Commit graph

3659 commits

Author SHA1 Message Date
Satria Hu
31d8a927ff KEYCLOAK-19602 moved create/update admin console event after commit, to prevent false alarm to event listeners 2022-02-16 19:53:29 -03:00
Pedro Igor
7da3953435 Path parameter is missing in the get account endpoint
Closes #10055
2022-02-15 15:44:05 -03:00
Pedro Igor
f3c3bb5001
Removing unnecessary code paths during startup (#10131)
Closes #10130
2022-02-15 12:09:14 +01:00
Marek Posolda
90d4e586b6
Show error in case of an unkown essential acr claim. Make sure correc… (#10088)
* Show error in case of an unkown essential acr claim. Make sure correct acr is set after authentication flow during step-up authentication
Closes #8724

Co-authored-by: Cornelia Lahnsteiner <cornelia.lahnsteiner@prime-sign.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-02-15 09:02:05 +01:00
Dominik Guhr
5d781304e7 Fix idelauncher resourceloading
caused by doubled slashes when getting the path for resources while running IDELauncher. So now we sanitize them. Tests by building and running  wf and quarkus distribution, running from idelauncher and running using quarkus:dev, assets got always loaded.

closes #9942
2022-02-14 15:51:58 -03:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT (#10165) 2022-02-11 21:28:06 +01:00
Francis PEROT
623aaf1e8b Fixes collection comparison ignoring order
Use of containsAll() does not permit to compare if 2 lists are equals
(ignoring order)
Previous implementation of CollectionUtil.collectionEquals(...) was not taking care of specific cases where you can have [ A, A, B ] and [ A, B, B ] and complexity was O(n²)
Using Map, complexity is now O(n)

Closes #9920
2022-02-11 10:01:41 +01:00
Martin Bartoš
6c09ec6de6 Hide 'unknown' transport media type label for WebAuthn authenticators
Closes #10036
2022-02-11 08:28:50 +01:00
Martin Bartoš
75c7491b85 Remove external Collection utility class for WebAuthn
Closes #10034
2022-02-09 11:53:03 +01:00
Mauro de Wit
2c238b9f04
session-limiting-feature (#8260)
Closes #10077
2022-02-08 19:16:06 +01:00
Alexander Schwartz
100dbb8781
Rework escaping of special characters in message properties for account console (#9995)
Closes #9503
2022-02-07 14:47:03 -05:00
Martin Bartoš
5494848f3f Not possible to register webauthn key on Firefox
Closes #10020
2022-02-07 12:21:22 +01:00
Marek Posolda
d9c8cb30a5
Closes #9498 - Fix cases when user is forced to re-authenticate (#9580) 2022-02-07 09:02:08 +01:00
Martin Bartoš
d82122b982 Store information about transport media of WebAuthn authenticator
Closes #9800
2022-02-04 19:36:30 +01:00
Takashi Norimatsu
07d43f31f3 Expected Scopes of ClientScopesCondition created on Admin UI are not saved onto ClientScopesCondition.Configuration
Closes #9371
2022-02-04 18:02:15 +01:00
Martin Kanis
0471ec4941 Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded 2022-02-03 21:43:47 +01:00
Konstantinos Georgilakis
a1f2f77b82 Device Authorization Grant with PKCE
Closes #9710
2022-02-03 08:37:07 +01:00
Daniel Gozalo
db4642d250 [fixes #9919] - Enable Dynamic Scopes for the resource-owner-password-credentials grant
Change some calls to the new AuthorizationContextUtil class and add tests for the client-credentials grant
2022-02-03 08:19:44 +01:00
Marek Posolda
d27635fb1b
Fixing for token revocation checks only (#9707)
Closes #9705
2022-02-02 15:21:44 +01:00
Daniel Gozalo
3528e7ba54 [fixes #9224] - Get consented scopes from AuthorizationContext
Always show the consent screen when a dynamic scope is requested and show the requested parameter

Improve the code that handles dynamic scopes consent and add some log traces

Add a test to check how we show dynamic scope in the consent screen and added missing template file change

Fix merge problem in comment and improve other comments

Fix the Dynamic Scope test by assigning it to the client as optional instead of default

Change how dynamic scopes are represented in the consent screen and adapt test
2022-02-02 09:10:20 +01:00
Martin Bartoš
c40e842b45
Verify the WebAuthn functionality and settings for authentication (#9851)
* Verify the WebAuthn functionality and settings for authentication

Closes #9504
2022-01-31 15:42:08 +01:00
Alexander Schwartz
df7ddbf9b3 Added ModelIllegalStateException to handle lazy loading exception.
Closes #9645
2022-01-31 10:10:41 +01:00
Stian Thorgersen
d1d656162d
Enable keycloak.v2 admin theme by default when admin2 feature is enabled (#9859)
Closes #9858
2022-01-28 13:24:50 +01:00
Takashi Norimatsu
ef134390c2 Client Policies : Condition's negative logic configuration is not shown in Admin Console's form view
Closes #9447
2022-01-27 09:55:22 +01:00
Daniel Gozalo
4136bf7700 [fixes #9750] Make sure a Dynamic scope isn't assignable to a client as a default scope, and only show non-dynamic scopes in the available client scopes client menu 2022-01-26 13:32:04 +01:00
Daniel Gozalo
dad51773ea [fixes #9223] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker

Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext

Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing

Move the AuthorizationRequest objects to server-spi

Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it

Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time

Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag

Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag

Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user

Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more

Test how the server genereates the AuthorizationDetails object

Fix formatting, move classes to better packages and fix parent test class by making it Abstract

Match Dynamic scopes to Optional scopes only and fix tests

Avoid running these tests on remote auth servers
2022-01-26 13:19:23 +01:00
Thomas Darimont
438fc2865f Fix embedded theme-resources lookup in Keycloak.X
Previously lookups for embedded theme-resources did not work for Keycloak.X because of a missing
`ClasspathThemeResourceProvider` registration.

This PR ensures that a `ClasspathThemeResourceProvider` is registered in Keycloak.X based deployments.

Added empty constructors to ClasspathThemeResourceProvider to enable dynamic instantiation by Quarkus.

Fixes #9653
2022-01-21 09:52:26 -03:00
mposolda
3dd97f3f2f Fix migration test
Closes #9550
2022-01-20 13:42:47 +01:00
Konstantinos Georgilakis
0c9ab32cf4 Fix scope bug in device authorization request
Closes #9617
2022-01-19 18:13:42 +01:00
Pedro Igor
4c747047ce
Backward compatibility for lower-case bearer type in token responses (#9538)
Closes #9537
2022-01-13 08:34:45 +01:00
Daniel Gozalo
8ea09d3816
[fixes #9222] - Let users configure Dynamic Client Scopes (#9327) 2022-01-12 14:27:24 +01:00
Marek Posolda
8f221bb21e
Validation for CIBA binding_message parameter (#9470)
closes #9469
2022-01-11 11:19:15 +01:00
Martin Bartoš
d75d28468e
KEYCLOAK-19490 Add more details about 2FA to authenticate page (#9252)
Closes #9494
2022-01-11 09:16:22 +01:00
CorneliaLahnsteiner
dff79cee3c
KEYCLOAK-847 Add support for step up authentication (#7897)
KEYCLOAK-847 Fix behavior of unknown not essential acr claim

Co-authored-by: Georg Romstorfer <georg.romstorfer@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2021-12-22 12:43:12 +01:00
keycloak-bot
9f3d4a7d42 Set version to 17.0.0-SNAPSHOT 2021-12-20 10:50:39 +01:00
Stian Thorgersen
45e9243054
Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users (#9211)
* Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users

Co-authored-by: stianst <stianst@gmail.com>

* fixing test

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 14:45:56 +01:00
vramik
e61da278ba When ternary conditional operator uses primitive type it could throw NPE in some cases
Closes #9137
2021-12-15 10:25:54 +01:00
Pedro Igor
7dc5556b40 [fixes #9092] - Avoid failing when request is not a form-urlencoded 2021-12-14 03:32:43 -08:00
stianst
85240c9606 Remove deprecated kcinit from keycloak
Closes #9106
2021-12-13 15:51:51 +01:00
thomasmicro
c474e770fe Clarify Admin UI Name of NoCookieFlowRedirectAuthenticator
In the Admin UI, the Authenticator was simply called Browser Redirect/Refresh which gives the impression that it is a generic redirector (which would be a cool validator).

This Quick Fix changes the Name to "Browser Redirect for Cookie free authentication" which should bring more clarity.
2021-12-13 13:14:49 +01:00
Martin Bartoš
3a2bf0c04b WebAuthnAuthenticator add timeout property 2021-12-12 11:36:51 +01:00
Hynek Mlnarik
95614e8b40 Fix NPE for component creation when realm unset but config known
Fixes #9019
2021-12-07 20:15:05 +01:00
Yoshiyuki Tabata
b1eeb0626e KEYCLOAK-13847 fix offline token refresh date 2021-12-01 08:30:08 +01:00
Andre Fucs de Miranda
b03b390dd2 KEYCLOAK-19228: Prevent user enumeration in FIPS mode 2021-11-24 18:11:27 +01:00
Nemanja Hiršl
c9e1e00b95 KEYCLOAK-19773 BFD and Direct Grant - inconsistent number of failures
Do not "failure" on temporary or permanently locked users, but "forceChallenge"
Failure increments number of failures, and forceChallenge doesn't

Test cases cover:
1. Already disabled users
2. Temporarily disabled users by BFD
3. Permanently disabled users by BFD
2021-11-24 15:28:18 +01:00
Martin Bartoš
1e1a6779be Issue 8814: Replace deprecated hamcrest-all dependencies 2021-11-23 13:56:28 +01:00
bal1imb
661aca4452 KEYCLOAK-19283 Implemented new identity provider mapper "Advanced claim to group mapper" alongside tests. 2021-11-19 16:54:39 +01:00
Hiroyuki Wada
884471c729 KEYCLOAK-19237 Avoid using stream that has been operated 2021-11-18 17:46:35 +01:00
Takashi Norimatsu
10c3e149d3 KEYCLOAK-19699 RSA key provider with key use = enc cannot select corresponding algorithm on Admin Console 2021-11-18 13:24:50 +01:00
Olivier Boudet
ed6eea26ea KEYCLOAK-19413 Allows to set login_hint on registration and reset-credentials pages 2021-11-18 13:17:10 +01:00