Commit graph

1058 commits

Author SHA1 Message Date
Alexander Schwartz
c580c88c93
Persist online sessions to the database (#27977)
Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one.

Closes #27976

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-03-28 09:17:07 +01:00
Gilvan Filho
757c524cc5 Password policy for not having username in the password
closes #27643

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-03-28 08:29:03 +01:00
Lex Cao
a53cacc0a7 Fire logout event when logout other sessions (#26658)
Closes #26658

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-03-27 11:13:48 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession (#28150)
* fix: limit the use of Resteasy to the KeycloakSession

contextualizes other state to the KeycloakSession

close: #28152
2024-03-26 13:43:41 -04:00
Stian Thorgersen
8cbd39083e
Default password hashing algorithm should be set to default password hash provider (#28128)
Closes #28120

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 12:44:11 +01:00
Stian Thorgersen
cae92cbe8c
Argon2 password hashing provider (#28031)
Closes #28030

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:08:09 +01:00
Pedro Igor
32541f19a3 Allow managing members for an organization
Closes #27934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 10:26:30 -03:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Alexander Schwartz
6de5325d1c Limit the received content when handling the content as a String
Closes #27293

Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 16:43:03 +01:00
Pedro Igor
9ad447390a Only remove attributes with empty values when updating user profile
Closes #27797

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-13 15:03:08 +01:00
vramik
a81d6bb618 Organizations SPI
Closes #27829

Signed-off-by: vramik <vramik@redhat.com>
2024-03-13 10:57:02 -03:00
Steve Hawkins
4091baf4c2 fix: accounting for the possibility of null flows from existing realms
closes: #23980

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-08 14:25:23 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
Alexander Schwartz
595959398b
Instead of an InputStream that doesn't know about its encoding, use a String
Closes #20916

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-07 10:24:36 +00:00
Theresa Henze
653d09f39a trigger REMOVE_TOTP event on removal of an OTP credential
Closes #15403

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-03-06 17:12:50 +01:00
vramik
7adcc98c6c Map Store Removal: Remove obsolete KeycloakModelUtils.isRealmProviderJpa method
Closes #27445

Signed-off-by: vramik <vramik@redhat.com>
2024-03-04 12:22:04 +01:00
vramik
032bb8e9cc Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive method
Closes #27438

Signed-off-by: vramik <vramik@redhat.com>
2024-03-02 04:40:46 +09:00
graziang
082f9ec15b Update client scopes in Client Update Request in DCR
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.

Closes #24361

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-01 12:32:45 +01:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core (#27032)
* fix: partial removal of resteasy-core

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: fully removing resteasy-core

closes: #26315

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Dmitry Telegin
c18c4bbeb8 Remove setContext() + minor cleanup
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4 Fix UMA 2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202 Split OAuth2GrantType and OAuth2GrantTypeFactory 2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b Revert dynamic grant type resolution 2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a simplify OAuth2GrantType.Context creation 2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06 rebase 2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3 - rework grant type resolution to use supports() in addition to grant type
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e OAuth 2.0 Grant Type SPI
Closes: #26250

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
graziang
cecce40aa5 Avoid regenerating the totpSecret on every reload of the OTP configuration page
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload

Closes #26052

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Pedro Igor
52fe8b0feb Allow overriding the default validators added to attributes
Closes #27148

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-21 00:13:49 +09:00
Pedro Hos
6b3fa8b7a7
Invalid redirect uri when identity provider alias has spaces (#22840)
closes #22836


Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-02-19 14:40:42 +01:00
Vlasta Ramik
76453550a5
User attribute value length extension
Closes #9758

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-16 08:09:34 +01:00
mposolda
b4d289c562 Fixing UriValidator
closes #26792

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-15 10:30:39 +01:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
rmartinc
bc82929e3a Cors modifications for UserInfo endpoint
Closes #26782

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-14 18:24:06 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
2024-02-13 19:26:19 +01:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector (#26630)
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-07 14:13:33 +00:00
Stian Thorgersen
4d9f33efe3
Add cookie type builder (#26848)
Closes #26847

Signed-off-by: stianst <stianst@gmail.com>
2024-02-07 13:16:04 +01:00
Dmitry Telegin
da69beed4d CORS SPI - code review
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
Dmitry Telegin
b0403e2268 CORS SPI
Closes #25446

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
mposolda
f468885fdd Empty error message when validation issue due the PersonNameProhibitedValidator validation
closes #26750

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-06 12:56:50 -03:00
Stian Thorgersen
c4b1fd092a
Use code from RestEasy to create and set cookies (#26558)
Closes #26557

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:14:04 +01:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces (#26708)
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7 Improve ScheduledTask task-name handling
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.

Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.

Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
Lex Cao
a43ba73b93 Skip link only when client is not system when logout (#24595)
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 17:50:26 +01:00
rmartinc
01be4032d8 Enable verify-profile required action by default
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-31 13:32:53 +01:00
Stian Thorgersen
0fb6bdfcac
Cookie Provider - move remaining cookies (#26531)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-29 11:06:37 +01:00
Stian Thorgersen
bc3c27909e
Cookie Provider (#26499)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-26 10:45:00 +01:00
Ricardo Martin
b58f35fb47
Revert "Enable verify profile required action by default for new realms" (#26495)
This reverts commit 7f195acc14.

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-25 12:28:16 +01:00
rmartinc
7f195acc14 Enable verify profile required action by default for new realms
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-24 20:28:06 +01:00
Thomas Darimont
e7363905fa Change password hashing defaults according to OWASP recommendations (#16629)
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):

- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
  to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly

Fixes #16629

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-24 18:35:51 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes (#26273)
Closes #24105

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
Erik Jan de Wit
37790c7956
Add a way to extend the UI with an Java API (#23772)
* POC to see how we could extend the UI

This is very crude and there are still open issues that need to be worked out

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added saving option

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added list and recreate client form

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* add tab ui

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* integrate tabs

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* remove examples

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* fixed error messages

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added Feature for ui customization

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-01-22 08:19:58 +00:00
Douglas Palmer
e7d842ea32 Invalidate session secretly
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Steven Hawkins
74b56201c3
fix: adds hostname:v1 (#26003)
closes: #25336

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-01-17 21:35:23 +01:00
cgeorgilakis-grnet
ccade62289 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
Closes #24344

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-16 11:26:29 +01:00
mposolda
692aeee17d Enable user profile by default
closes #25151

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-11 12:48:44 -03:00
Thomas Darimont
9d429400d4
Avoid calling primitive wrapper constructors in server-spi-private (#24163)
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-11 11:54:44 +01:00
remi
b22efeec78 Add a toggle to use context attributes on the regex policy provider
Signed-off-by: remi <remi.tuveri@gmail.com>
2024-01-10 16:15:25 -03:00
shigeyuki kabano
67e73d3d4e Enhancing Lightweight access token M2(keycloak#25716)
Closes keycloak#23724

Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2024-01-09 09:42:30 +01:00
Douglas Palmer
58d167fe59 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user.
Closes #24651
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-08 19:32:01 -03:00
Alice W
cf19c06341 Add logging to the policy providers for general debugging purposes
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-01-05 11:56:00 -03:00
Pedro Igor
8ff9e71eae Do not allow verifying email from a different account
Closes #14776

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:45:07 +01:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
mposolda
eb184a8554 More info on UserProfileContext
closes #25691

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-19 13:00:31 -03:00
arhine
57cbb391f3 Updates
Signed-off-by: arhine <arhine@redhat.com>
2023-12-18 19:18:18 -03:00
arhine
777b3bd410 update method visibility
Signed-off-by: arhine <arhine@redhat.com>
2023-12-18 19:18:18 -03:00
Pedro Igor
778847a3ce Updating theme templates to render user attributes based on the user profile configuration
Closes #25149

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-18 15:35:52 -03:00
rmartinc
d841971ff4 Updating the UP configuration needs to trigger an admin event
Close #23896

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 19:24:30 +01:00
mposolda
c81b533cf6 Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration
closes #25416

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-14 14:43:28 +01:00
rmartinc
c14bc6f2b0 Create terms and conditions execution when registration form is added
Closes #21730

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-13 15:32:58 +01:00
Pedro Igor
fa79b686b6 Refactoring user profile interfaces and consolidating user representation for both admin and account context
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-13 08:27:55 +01:00
Ricardo Martin
f78c54fa42
Fixes for LDAP group membership and search in chunks
Closes #23966
2023-12-08 17:55:17 +01:00
mposolda
90bf88c540 Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers
closes #24718

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-12-08 12:26:35 +01:00
Vlasta Ramik
df465456b8
Map Store Removal: Remove LockObjectsForModification (#25323)
Signed-off-by: vramik <vramik@redhat.com>

Closes #24793
2023-12-07 12:43:43 +00:00
rmartinc
522e8d2887 Workaround to allow percent chars in getGroupByPath via PathSegment
Closes #25111

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 14:22:34 -03:00
Pedro Igor
ab1173182c Make sure realm is available from session when migrating to 23
Closes #25183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-06 07:42:54 -03:00
Michal Hajas
ec061e77ed
Remove GlobalLockProviderSpi (#25206)
Closes #24103

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-12-01 16:40:56 +00:00
mposolda
3fa2d155ca Decouple factory methods from the provider methods on UserProfileProvider implementation
closes #25146

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-01 10:30:57 -03:00
Pedro Igor
c5bcdbdc3f Make sure username is lowercase when normalizing attributes
Closes #25173

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-01 12:16:13 +01:00
vramik
587cef7de4 Delete Profile.Feature.MAP_STORAGE
Signed-off-by: vramik <vramik@redhat.com>

Closes #24102
2023-11-30 13:04:39 +01:00
Pedro Igor
c7f63d5843 Add options to change behavior on how unmanaged attributes are managed
Closes #24934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-11-30 06:58:21 -03:00
Steven Hawkins
8c3df19722
feature: add option for creating a global truststore (#24473)
closes #24148

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-11-30 08:57:17 +01:00
mposolda
479e6bc86b Update Kerberos provider for user-profile
closes #25074

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-29 15:21:26 -03:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
Douglas Palmer
5ce41a462b NPE in HardcodedUserSessionAttributeMapper on Token Exchange
Closes #11996

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
Douglas Palmer
7e78d29f8d NPE in User Session Note mapper on Token Exchange
Closes #24200

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-29 09:35:49 -03:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
Closes #25077

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-29 11:06:41 +00:00
Tero Saarni
ab3758842c
Add configuration option for LDAP referral (#24852)
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-28 14:06:34 +01:00
Pedro Igor
2c611cb8fc User profile configuration scoped to user-federation provider
closes #23878

Co-Authored-By: mposolda <mposolda@gmail.com>

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Thomas Darimont
d30d692335 Introduce MaxAuthAge Password policy (#12943)
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.

Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin

Fixes #12943

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
vramik
42e5055cfb Delete SearchableModelField and its usages
Signed-off-by: vramik <vramik@redhat.com>

Closes #24722
2023-11-16 18:44:49 +01:00
Hynek Mlnarik
70d0f731f5 Use session ID rather than broker session ID
Closes: #24455

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB
Closes #24095

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-16 13:50:56 +01:00
rmartinc
e3b2eec1ba Make user profile validation success if the attribute was already wrong and read-only in the context
Closes https://github.com/keycloak/keycloak/issues/24697

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-14 03:07:00 -08:00
Réda Housni Alaoui
3f014c7299
Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients (#21058)
closes #21010 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2023-11-13 19:13:01 +01:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents (#24496)
closes #24494
2023-11-10 11:18:27 +01:00
mposolda
7863c3e563 Moving UPConfig and related classes from keycloak-services
closes #24535

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
rokkiter
e1735138cb
clean util * (#24174)
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
mposolda
0bd2b342d7 Update per review 2023-10-31 12:56:46 -07:00
mposolda
6f992915d7 Move some UserProfile and Validation classes into keycloak-server-spi
closes #24387
2023-10-31 12:56:46 -07:00
rmartinc
ea398c21da Add a property to the User Profile Email Validator for max length of the local part
Closes https://github.com/keycloak/keycloak/issues/24273
2023-10-27 15:09:42 +02:00
Alice
69497382d8
Group scalability upgrades (#22700)
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
c036980c37 Add TRANSIENT_USERS feature flag 2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e Support for transient sessions via lightweight users
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
1ec2a97f92 Create serializable lightweight user adapter
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
35a226f928 Expose InMemoryUserAdapter to services and model modules
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
mposolda
c18e8ff535 User profile tweaks in registration forms
closes #24024
2023-10-20 06:31:21 -07:00
Pedro Igor
e91a0afca2 The username in account is required and don't change when email as username is enabled
Closes #23976
2023-10-17 16:43:44 -03:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156)
Closes #23155
2023-10-13 15:25:10 +02:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate (#23517)
Closes #12406


Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-10 21:54:37 +02:00
Martin Bartoš
21a23ace1d Mark required config properties for LDAP Mappers
Closes #23685
2023-10-09 08:46:57 +02:00
Daniel Fesenmeyer
dd37e02140 Improve logging in case of OIDC Identity provider errors:
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response

Closes #23690
2023-10-06 19:03:41 +02:00
Steve Hawkins
7c6f173d3a adds the ability to set the default groups via kcadm
Closes #19125
2023-10-06 17:30:24 +02:00
mposolda
cdb61215c9 UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537)
Closes #23507, #23584, #23740, #23774

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. (#22317)
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Pedro Igor
741f76887c Allow updating email when email as username is set and edit username disabed
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989 Use new findGroupByPath implementation and remove the old one
Closes #23344

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Bernd Bohmann
bb2f59df87
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted (#8430)
Closes #14820 
---------
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-09-20 17:20:43 +02:00
paul
f684a70048 KEYCLOAK-15985 Add Brute Force Detection Lockout Event 2023-09-15 10:32:07 -03:00
Daniel Fesenmeyer
a68ad55a37 Support to define compatible mappers for (new) Identity Providers
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers

Closes #21154
2023-09-13 17:19:06 -03:00
Pedro Igor
04dd9afc5e Do not store empty attributes when updating user profile
Closes #22960
2023-09-11 07:47:31 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address (#23109)
Closes #22825
2023-09-11 08:56:13 +02:00
Marek Posolda
506e2537ac
Registration flow fixed (#23064)
Closes #21514


Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
ea3225a6e1 Decoupling legacy and dynamic user profiles and exposing metadata from admin api
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
rmartinc
05bac4ff0e Remove option Nerver Expires for tokens in Advanced OIDC client configuration
Closes https://github.com/keycloak/keycloak/issues/21927
2023-08-03 12:16:08 +02:00
mposolda
6f6b5e8e84 Fix authenticatorConfig for javascript providers
Closes #20005
2023-07-31 19:28:25 +02:00
rmartinc
0a7fcf43fd Initial pagination in the admin REST API for identity providers
Closes https://github.com/keycloak/keycloak/issues/21073
2023-07-27 14:48:02 +02:00
Takashi Norimatsu
0ddef5dda8
DPoP support 1st phase (#21202)
closes #21200


Co-authored-by: Dmitry Telegin <dmitryt@backbase.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2023-07-24 16:44:24 +02:00
Takashi Norimatsu
2efd79f982 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
Closes #20584
2023-07-24 09:11:30 +02:00
Richard Stiller
9b80746b3d
improve realm file to not switch randomly otpSupportedApplications by export (#21661) 2023-07-18 13:32:41 +00:00
Michal Hajas
07c27336aa Check whether realm has store enabled for immediately sent events
Closes #21698

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-07-14 20:50:33 +02:00
Daniele Martinoli
817f129484
fix: closes #21095 (#21289)
* fix: closes #21095

* Added overloaded version of GroupUtils.toGroupHierarchy with additional full parameter.
2023-07-10 12:13:26 +02:00
Daniele Martinoli
13e2075ceb Applying reviewer comments 2023-07-07 09:00:51 -03:00
Daniele Martinoli
e6d7749cbf fix for 21476 2023-07-07 09:00:51 -03:00
Douglas Palmer
b59faa51d5 NPE in getDefaultRequiredActionCaseInsensitively
closes #21123
2023-07-04 12:15:22 -03:00
Thomas Darimont
637fa741b0
Align naming of OTP policy window setting with actual semantics (#20469) (#21316)
Closes #20469
2023-07-04 12:41:21 +02:00
mposolda
ccbddb2258 Fix updating locale on info/error page after authenticationSession was already removed
Closes #13922
2023-07-03 18:57:36 -03:00
Pedro Igor
28aa1d730d Verify holder of the device code (#21)
Closes https://github.com/keycloak/security/issues/32

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Conflicts:
    services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
2023-06-28 15:45:26 +02:00
Hynek Mlnarik
c092c76ae8 Remove ldapsOnly (Java)
In `LDAPConstants.java`, the function to set the Truststore SPI system property was removed, as this is now handled by the `shouldUseTruststoreSpi` method in `LdapUtil`.

Closes: #9313
2023-06-28 08:30:09 +02:00
Pedro Igor
d0691b0884 Support for the locale user attribute
Closes #21163
2023-06-27 09:21:08 -03:00
Erik Jan de Wit
3a3907ab15
changed to use ConfiguredProvider instead (#21097)
fixes: #15344
2023-06-27 08:00:32 -04:00
Douglas Palmer
f526f7a091 Emails with non-ascii characters are not allowed since v21.0.0
closes #20878
2023-06-22 10:27:48 -03:00
Pedro Igor
eb5edb3a9b Support reading base32 encoded OTP secret
Closes #9434
Closes #11561
2023-06-22 08:08:13 -03:00
mposolda
dc3b037e3a Incorrect Signature algorithms presented by Client Authenticator
closes #15853

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-06-21 08:55:58 +02:00
Stian Thorgersen
f82577a7f3
Removed old account console (#21098)
Co-authored-by: Jon Koops <jonkoops@gmail.com>

Closes #9864
2023-06-20 20:46:57 +02:00
Alexander Schwartz
9425432f2c Handle HTTP response codes when retrieving data from remote endpoints
Closes #20895
2023-06-12 13:37:59 +02:00