Commit graph

4014 commits

Author SHA1 Message Date
Takashi Norimatsu
148c7695ff Pluggable Features of Token Manager
Closes #12065
2022-10-07 08:43:34 +02:00
Hynek Mlnarik
36a1ce6a1a Ensure map storage providers are closed upon session close
Fixes: #14730
2022-10-05 14:16:19 +02:00
Marek Posolda
425b6b8df2
Parameters 'client_id' and 'response_type' not strictly required in O… (#14679)
* Parameters 'client_id' and 'response_type' not strictly required in OIDC request object
Closes #14255
2022-10-05 11:20:15 +02:00
Douglas Palmer
44aae52fb4
Fixed locale switcher on error page (#14728)
Closes #14205
2022-10-05 10:30:07 +02:00
Marek Posolda
c59660ca86
KEYCLOAK_SESSION not working for some user federation setups when user ID has special chars (#14560)
closes #14354
2022-10-05 08:59:30 +02:00
Alice Wood
1eb7e95b97 enhance existing group search functionality allow exact name search keycloak/keycloak#13973
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
2022-09-30 10:37:52 +02:00
Marcelo Daniel Silva Sales
22713bc144
Incorrect error message OIDC client authentication (#14656)
closes #12162


Co-authored-by: Pedro Hos <pedro-hos@outlook.com>
2022-09-30 09:40:05 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron (#14415)
Closes #12702
2022-09-27 08:53:46 +02:00
Alexander Schwartz
be2deb0517 Modify RealmsAdminResource.importRealm to work with InputStream
Closes #13609
2022-09-26 20:58:08 +02:00
Ivan Atanasov
4016dd95d2
Use temporary file to reduce the chance of serving partial gzipped resource (#14511)
Closes #14510
2022-09-23 07:51:41 +02:00
Alice Wood
55a660f50b enhance group search to allow searching for groups via attribute keycloak/keycloak#12964
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-09-19 15:19:36 +02:00
Takashi Norimatsu
0a832fc744 Intent support before issuing tokens (UK OpenBanking)
Closes #12883
2022-09-19 12:15:00 +02:00
Dmitry Telegin
cc2117bf7c UserInfo endpoint not fully standards compliant
Closes #14184
2022-09-16 10:15:08 +02:00
danielFesenmeyer
3af1134975 Update IDP link username when sync mode is "force"
Closes #13049
2022-09-14 08:02:17 -03:00
Václav Muzikář
e999aeeab8 Fix DefaultHostnameTest on Undertow 2022-09-13 14:41:23 -03:00
Christoph Leistert
7e5b45f999 Issue #8749: Add an option to control the order of the event query and admin event query 2022-09-11 21:30:12 +02:00
Alexander Schwartz
1d2d3e5ca5 Move UserFederatedStorageProvider into legacy module
Closes #13627
2022-09-11 18:37:45 +02:00
Thomas Darimont
962a685b7b KEYCLOAK-15773 Control availability of admin api and admin-console via feature flags
Inline profile checks for enabled admin-console to avoid issues during
static initialization with quarkus.

Potentially Re-enable admin-api feature if admin-console is enabled
via the admin/admin2 feature flag.

Add legacy admin console as deprecated feature flag
Throw exception if admin-api feature is disabled but admin-console is enabled

Adapt ProfileTest

Consider adminConsoleEnabled flag in QuarkusWelcomeResource
Fix check for Admin-Console / Admin-API feature dependency.

Add new features to approved help output files

Co-authored-by: Stian Thorgersen <stian@redhat.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2022-09-09 18:18:51 -03:00
Pedro Igor
3518362002 Validate auth time when max_age is sent to brokered OPs
Closes #14146
2022-09-09 10:30:51 -03:00
Martin Bartoš
0fcf5d3936 Reuse of token in TOTP is possible
Fixes #13607
2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default (#14293)
Closes #14292
2022-09-09 13:47:51 +02:00
Dominik Guhr
f2b02f19e6 Closes #13786 2022-09-07 18:29:26 +02:00
cgeorgilakis
07b0df8f62
View groups from account console (#7933)
Closes #8748
2022-09-07 11:25:31 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 (#14179)
Closes #14179
2022-09-07 10:09:30 +02:00
evtr
4469bdc0a9
RelayState max length not respected
Fixes: #10227
2022-09-06 22:01:14 +02:00
Stu Tomlinson
f57560afd3 Improve error messages for invalid SAML responses
Closes #13534
2022-09-06 21:49:14 +02:00
Christoph Leistert
cc2bb96abc Fixes #9482: A user could be assigned to a parent group if he is already assigned to a subgroup. 2022-09-06 21:31:31 +02:00
Pedro Igor
a6137b9b86 Do not empty attributes if they are not provided when user profile is enabled
Closes #11096
2022-09-06 12:59:05 +02:00
Michal Hajas
f69497eb28 KEYCLOAK-12988 Deprecate getUsers* methods in favor of searchUsers* variants
Closes #14018
2022-09-06 10:38:28 +02:00
Youssef El Houti
7f58c1c570 KEYCLOAK-19138 nginx x509 client trusted certificate lookup 2022-09-01 15:02:56 -03:00
Thomas Darimont
43623ea9d0 KEYCLOAK-18499 Add max_age support to oauth2 brokered logins
Revise KcOidcBrokerPassMaxAgeTest to use setTimeOffset(...)
2022-09-01 09:24:44 -03:00
Joerg Matysiak
a8019d78e7 Fixed handling of required setting for email in user profile.
Resolves #13923
2022-08-31 17:19:19 -03:00
Nagy Vilmos
f6db484172
Keep the locale related authNotes through the IdentityBroker flow. (#10444)
Closes #8827
2022-08-31 09:37:26 +02:00
Martin Bartoš
e6a5f9c124 Default required action providers are still available after feature disabling
Closes #13189
2022-08-31 08:42:47 +02:00
Moritz H
c4971d179c
KEYCLOAK-18273 Display Idp displayName if available (#8087)
Co-authored-by: moritz.hilberg <moritz.hilberg@pwc.com>
2022-08-30 15:32:27 -03:00
Manato Takai
1cdc21f0ff
Add duplicate parameter check for UserInfo endpoint. (#14024)
Closes #14016
2022-08-30 14:39:15 +02:00
Réda Housni Alaoui
3f088bfd21
KEYCLOAK-17013 Brute force protection: Successfully logged in user should not have to wait up to 5 seconds for event processing (#7748) 2022-08-29 19:41:35 +02:00
Tero Saarni
4f199c7245 Fix compilation errors with Eclipse Java compiler 2022-08-29 19:33:12 +02:00
Nemanja Hiršl
b7309e86d9
Closes #8992 - Extending DefaultBruteForceProtector (#8993)
* Closes #8992 - Extending DefaultBruteForceProtector

* Update services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtectorFactory.java

* Update services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtectorFactory.java

Co-authored-by: Stian Thorgersen <stian@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-29 16:43:13 +02:00
Stian Thorgersen
aeba5e9f4b
Add FreeMarkerProvider to prevent multiple instances of FreeMarker templates (#14062)
* Add FreeMarkerProvider to prevent multiple instances of FreeMarker templates

Closes #19185
2022-08-29 08:42:53 -03:00
jsarem
f0397f33b4
Expose same common informational variables to all email body templates (#13998)
Closes #14017
2022-08-29 08:09:18 +02:00
Jason
c6c65ad10b
Check IdP display name length before capitalizing (#13151)
https://github.com/keycloak/keycloak/issues/13150

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-26 13:16:10 +02:00
Hawk Newton
b1487b9d72
Increase max size of additional request params (#8382)
Closes #14015
2022-08-26 09:34:43 +02:00
GQ
518d318f0c
Update CorsPreflightService.java (#8387)
Adding DELETE & PUT

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-26 08:00:55 +02:00
Joerg Matysiak
62790b8ce0 Allow permission configuration for username and email in user profile.
Enhanced Account API to respect access to these attributes.

Resolves #12599
2022-08-25 21:54:51 -03:00
supersoaker
e47bbba7ef
added possibility to use user in terms.ftl (#7831) 2022-08-25 15:08:38 +02:00
Clay Risser
f145667144
Fixed spelling error (#13595)
Fixes issue #13594

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-25 12:46:43 +02:00
Christoph Leistert
5408d25e09
Fixes #10656: Sub realm localization GET endpoints can be called using tokens issued by the master realm. (#10660)
* Fixes #10656: Sub realm localization GET endpoints can be called using tokens issued by the master realm.

* Fixes #10656: Added some tests
2022-08-25 09:02:07 +02:00
Erich Bremer
c98a760beb
remove javax.json and replace with FasterXML (#11554)
remove javax.json and replace with FasterXML to be consistent with the rest of the project.

Closes #11544
2022-08-25 08:49:22 +02:00
Pedro Igor
ddcf0f45f9 Run import within the context of the realm being imported
Closes #12289
2022-08-25 08:18:43 +02:00
Pedro Igor
25be07be17 Allow introspecting tokens issued during token exchange with delegation semantics
Closes #9337
2022-08-24 09:47:04 -03:00
Takashi Norimatsu
8c1ea4b47c mTLS binding support for password grant
Closes #13662
2022-08-24 11:44:48 +02:00
Konstantinos Georgilakis
c5b9dc1e7b set context session client equal to clientsession client (fromClientSessionAndScopeParameter method of DefaultClientSessionContext)
Closes #13162
2022-08-23 17:33:07 +02:00
Konstantinos Georgilakis
baa89debd9 Correct isValidScope method of TokenManager for Dynamic scopes
Closes #13158
2022-08-23 16:30:04 +02:00
Konstantinos Georgilakis
2002fd983b Showing consent screen text instead of scope name in consent part of Application page in Account console
Closes #13109
2022-08-23 11:22:31 +02:00
rishabhsvats
c223291a1e Adds REGISTER event when new user login through first broker flow
Updates KcOidcBrokerEventTest, AbstractFirstBrokerLoginTest to factor in REGISTER event in first broker flow

Closes #11646

Correcting Indentation of AbstractFirstBrokerLoginTest
2022-08-23 10:43:56 +02:00
Stefan Guilhen
6d99686220
Fix user session deadlock by enlisting broker logout request after main logout transaction commits. (#13889)
- This also fixes broker test failures with CockroachDB

Closes #13348
Closes #13212
Closes #13214
2022-08-23 09:57:40 +02:00
David Anderson
ce1331f550
Remove bouncycastle dependency from keycloak-services (#13489)
Closes #12857


Co-authored-by: mposolda <mposolda@gmail.com>
2022-08-22 15:43:59 +02:00
Sebastian Schuster
fb978de0d8 12653 check if fine-grained permissions are enabled before retrieving group memberships of users 2022-08-22 09:34:46 -03:00
Sebastian Schuster
916cfbbaf1 13647 Added null checks and some comments/questions for discussions. Will be squashed later if accepted. 2022-08-22 09:34:12 -03:00
Sebastian Schuster
53472e097c 13647 fixed wrong feature flag for checking admin fine-grained authz 2022-08-22 09:34:12 -03:00
Pedro Igor
5f2191813a
Remove unnecessary code paths during startup (#13848)
Closes #13847
2022-08-19 14:54:11 +02:00
Pedro Igor
841c65d24f Return 404 when invoking authorization endpoints in case authz settings are disabled
Closes #10151
2022-08-16 16:37:44 -03:00
Markus Till
fa383bf76c
Suppress confirmation screen for logout in oidc (#13471)
Closes #13469
2022-08-10 18:25:50 +02:00
Marcelo Daniel Silva Sales
e44cea587f
NullPointer during OIDC logout client disabled (#13424)
closes #12624
2022-08-08 12:34:09 +02:00
Sebastian Knauer
21f700679f KEYCLOAK-19866 Fix user-defined- and xml-fragment-parsing/Add XPathAttributeMapper 2022-08-03 13:07:12 +02:00
Marek Posolda
7e925bfbff
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup (#13406)
Closes #13128
2022-07-29 18:03:56 +02:00
Pedro Hos
ee2c5391bd
Possible client enumeration in the authorization endpoint
Closes #12164
2022-07-26 09:10:06 +02:00
Stian Thorgersen
7158e781be
Update base URL for admin rest docs (#13305)
Closes #10464
2022-07-25 16:25:55 +02:00
Douglas Palmer
c00514d659
Support for post_logout_redirect_uris in OIDC client registration (#12282)
Closes #10135
2022-07-25 10:57:52 +02:00
Stian Thorgersen
a251d785db
Remove text based login flows (#13249)
* Remove text based login flows

Closes #8752

* Add display param back in case it's used by some custom authenticators
2022-07-22 15:15:25 +02:00
Pedro Igor
e14bd51656 Properly enable/disable metrics and health endpoints
Closes #11506

Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-07-22 09:41:29 -03:00
Alexander Schwartz
cb81a17611 Disable Infinispan for map storage and avoid the component factory when creating a realm independent provider factory
Provide startup time in UserSessionProvider independent of Infinispan,
cleanup code that is not necessary for the map storage as it isn't using Clustering.
Move classes to the legacy module.

Closes #12972
2022-07-22 08:20:00 +02:00
Douglas Palmer
adeef6c2a0 Partial import feature does not import Identity Provider mappers in Keycloak #12861 2022-07-21 18:04:15 +02:00
Pedro Igor
3631a413d2 Allow token exchange when subjec_token is not associated with a session
Closes #12596
2022-07-20 15:42:26 -03:00
Alexander Schwartz
d30646b1f6 Refactor object locking for UserSessions
Closes #12717
2022-07-19 17:47:33 -03:00
Lex Cao
f0988a62b8
Use base64 url decoded for client secret when authenticating with Basic Auth (#12486)
Closes #11908
2022-07-16 09:38:41 +02:00
Vlasta Ramik
ec853a6b83
JPA map storage: User / client session no-downtime store (#12241)
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>

Closes #9666
2022-07-14 12:07:02 -03:00
Pedro Igor
5b48d72730 Upgrade Resteasy v4
Closes #10916

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2022-07-11 12:17:51 -03:00
Takashi Norimatsu
29aad9dc45 PAR logic affecting /auth endpoint
Closes #9289
2022-07-11 11:56:37 +02:00
Alexander Schwartz
29a501552e Disable the JpaUserFederatedStorageProvider when map storage is enabled
Closes #12895
2022-07-07 10:47:42 -03:00
Alexander Schwartz
098d4dda0e
Split PublicKeyStorageProvider (#12897)
Split PublicKeyStorageProvider

- Extract clearCache() method to separate interface and move it to the legacy module
- Make PublicKeyProvider factories environment dependent
- Simple map storage for public keys that just delegates

Resolves #12763

Co-authored-by: Martin Kanis <mkanis@redhat.com>
2022-07-05 09:57:51 -03:00
Alexander Schwartz
4b20e90292 Move session persistence package to legacy-private module
Also, disabling the jpa session persister when map storage is enabled.

Closes #12712
2022-07-04 10:05:26 -03:00
Alexander Schwartz
d407a37ba3 Instead of returning instances with different semantics, throw an exception.
This exception points the caller to the migration guide of Keycloak 19.

Closes #12556
2022-07-01 14:12:39 -03:00
Konstantinos Georgilakis
32f8f30f36 Include 'urn:ietf:params:oauth:grant-type:token-exchange' in grant_types_supported field of Keycloak OP metadata, if token-exchange is enabled
closes #10888
2022-06-30 17:13:47 -03:00
Jon Koops
06d1b4faab Restore enum variant of ResourceType
This reverts commit 3b5a578934.
2022-06-30 12:20:51 -03:00
Pedro Igor
605b51890e Enables the new store and the concurrenthashmap provider
Closes #12651
2022-06-30 10:55:22 -03:00
Alexander Schwartz
692ce0cd91 Moving ClientStorageProvider to the legacy modules
This prepares the move of CachedObject and CacheableStorageProviderModel

Closes #12531

fixup! Moving ClientStorageProvider to the legacy modules
2022-06-29 20:04:32 +02:00
vramik
3b5a578934 Change enum ResourceType to interface with String constants
Closes #12485
2022-06-29 13:35:11 +02:00
Lex Cao
c3c8b9f0c8
Add client_secret to response when token_endpoint_auth_method is not private_key_jwt (#12609)
Closes #12565
2022-06-29 10:19:18 +02:00
Konstantinos Georgilakis
ccc0449314 json device code flow error responses
closes #11438
2022-06-29 07:23:02 +02:00
Marek Posolda
be1e31dc68
Introduce crypto/default module. Refactoring BouncyIntegration (#12692)
Closes #12625
2022-06-29 07:17:09 +02:00
vramik
91335ebaad Change returning type to Set in MapClientEntity when obtaining protocol mappers
Closes #11136
2022-06-28 21:47:56 +02:00
danielFesenmeyer
b6d8c27cac OIDC logout: In "legacy mode", support post_logout_redirect_uri param without requiring id_token_hint param
Closes #12680
2022-06-28 14:36:03 +02:00
Alexander Schwartz
4b499c869c Encapsulate MigrationModelManager in legacy module
Closes #12214
2022-06-28 10:53:04 +02:00
leandrobortoli
c5d5659100 Fixed bug on client credentials grant when encryption key not found
Closes #12348
2022-06-27 13:00:21 +02:00
Lex Cao
f8a7c8e160
Validate name of client scope (#12571)
Closes #12553
2022-06-27 12:26:18 +02:00
Pedro Igor
3d2c3fbc6a Support JSON objects when evaluating claims in regex policy
Closes #11514
2022-06-23 14:04:09 -03:00
Pedro Igor
d3a40e8620 Use backend baseURL for UMA-related backend endpoints
Closes #12549
2022-06-23 10:35:26 -03:00
Takashi Norimatsu
a10eef882f DeviceTokenRequestContext.getEvent returns a wrong ClientPolicyEvent
Closes #12455
2022-06-22 13:01:35 +02:00
Takashi Norimatsu
d396ee7d30 CIBA flow : no error on invalid scope
Closes #12589
2022-06-22 12:55:55 +02:00
rmartinc
711440e513 [#11036] Identity Providers: Add support for elliptic curve signatures (ES256/ES384/ES512) using JWKS URL 2022-06-21 10:52:25 -03:00
Alexander Schwartz
ae7c01b719 Moving the CacheRealmProvider interface to the legacy module 2022-06-21 08:53:06 +02:00
Alexander Schwartz
7855b93390 Moving the UserCache interface to the legacy module
Co-Authored-By: hmlnarik@redhat.com
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6376db0f9c code cleanup 2022-06-21 08:53:06 +02:00
Alexander Schwartz
84d21f0230 for all added files in the PR, update the copyright header or add it if it was missing 2022-06-21 08:53:06 +02:00
Alexander Schwartz
3fe477885c when userStorageManager() is called recursively, provided a meaningful exception to the caller. 2022-06-21 08:53:06 +02:00
Alexander Schwartz
d41764b19b Inline deprecated methods in legacy code 2022-06-21 08:53:06 +02:00
Alexander Schwartz
30b5c646e1 Deprecated old KeycloakSession APIs 2022-06-21 08:53:06 +02:00
Alexander Schwartz
08bbb1fb92 Move LDAP REST Endpoints to LDAP package
- Thus remove implicit dependency on services on the legacy modules
- Disable tests for LDAP/Kerberos that won't work when map storage is enabled
2022-06-21 08:53:06 +02:00
Alexander Schwartz
a109e28be7 moving some functionality around imports 2022-06-21 08:53:06 +02:00
Alexander Schwartz
a43321c720 Moving logic to create service accounts in local storage only to legacy module 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
e396d0daa1 Renaming SingleUserCredentialManager and UserModel.getUserCredentialManager():
- class SingleUserCredentialManager to SingleEntityCredentialManager
- method UserModel.getUserCredentialManager() to credentialManager()

Renaming of API without "get" prefix to make it consistent with other APIs like for example with KeycloakSession
2022-06-21 08:53:06 +02:00
Alexander Schwartz
14a369a8cc Added LegacySessionSupport SPI
While some methods around onCache() are still called from the legacy code, all other methods log a warning with a stacktrace.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6f287e7ded Avoid using methods on UserCredentialStoreManager 2022-06-21 08:53:06 +02:00
Alexander Schwartz
bc8fd21dc6 SingleUserCredentialManager moving in
- UserStorageManager now handles authentication for old Kerberos+LDAP style
- new getUserByCredential method in MapUserProvider would eventually do the same.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
82094d113e Move User Storage SPI, introduce ExportImportManager 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51 Preparation for moving User Storage SPI
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved refers legacy module
  IMPORTANT: Broken as UserStorageSyncManager is not yet moved
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
36f76a37ad Move realms, clients, groups, roles, clientscopes into legacy module
- Introduces Datastore SPI for isolating data store methods
- Introduces implementation of the datastore for legacy storage
- Updates DefaultKeycloakSession to leverage Datastore SPI instead
  of direct creating of area providers by the session
2022-06-21 08:53:06 +02:00
Lex Cao
06dfb45c39
Remove non-standard code_challenge_method from token request for IDP (#12473)
Closes #12141
2022-06-14 20:46:35 +02:00
mposolda
3aefb59d40 Fix test failure in X509BrowserCRLTest on IBM JDK. Don't display details of exception message to the end user
Closes #12458
2022-06-14 10:44:31 +02:00
Christoph Leistert
442eff0169
Closes #11851: Apply localization text from realm default locale when it is not defined for the requested language. (#11852) 2022-06-10 14:36:11 -04:00
Joerg Matysiak
3c19ad627f Repsect permissions configured to firstName and lastName when configured in user profile
Resolves #12109
2022-06-09 10:10:15 -03:00
mposolda
5d2bf6ea33 Cannot find ScriptEngine for JDK8 and Wildfly
Closes #12247
2022-06-08 11:11:36 +02:00
Pedro Igor
243e63c9f3 Do not set empty permissions to username and email attributes
Closes #11647
2022-06-07 10:59:35 -03:00
Sebastian Schuster
a0c402b93a
11198 added event information to consent granting and revocation via REST API (#11199) 2022-06-07 11:29:20 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration (#12244)
Closes #12243
2022-06-07 09:02:00 +02:00
rmartinc
5332a7d435 Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2022-06-06 12:07:09 +02:00
Takashi Norimatsu
3889eeda30 Client Policies: pkce-enforcer executor with client-access-type condition is not applied on client change via Admin API
Closes #12295
2022-06-06 11:30:48 +02:00
mposolda
f90fbb9c71 Changing locale on logout confirmation did not work
Closes #11951
2022-05-31 16:03:58 +02:00
Takashi Norimatsu
d083b6c484 ciba http auth channel sends client_id and client_secret via delegation request
Closes #10993
2022-05-31 08:22:50 +02:00
vramik
be28e866b9 JPA map storage: Authorization services no-downtime store
Closes #9669
2022-05-30 21:05:34 +02:00
mposolda
4222de8f41 OIDC RP-Initiated Logout POST method support
Closes #11958
2022-05-30 14:10:58 +02:00
Stefan Guilhen
808738220f Change CodeGenerateUtil so that it doesn't add/remove the code in an inner transaction
Fixes #11617
2022-05-30 12:55:48 +02:00
Marek Posolda
cf386efa40
Support for client_id parameter in OIDC RP-Initiated logout endpoint (#12202)
Closes #12002


Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-05-27 14:12:37 +02:00
Dmitry Telegin
86883fd68a
Remove org.keycloak.protocol.oidc.TokenManager.RefreshResult (#12196)
Closes #12194
2022-05-27 13:00:10 +02:00
Marek Posolda
eed944292b
Make script providers working on JDK 17 (#11322)
Closes #9945
2022-05-27 12:28:50 +02:00
Luca Leonardo Scorcia
27650ab816 Fix #10982 SAML Client - Introduce SAML Issuer validation 2022-05-27 10:58:10 +02:00
Yoshikazu Nojima
9fc6114ccd
Update webauth4j dependency version to 0.19.3.RELEASE (#11927)
Resolves #9506
2022-05-18 06:54:34 -03:00
Michal Hajas
0bda7e6038 Introduce map event store with CHM implementation
Closes #11189
2022-05-17 12:57:35 +02:00
Takashi Norimatsu
9541852a9b ID token encryption without specifying id_token_encrypted_response_enc does not follow OIDC Dynamic Client Registration specification
Closes #11392
2022-05-16 09:05:22 +02:00
Takashi Norimatsu
7fa24d247a Deprecated org.keycloak.jose.jws.Algorithm is used in OIDCAdvancedConfigWrapper
Closes #11394
2022-05-16 08:56:57 +02:00
Martin Kanis
0d6bbd437f
Merge single-use token providers into one
Fixes first part of: #11173

* Merge single-use token providers into one

* Remove PushedAuthzRequestStoreProvider

* Remove OAuth2DeviceTokenStoreProvider

* Delete SamlArtifactSessionMappingStoreProvider

* SingleUseTokenStoreProvider cleanup

* Addressing Michal's comments

* Add contains method

* Add revoked suffix

* Rename to SingleUseObjectProvider
2022-05-11 13:58:58 +02:00
Michal Hajas
d3b43a9f59 Make sure there is always Realm or ResourceServer when searching for authz entities
Closes #11817
2022-05-11 07:20:01 -03:00
Réda Housni Alaoui
5d87cdf1c6
KEYCLOAK-6455 Ability to require email to be verified before changing (#7943)
Closes #11875
2022-05-09 18:52:22 +02:00
Pedro Igor
eab2dff979
Loading message bundles using the flat-classpath theme provider (#11711)
Closes #11186
2022-05-05 15:34:54 +02:00
vramik
0d83b51b20 Enhance Map authz entities with REALM_ID (ResourceServer with CLIENT_ID) searchable field
Co-authored-by Michal Hajas <mhajas@redhat.com>

Closes #10883
2022-05-03 12:56:27 +02:00
vramik
2ecf250e37 Deletion of all objects when realm is being removed
Closes #11076
2022-04-28 11:09:17 +02:00
Guus der Kinderen
8d3a4803bb
Prevent service account lookup when feature is disabled on client (#9579)
Closes #9563
2022-04-26 09:12:46 +02:00
Hynek Mlnarik
0ce5dfc09c Remove dependency of map on services
Fixes: 8903
2022-04-22 17:27:21 +02:00
Jeff Tian
b356618cc2
docs: Correct the base path for Admin REST APIs. #11007 (#10933) 2022-04-22 11:24:07 +02:00
Pedro Igor
76d83f46fa
Avoid clients exchanging tokens using tokens issued to other clients (#11542) 2022-04-20 19:14:55 +02:00
Stian Thorgersen
ac79fd0c23
Disallow special characters in usernames to prevent confusion with similarly looking usernames (#11531)
Closes #11532

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-04-20 15:53:15 +02:00
Stefan Guilhen
b29b27d731 Ensure code does not rely on a particular format for the realm id or component id 2022-04-20 14:40:38 +02:00
Stefan Guilhen
ae90b232ff Realms Map JPA implementation
Closes #9661
2022-04-20 14:40:38 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature (#11117)
Closes #9865

Co-authored-by: Michal Hajas <mhajas@redhat.com>

Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-04-20 14:25:16 +02:00
Martin Bartoš
3aa3db16ea
Fix error response for invalid characters (#11533)
Fixes #11530
2022-04-20 11:26:08 +02:00
m-takai
5f0e27a792 Add duplicate parameters check process in Device Authz Endpoint.
AuthorizationEndpointRequest class already checks duplicated parameters but DeviceEndpoint class has not checked its error. Thus a check process is added in handleDeviceRequest()

Closes #11294
2022-04-19 14:20:39 +02:00
Pedro Igor
c5e4dc8cec
Associated permissions should only add resource type permissions if the resource is an instance (#11220)
Closes #11148
2022-04-19 09:10:14 +02:00
Pedro Igor
52d205ca91
Allow exposing some initial provider config options via web site (#10572)
* Allow exposing some initial provider config options via web site

Co-authored-by: Stian Thorgersen <stian@redhat.com>

Closes #10571

* Include type to provider options, and hide build-icon column as it's not relevant

Co-authored-by: stianst <stianst@gmail.com>
2022-04-19 08:01:42 +02:00
msvechla
820ab52dce
Add support for filtering by enabled attribute on users count endpoint (#9842)
Resolves #10896
2022-04-13 13:57:22 -03:00
Pedro Igor
7058a123b1 Avoid initializing the OWASP HTML Sanitizer at startup
Closes #11261
2022-04-13 08:21:53 -03:00
bamanuel
7652bbfcd1 Fix unmatched braces in error log formatter
Closes #11252
2022-04-13 08:03:29 -03:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted (#10519)
Close #10517
2022-04-12 14:01:14 +02:00
mposolda
fb81242658 Script Mapper Performance Issues
Closes #11005
2022-04-08 09:47:43 -03:00
Neon Ngo
f11573eeb2
KEYCLOAK-13828 Allow override of baseUrl and apiUrl in GitHub identity provider (#7021)
Allow override of baseUrl & apiUrl in GitHub identity provider

Closes #11144
2022-04-06 13:45:11 +02:00
Tyler Andor
caebe50d7e
Updates patternfly libs and fixes breaking changes (#10748)
adding nvmrc

CIAM-1048 Device Activity screen PF updates

CIAM-1046: Personal Info sub-header update

Updates SigningInPage to use EmptyState component when there are no credentials.

rearanged some components used in signing in page

Displays ApplicationPage content in description list.

Updates refresh link on ContentPage, updates Resources screen.

CIAM-1049 Linked Accounts screen PF updates

CIAM-1043-General upstream updates

Updates AccountPage to display form errors.

fix: display Set up Authenticator Application link on large viewport

fix(page structure): rearranges page sections

CIAM-1254/Personal info PF4 updates & Sidebar text updates

updating layouts

updating layout on Signing in and Linked acounts

adding patternfly-additions

adding patternfly-addons styles

Updates Application page based on designs feedback.

moving page description

Updates status label on Applications page to be capitalized.

Updates the copy-fonts script for keycloak.v2 to copy all font directories instead of one.

update Personal info screen - set max width of 600px for form input fields

update Personal info - remove required indicator from input fields

General updates (#2)

* removed the extra lines being shown

* tweaked general spacing

* general alignment and spacer application

* refactor to get proper alignments without css globals

* forgot to add the conditional on displaying the set up buttons

* try and adjust the alignments

Co-authored-by: zwitter <zwitter@redhat.com>

resolve merge conflicts

Device activity updates (#4)

* update text to sentence case

* update device info columns to be dynamic across various viewport sizes

* update signed in device layout

* update based on feedback

Co-authored-by: Jon Szeto <jszeto@redhat.com>

Linked accounts update (#3)

* linked accounts screen - updated icons & Linked/Unlinked Login Providers layout & update text to sentence case

Co-authored-by: Jon Szeto <jszeto@redhat.com>

fixing ts errors

cleaning up fonts and messages

final review updates

message update for Back to admin console link

fixing capitalization on 2fa

updating landing page welcome message

fix: reposition Back to... link

adjusting size for confirm modal

updating spacing and alignment issues

updating resources page

removing unused header class

fixes ts issues and updates node version to match the themes install

npm updates

fixing pf addons

adding chokidar to get babel:watch working

fixing issues from pull request feedback

fixing tests

fixes signingin page test

fixing tests

Co-authored-by: Tyler Andor <tandor@highereducation.com>
2022-04-06 13:00:38 +02:00
Stian Thorgersen
7c64f28934
Change admin console to load keycloak.js using a relative URL (#11109)
* Change admin console to load keycloak.js using a relative URL

Closes #11108

* fix tests

Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-04-06 09:35:26 +02:00
Pedro Igor
2b5d68d645
Allow resoving theme resources from flat classpath (#10989)
Closes #10951
2022-04-05 09:16:20 +02:00
Douglas Palmer
f57d0dd100
Automated tests for session limits authenticator (browser, direct grant, reset password) (#11046)
Closes #11003
2022-04-01 18:44:38 +02:00
Michal Hajas
44000caaf5 KEYCLOAK-19177 Disable ECP flow by default for all Saml clients; ecp flow creates only transient users sessions 2022-03-31 16:06:44 +02:00
iingawal
6016b461db
Fix for "updatedAt" user attribute in "profile" client scope should use number instead of String (#11020)
Closes #10081


Co-authored-by: Indrajit Ingawale <iingawal@iingawal.pnq.csb>
2022-03-31 14:33:03 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter (#11009)
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
2022-03-31 14:25:24 +02:00
Marek Posolda
22a16ee899
OIDC RP-Initiated logout endpoint (#10887)
* OIDC RP-Initiated logout endpoint
Closes #10885

Co-Authored-By: Marek Posolda <mposolda@gmail.com>

* Review feedback

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-03-30 11:55:26 +02:00
Marcelo Daniel Silva Sales
2b996b12a1
update javadoc for client secret rotation REST service (#10990)
Closes #10610
2022-03-29 21:46:54 +02:00
Marcelo Daniel Silva Sales
091b1472ce
Introduce client secret rotation dynamic registration (#10952)
Closes #10609
2022-03-28 20:39:11 +02:00
Konstantinos Georgilakis
99fa6275c1 KEYCLOAK-19313 configure the name format in Attribute Importer IdP Mapper 2022-03-25 09:42:22 +01:00
Robin Windey
eaf7c515f2 Fix typo in exception message 2022-03-24 12:43:33 +01:00
Alexander Schwartz
3ebfc91b75 Reduce logging of errors due to the bounded queue
Closes #10588
2022-03-23 15:42:06 +01:00
Takashi Norimatsu
9c01d819cb Client Policies : An executor rejecting all requests
Closes #9097
2022-03-23 12:45:38 +01:00
iingawal
b773857a80
Display email address in login-verify-email.ftl (#10870)
Closes #8873
2022-03-23 12:44:21 +01:00
Marcelo Daniel Silva Sales
6efa45f93e
Update secret rotation when the policy is enabled using jwt (#10853)
Closes #10666
2022-03-23 08:25:58 +01:00
Michal Hajas
99c06d1102
Authorization services refactoring
Closes: #10447 

* Prepare logical layer to distinguish between ResourceServer id and client.id
* Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz
* Prepare Logical (Models/Adapters) layer for returning other models instead of ids
* Replace resourceServerId with resourceServer model in PermissionTicketStore
* Replace resourceServerId with resourceServer model in PolicyStore
* Replace resourceServerId with resourceServer model in ScopeStore
* Replace resourceServerId with resourceServer model in ResourceStore
* Fix PermissionTicketStore bug
* Fix NPEs in caching layer
* Replace primitive int with Integer for pagination parameters
2022-03-22 20:49:40 +01:00
keycloak-bot
c71aa8b711
Set version to 999-SNAPSHOT (#10784) 2022-03-22 09:22:48 +01:00
Joaquim Fellmann
92c4e6d585
KEYCLOAK-16134 Allow webauthn idless login flow (#7860)
Closes #10832
2022-03-21 11:37:33 +01:00
mposolda
9e12587181 Protocol mapper and client scope for 'acr' claim
Closes #10161
2022-03-11 09:23:25 +01:00
Ivan Atanasov
5c6b123aff
Support for the Recovery codes (#8730)
Closes #9540


Co-authored-by: Zachary Witter <torquekma@gmail.com>
Co-authored-by: stelewis-redhat <91681638+stelewis-redhat@users.noreply.github.com>
2022-03-10 15:49:25 +01:00
rmartinc
a7c8aa1dd3
[#10616] Incorrect username logged for federated accounts (#10662)
Closes #10616
2022-03-10 13:21:39 +01:00
Marcelo Daniel Silva Sales
0c25da542c
Update secret rotation when the policy is disabled (#10674)
Closes #10667
2022-03-10 13:03:09 +01:00
Marcelo Daniel Silva Sales
7335abaf08
Keycloak 10489 support for client secret rotation (#10603)
Closes #10602
2022-03-09 00:05:14 +01:00
mposolda
d394e51674 Introduce profile 'feature' for step-up authentication enabled by default
Closes #10315
2022-03-08 14:42:46 +01:00
mposolda
93bba8e338 Replace 'Store LoA in User Session' with 'Max Age'. Refactoring of step-up authentications related to that.
Closes #10205
2022-03-08 10:41:05 +01:00
Martin Bartoš
02d0fe82bc Auth execution 'Condition - User Attribute' missing
Closes #9895
2022-03-08 08:24:48 +01:00
Michal Hajas
f77ce315bb Disable Authz caching for new storage tests
Closes #10500
2022-03-07 10:22:55 -03:00
Takashi Norimatsu
201277b897 Handle OIDC authz request with "response_type" missing and "response_mode=form_post"
Closes #10144
2022-03-04 13:31:40 +01:00
Takashi Norimatsu
92f6c75328 Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type
Closes #10143
2022-03-03 13:26:39 +01:00
Daniel Gozalo
76101e3591 [fixes #9225] - Get scopeIds from the AuthorizationRequestContext instead of session if DYNAMIC_SCOPES are enabled
Add a test to make sure ProtocolMappers run with Dynamic Scopes

Change the way we create the DefaultClientSessionContext with respect to OAuth2 scopes, and standardize the way we obtain them from the parameter
2022-03-01 13:47:58 +01:00
Vlasta Ramik
aa6a131b73
Change String client.id to ClientModel client in ResourceServerStore
Closes #10442
2022-02-24 12:46:26 +01:00
Alexander Volkov
91a51d276f
Realm translations are being added to the account console. (#10329)
For the account console translations are being fetched from the realm translations as well as from the theme properties.

Closes #10328
2022-02-23 08:35:10 -05:00
treydock
b26a1a4803
KEYCLOAK-18334 Fix null pointer exception when viewing flow executions (#8121)
* KEYCLOAK-18334 Fix null pointer exception when viewing flow executions
Closes #10371
2022-02-22 09:31:25 +01:00