result to parse on success ( #27336 )
...
* no result to parse on success
fixes : #27245
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* translate error message
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-03-08 09:56:23 +01:00
Pedro Igor
40385061f7
Make sure refresh token expiration is based on the current time when the token is issued
...
Closes #27180
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-07 15:23:19 +01:00
rmartinc
ea4155bbcd
Remove recursively when deleting an authentication executor
...
Closes #24795
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
graziang
54b40d31b6
Revoked token cache expiration fix
...
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.
Closes #26113
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-07 13:33:37 +01:00
Alexander Schwartz
595959398b
Instead of an InputStream that doesn't know about its encoding, use a String
...
Closes #20916
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-07 10:24:36 +00:00
rmartinc
dea15e25da
Only add the nonce claim to the ID Token (mapper for backwards compatibility)
...
Closes #26893
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 09:56:57 +01:00
Theresa Henze
653d09f39a
trigger REMOVE_TOTP event on removal of an OTP credential
...
Closes #15403
Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-03-06 17:12:50 +01:00
graziang
39299eeb38
Encode role name parameter in the location header uri
...
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.
Closes #27514
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-06 15:59:26 +01:00
rmartinc
82af0b6af6
Initial client policies integration for SAML
...
Closes #26654
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-06 15:18:35 +01:00
graziang
4fa940a31e
Device verification flow always requires consent
...
Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve
Closes #26100
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-05 14:14:19 +01:00
Tero Saarni
e06fcbe6ae
Change supported criteria for Google Authenticator
...
List Google Authenticator as supported when
- hash algorithm is SHA256 or SHA512
- number of digits is 8
- OTP type is hotp
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-03-05 11:19:06 +01:00
Jon Koops
7afd75ba08
Use browser router for Account Console ( #22192 )
...
Closes #27442
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-04 12:38:28 +00:00
Steven Hawkins
be3e2fabc4
fix: remove the reliance on allowed classes ( #27368 )
...
closes : #25038
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-04 12:17:53 +00:00
Lucy Linder
aa6771205a
Update ReCAPTCHA and add support for ReCAPTCHA Enterprise
...
Closes #16138
Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
2024-03-04 20:28:06 +09:00
vramik
032bb8e9cc
Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive
method
...
Closes #27438
Signed-off-by: vramik <vramik@redhat.com>
2024-03-02 04:40:46 +09:00
rmartinc
f970803738
Check email and username for duplicated if isLoginWithEmailAllowed
...
Closes #27297
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-02 00:14:27 +09:00
Andy
137907f5ef
Roles admin REST API: Don't expand composite roles
...
Additionally:
- Import clean-up
- Added requireMapComposite as in RoleResource.addComposites
Closes #26951
Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
2024-03-02 00:03:03 +09:00
Takashi Norimatsu
1792af6850
OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor
...
closes #27412
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-03-01 14:49:23 +01:00
graziang
082f9ec15b
Update client scopes in Client Update Request in DCR
...
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.
Closes #24361
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-01 12:32:45 +01:00
Albrecht Scheidig
cad34cbb04
Restore support for locales with extensions ( #27285 )
...
Closes #27284
Signed-off-by: Albrecht Scheidig <albrecht.scheidig@hype.de>
2024-02-29 17:16:44 +00:00
Marek Posolda
ae0a0ea30b
SecureRedirectUrisEnforcerExecutor fixes ( #27369 )
...
closes #27344
Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-29 17:24:20 +01:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core ( #27032 )
...
* fix: partial removal of resteasy-core
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* fix: fully removing resteasy-core
closes : #26315
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
...
Closes #25823
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Pedro Igor
788d146bf2
Use the target client when processing scopes for internal exchanges
...
Closes #19183
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-28 15:18:43 +01:00
graziang
16a854c91b
Add option to clients to use lightweight access token
...
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes #27238
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-28 10:18:26 +01:00
Pedro Igor
0c91fceaad
Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests
...
Closes #27281
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-27 20:37:27 +09:00
Dmitry Telegin
c18c4bbeb8
Remove setContext() + minor cleanup
...
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4
Fix UMA
2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202
Split OAuth2GrantType and OAuth2GrantTypeFactory
2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b
Revert dynamic grant type resolution
2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a
simplify OAuth2GrantType.Context creation
2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06
rebase
2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3
- rework grant type resolution to use supports() in addition to grant type
...
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
cc9c8fe78a
Use EnvironmentDependentProviderFactory for DeviceGrantType
2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e
OAuth 2.0 Grant Type SPI
...
Closes : #26250
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
rmartinc
562decde35
Perform internal introspect for the access token in the account app
...
Closes #27243
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-27 09:19:20 +01:00
kaustubh-rh
03f6cda85a
Prevent user from removing built-in client scopes ( #27134 )
...
Closes #26937
Signed-off-by: Kaustubh B <kbawanka@redhat.com>
2024-02-26 11:16:23 +01:00
Gilvan Filho
83af01c4c0
Add failedLoginNotBefore to AttackDetectionResource
...
Closes #17574
Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-02-26 09:35:51 +01:00
graziang
cecce40aa5
Avoid regenerating the totpSecret on every reload of the OTP configuration page
...
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload
Closes #26052
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76
Allow setting an attribute as multivalued
...
Closes #23539
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Takashi Norimatsu
1e12b15890
Supporting OAuth 2.1 for public clients
...
closes #25316
Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 10:57:29 +01:00
Douglas Palmer
b0ef746f39
Permanently lock users out after X temporary lockouts during a brute force attack
...
Closes #26172
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Takashi Norimatsu
9ea679ff35
Supporting OAuth 2.1 for confidential clients
...
closes #25314
Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 08:34:21 +01:00
Sebastian Schuster
5e34769ee0
27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning
...
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2024-02-22 08:24:08 +09:00
Peter Keuter
01d66a662b
Expose display name and locales when user has ANY admin role ( #27160 )
...
* chore: expose display name and locales when user has view-realm
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: supportedlocales are available as stream
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: tests
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: remove unnecessarily added ignore
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
---------
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-02-21 13:30:31 -05:00
graziang
d13dc57a29
Removing duplicate claims in action tokens
...
Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload
Closes #24980
Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-21 11:30:49 +01:00
Takashi Norimatsu
1bdbaa2ca5
Client policies: executor for validate and match a redirect URI
...
closes #25637
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-20 08:37:33 +01:00
Stefan Wiedemann
aa6b102e3d
Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 ( #27030 )
...
closes #26936
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-02-19 17:41:40 +01:00