Commit graph

724 commits

Author SHA1 Message Date
Douglas Palmer
33863ba161 KEYCLOAK-10162 Usage of ObjectInputStream without checking the object types
Co-authored-by: mposolda <mposolda@gmail.com>
2020-06-08 13:12:08 +02:00
spurreiter
6332ed42c0 KEYCLOAK-13940 remove duplicated urlsafe decoding 2020-05-08 15:18:56 +02:00
Hynek Mlnarik
32f13016fa KEYCLOAK-12874 Align Destination field existence check with spec 2020-05-04 09:19:44 +02:00
keycloak-bot
ae20b7d3cd Set version to 11.0.0-SNAPSHOT 2020-04-29 12:57:55 +02:00
Pedro Igor
2e54ebda76 [KEYCLOAK-13579] - Ignore exceptions when shutting down loopback server 2020-04-29 12:33:35 +02:00
Stefan Guilhen
fd9c4e9228 [KEYCLOAK-12097] Fix NPE when trying to obtain the cache container name from jboss-web.xml
- check if the cache name as configured in jboss-web.xml is composite - i.e. has a 'parent.child' structure
2020-04-27 10:13:25 +02:00
Luke Nadur
74c379c3df [KEYCLOAK-13586] Fix typos related to QueryParamterTokenRequestAuthenticator 2020-04-21 21:14:03 +02:00
Jon Koops
9f3b847817 KEYCLOAK-13714 Add missing type definition for logout options 2020-04-21 11:31:16 +02:00
keycloak-bot
33314ae3ca Set version to 10.0.0-SNAPSHOT 2020-04-21 09:19:32 +02:00
Pedro Igor
acfbdf6b0e [KEYCLOAK-13187] - Concurrency issue when refreshing tokens and updating security context state 2020-04-16 12:25:42 +02:00
stianst
1f02f87a6e KEYCLOAK-13565 Add support for kc_action to keycloak.js
Co-authored-by mhajas <mhajas@redhat.com>
2020-04-14 19:23:56 +02:00
mhajas
10d92a01a6 KEYCLOAK-13577 Remove property from child class since parents class contains it 2020-03-26 09:55:52 -03:00
keycloak-bot
f6a592b15a Set version to 9.0.4-SNAPSHOT 2020-03-24 08:31:18 +01:00
Pedro Igor
84d099e48f [KEYCLOAK-11282] - Properly resolve config resolver
Co-authored-by: mhajas <mhajas@redhat.com>
2020-03-17 15:49:00 +01:00
Laure-Emmanuelle Issler
967ff939ec KEYCLOAK-13026 Set path of OAuth_Token_Request_State cookie to / 2020-03-05 16:21:24 +01:00
Pedro Igor
30b07a1ff5 [KEYCLOAK-13175] - Setting the enforcement mode when fetching lazily fetching resources 2020-03-05 13:31:21 +01:00
Hynek Mlnarik
0cf0955318 KEYCLOAK-13181 Fix NPE in EAP 6 adapter 2020-03-04 10:19:43 +01:00
Jon Koops
c1bf183998 KEYCLOAK-9346 Add new KeycloakPromise to support native promises
Co-authored-by: mhajas <mhajas@redhat.com>
2020-03-04 08:53:35 +01:00
Thomas Kuestermann
8ed355a5fe KEYCLOAK-12749 single worker/IO thread, use OAUTH2 constants 2020-03-03 12:39:19 -03:00
Thomas Kuestermann
22555371d8 KEYCLOAK-12749 fix "invalid state" error due to IE requesting favicon
Internet Explorer occasionally requests a favicon before doing the
actual redirect to localhost. This commit adds Undertow to properly
handle those unwanted requests.
2020-03-03 12:39:19 -03:00
mhajas
8061aa5217 KEYCLOAK-13161 Use iterator instead of for-each loop in ClientCredentialsProviderUtils 2020-02-28 16:22:03 +01:00
Erik Jan de Wit
8297c0c878 KEYCLOAK-11155 split on first '=' instead of all 2020-02-27 09:12:51 +01:00
keycloak-bot
d352d3fa8e Set version to 9.0.1-SNAPSHOT 2020-02-17 20:38:54 +01:00
stianst
42773592ca KEYCLOAK-9632 Improve handling of user locale 2020-02-14 08:32:20 +01:00
Pedro Igor
da0e2aaa12 [KEYCLOAK-12897] - Policy enforcer should just deny when beare is invalid 2020-02-07 15:04:45 +01:00
Stefan Guilhen
d943b8a9e3 [KEYCLOAK-12873] Fix differences between keycloak-saml.xml (adapter) and the keycloak-saml subsystem 2020-02-07 12:06:28 +01:00
Sebastian Laskawiec
9b2e7f6e2c KEYCLOAK-12650 Fix NullPointerException when creating HttpClient 2020-02-05 15:52:33 +01:00
mhajas
fc7b769b6e KEYCLOAK-6817 Ignore SniSSLSocketFactory exception for IBM jdk 2020-01-31 09:08:44 +01:00
Pedro Igor
2a82ed6eea [KEYCLOAK-9402] - 401 response when enforcement mode is DISABLED 2020-01-30 11:09:32 +01:00
Takashi Norimatsu
993ba3179c KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT (#6633) 2020-01-28 14:55:48 +01:00
vmuzikar
03306b87e8 KEYCLOAK-12125 Introduce SameSite attribute in cookies
Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: Peter Skopek <pskopek@redhat.com>
2020-01-17 08:36:53 -03:00
root
4cbe478129 Fix KEYCLOAK-10838, use bytesRead to make sure the output stream does not get padded with null bytes. 2020-01-14 13:20:10 +01:00
vramik
3b1bdb216a KEYCLOAK-11486 Add support for system property or env variable in AllowedClockSkew in keycloak-saml subsystem 2020-01-14 13:17:13 +01:00
mhajas
a79d6289de KEYCLOAK-11416 Fix nil AttributeValue handling 2020-01-10 12:47:09 +01:00
Pedro Igor
c596647241 [KEYCLOAK-11712] - Request body not buffered when using body CIP in Undertow 2020-01-09 10:02:18 +01:00
Michael Thirion
44ab3f46b7 [KEYCLOAK-6008] - Spring Boot does not honour wildcard auth-role (#6579) 2019-12-24 19:06:55 -03:00
Asbjørn Dyhrberg Thegler
1162455f32 KEYCLOAK-10894 Adds a ready indicating promise
This is non-intrusive and backwards compatible. With this change it is possible
to `await keycloakAuthorization.ready` to make sure the component has been
properly initialized.
2019-12-24 18:33:20 -03:00
Pedro Igor
e316e2a2f0 [KEYCLOAK-8616] - Process requests only if a deployment can be resolved 2019-12-20 13:33:12 +01:00
Pedro Igor
3bd193acd7 [KEYCLOAK-12412] - Policy enforcer should consider charset when comparing the content-type of the request 2019-12-19 14:14:33 +01:00
keycloak-bot
76aa199fee Set version to 9.0.0-SNAPSHOT 2019-11-15 20:43:21 +01:00
scranen
2d3f771b70 Cookie token store not working in Spring Security adapter
Co-authored-by: scranen <scranen@gmail.com>
Co-authored-by: rainerfrey <frey.rainer@gmail.com>
Co-authored-by: pedroigor <pigor.craveiro@gmail.com>
2019-11-13 16:54:45 +01:00
Andrei Arlou
df5cdea1e8 KEYCLOAK-12006 Use diamond operator in module adapters/oidc/as7-eap6 2019-11-13 09:54:10 +01:00
Andrei Arlou
dca8835fbc KEYCLOAK-12008 Fix minor warnings in module adapters/oidc/installed 2019-11-13 09:35:49 +01:00
Andrei Arlou
7f1de02ca0 KEYCLOAK-11994 Fix minor warnings in module in adapters/oidc/adapter-core 2019-11-11 09:49:13 +01:00
Andrei Arlou
066cdb7dec KEYCLOAK-11993 Remove unused import and use diamond operator for collection in module adapters/oidc/adapter-core 2019-11-11 09:42:12 +01:00
Leonid Rozenblyum
a4edb083c3 KEYCLOAK-6752, KEYCLOAK-6565
Fixed missing deployment after deserialization.
Other adapters already have logic for filling in deployment when it's
missing in the context, Spring Security adapter lacked that feature.

The solution is based on an attachment
https://issues.jboss.org/secure/attachment/12431091/FixKeycloakSecurityContextRequestFilter.java
from https://issues.jboss.org/browse/KEYCLOAK-6565
2019-11-08 11:51:27 -03:00
Jon Koops
5281a38cf7 [KEYCLOAK-11771] Add missing type definitions for config 2019-11-08 10:36:04 -03:00
Jon Koops
913056b2b2 [KEYCLOAK-11971] Remove credentials option from configuration 2019-11-08 11:36:18 +01:00
sebastienblanc
263a64ef0a add a legacy shaded adapters jar for spring boot 1 2019-11-07 13:58:20 +01:00
Stian Thorgersen
f14f92ab0b KEYCLOAK-6073 Make adapters use discovery endpoint for URLs instead of hardcoding (#6412) 2019-11-06 10:34:35 +01:00
Peter Skopek
d0386dab85 KEYCLOAK-8785 remove k_version endpoint (#6428) 2019-11-05 11:35:55 +01:00
Douglas Palmer
a32c8c5190 [KEYCLOAK-11185] Fixed build with JDK 11 2019-11-04 10:56:07 -03:00
Leonid Rozenblyum
61561968ed KEYCLOAK-10266 Allows proper handling of Single Sign Out events.
It was incorrectly relying on web application listeners on session
destruction.
While it's used as a Spring Bean (declared in
KeycloakWebSecurityConfigurerAdapter) so it has to use Spring-based
facility.
See also https://lists.jboss.org/pipermail/keycloak-user/2016-March/005479.html
2019-10-30 15:47:45 +01:00
Benjamin Bentmann
d6f56e58c1 KEYCLOAK-11806 Fix SAML adapter to not fail upon receiving a login response without the optional Destination attribute 2019-10-29 23:12:15 +01:00
Peter Sönder
68fa37b4cd [KEYCLOAK-11765] Changed to jdk7 compliant code 2019-10-29 13:35:22 +01:00
Peter Sönder
6c83b36360 Do not log when failure.getError is blank/empty
Sometimes the error message is blank, which results in an empty error line getting logged. 
Since the catch always logs "failed to turn code into token" and "status from server: " + failure.getStatus() (on separate lines) this extra blank line is simply noise in the log.
2019-10-29 13:35:22 +01:00
Denis Richtárik
6bf1e8a9a7 KEYCLOAK-9979 Remove keycloak-servlet-oauth-client (#6423) 2019-10-24 17:28:41 +02:00
mhajas
ac71ee9633 KEYCLOAK-11081 Include jetty94 adapter to product build 2019-10-23 15:53:37 +02:00
Martin Reinhardt
21a62a2670 [KEYCLOAK-6376] Reorganize imports and revert pom changes 2019-10-21 10:41:04 +02:00
Martin Reinhardt
eed4449f8d [KEYCLOAK-6376] Fixing Conditional OTP by reusing existing API for role checks 2019-10-21 10:41:04 +02:00
Phil Brown
85ead8b38a KEYCLOAK-11740:
Fix debug message that does not properly handle single quotes
according to java.text.MessageFormat, which in turn causes the
replacement to not be handled.

Signed-off-by: Phil Brown <brownp@stellarscience.com>
2019-10-17 13:02:03 +02:00
stianst
ceeb087dbd KEYCLOAK-8938 TypeError: kc.login(...).success is not a function 2019-10-16 17:57:18 +02:00
Martin Kanis
4d872d0c2c KEYCLOAK-11527 Override version of jboss-as-subsystem-test for product profile 2019-10-10 21:09:22 +02:00
stianst
7866a6cff3 Playing with Travis 2019-10-09 10:10:20 +02:00
Martin Kanis
9200a33346 KEYCLOAK-11527 Change type of jboss-as-subsystem-test artifact to pom for product 2019-10-07 13:12:16 +02:00
Jon Koops
bc5b4de79e [KEYCLOAK-11435] Log deprecation warning for usage of non-native Promises 2019-10-03 10:55:22 -04:00
rmartinc
6283c7add3 KEYCLOAK-10975: Clock skew configuration in keycloak-saml.xml can't be found in the keycloak-saml subsystem 2019-09-27 09:35:03 +02:00
Jon Koops
ff77b549ec [KEYCLOAK-11193] Change 'disableLogging' to 'enableLogging' and default to false 2019-09-24 10:31:02 -03:00
Stefan Guilhen
b833ce9dd3 [KEYCLOAK-11485] Add test case for the as7-eap6 SAML subsystem 2019-09-19 13:39:24 +02:00
Jon Koops
0b9c6192a3 KEYCLOAK-11193 Allow JavaScript logging to be disabled 2019-09-19 07:09:32 -03:00
rmartinc
7f54a57271 KEYCLOAK-10757: Replaying assertion with signature in SAML adapters 2019-09-18 16:49:00 +02:00
Karel Hala
f8e4ccd57a KEYCLOAK-11195 Add module loading to dependencies
Use window global libraries for AMD
2019-09-13 14:47:45 -03:00
Stefan Guilhen
60205845a8 [KEYCLOAK-7264] Add a RoleMappingsProvider SPI to allow for the configuration of custom role mappers in the SAML adapters.
- Provides a default implementation based on mappings loaded from a properties file.
 - Role mappers can also be configured in the keycloak-saml susbsytem.
2019-09-09 05:24:25 -03:00
jferrer
97fccd6d50 KEYCLOAK-10910 login function now uses promise type specified in init 2019-09-06 15:24:31 -04:00
Jon Koops
c902896ab6 KEYCLOAK-11196 Document the type for the useNonce option 2019-08-30 14:34:20 -04:00
Jon Koops
2d465df94d KEYCLOAK-11194 Remove dead code from JavaScript adapter 2019-08-30 14:32:54 -04:00
Niko Köbler
49e9cd759b KEYCLOAK-10734 Let the check-sso feature do the check in hidden iframe 2019-08-20 15:41:09 -03:00
Martin Kanis
75d2ec8ff6 KEYCLOAK-11012 Unable to install EAP6 adapter 2019-08-16 12:44:50 +02:00
Valeran86
b0d0d3e579 [KEYCLOAK-10849] - KeycloakRole equals only with itself
I use Keycloak Spring Adapter (KSA) to secure existing application. Today I realized that some functions didn't work anymore because of security checking like this:
```
GrantedAuthority adminRole = new MySpecialGrantedAuthority( "superadmin" );
for ( GrantedAuthority role : userRoles ) {
        if ( role.equals( adminRole ) ) {
          return true;
        }
      }
```
In this example, when I use KSA authorization fails.
I believe, that more preferable in `KeycloakRole` use this implementation of `equals` method.
2019-08-16 05:20:03 -03:00
Takashi Norimatsu
8225157a1c KEYCLOAK-6768 Signed and Encrypted ID Token Support 2019-08-15 15:57:35 +02:00
mhajas
4b18c6a117 KEYCLOAK-7207 Check session expiration for SAML session 2019-07-24 13:35:07 +02:00
keycloak-bot
17e9832dc6 Set version to 8.0.0-SNAPSHOT 2019-07-19 19:05:03 +02:00
Hynek Mlnarik
67f8622d13 KEYCLOAK-8318 Workaround Elytron's double encoding of the query parameters
Co-Authored-By: mhajas <mhajas@redhat.com>
2019-07-19 14:37:38 +02:00
Stefan Guilhen
ceaae7a254 [KEYCLOAK-10384] Add equals and hashCode to KeycloakUndertowAccount, SamlPrincipal and SamlSession to avoid cache misses in the PicketBox JAAS auth manager 2019-07-18 21:08:22 +02:00
kuan
1c5f7c1420 Update KeycloakTokenParsed definition.
To match KeycloakInstance's realm access and resources access.
2019-07-17 15:29:34 -04:00
Hynek Mlnarik
67eb0c3079 KEYCLOAK-8318 Workaround ELY-1525 similarly to OIDC adapter 2019-07-17 09:33:20 +02:00
Hynek Mlnarik
3d4283fac9 KEYCLOAK-9987 Upgrade to Wildfly17
Co-Authored-By: hmlnarik <hmlnarik@redhat.com>
2019-07-16 08:05:46 +02:00
Steeve Beroard
fc9a0e1766 [KEYCLOAK-8104] Keycloak SAML Adapter does not support clockSkew configuration
Co-Authored-By: vramik <vramik@redhat.com>
2019-07-15 13:08:52 +02:00
Pedro Igor
9215957bd0 Revert "KeycloakRole equals only with itself"
This reverts commit 2899375614.
2019-07-09 09:05:20 -03:00
Valeran86
2899375614 KeycloakRole equals only with itself
I use Keycloak Spring Adapter (KSA) to secure existing application. Today I realized that some functions didn't work anymore because of security checking like this:
```
GrantedAuthority adminRole = new MySpecialGrantedAuthority( "superadmin" );
for ( GrantedAuthority role : userRoles ) {
        if ( role.equals( adminRole ) ) {
          return true;
        }
      }
```
In this example, when I use KSA authorization fails.
I believe, that more preferable in `KeycloakRole` use this implementation of `equals` method.
2019-07-08 14:33:03 -03:00
Hynek Mlnarik
ca4e14fbfa KEYCLOAK-7852 Use original NameId value in logout requests 2019-07-04 19:30:21 +02:00
Vlasta Ramik
cc8cfd4269 KEYCLOAK-10751 Fix SAML undertow adapter not sending challenge
Co-Authored-By: mhajas <mhajas@redhat.com>
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2019-07-04 10:04:51 +02:00
Thomas Darimont
53d0db80c3 KEYCLOAK-10313 Only use PKCE if enable-pkce is configured for KeycloakInstalled adapter
Users who want to use PKCE support with the KeycloakInstalled adapter need to set the property
``"enable-pkce": true` in the adapter configuration / `keycloak.json`.
2019-07-03 08:49:55 +02:00
Thomas Darimont
8bd48391ca KEYCLOAK-10313 Add PKCE support to KeycloakInstalled Adpater
This adds PKCE support for Desktop Apps as
a followup to KEYCLOAK-1033 #6047.
2019-07-03 08:49:55 +02:00
vramik
d245287320 KEYCLOAK-9598 Apache Tomcat adapter 2019-06-14 10:09:13 +02:00
mhajas
12d351ae97 KEYCLOAK-10595 Make KeycloakSpringBootConfigResolver Spring bean 2019-06-14 09:41:56 +02:00
Sebastian Laskawiec
e739344556 KEYCLOAK-9640 Unify surefire versions 2019-06-13 13:26:49 +02:00
Nils Christian Ehmke
a58a0e7678 [KEYCLOAK-10334] Keycloak Spring Boot Adapter shares configuration in static field
Signed-off-by: Nils Christian Ehmke <nils-christian.ehmke@bmiag.de>
2019-06-04 07:13:13 -03:00
Pedro Igor
803e44dcb1 [KEYCLOAK-10422] - Code challenge only sent when options object argument is passed to login method 2019-05-29 15:09:01 -03:00
Thomas Darimont
2825619243 KEYCLOAK-1033 Add PKCE support for JS Adapter
This adds support for the "S256" code_challenge_method to the JS Adapter.
Note that the method "plain" was deliberately left out as is not recommended
to be used in new applications.

Note that this PR includes two libraries:
- [base64-js]{@link https://github.com/beatgammit/base64-js}
- [js-sha256]{@link https://github.com/emn178/js-sha256}

`base64-js` is needed for cross-browser support for decoding the
Uint8ArrayBuffer returned by `crypto.getRandomValues` to a PKCE
compatible base64 string.

`js-sha256` library is required because the `crypto.subtle.digest`
support is not available for all browsers.

The PKCE codeVerifier is stored in the callbackStore of the JS Adapter.

Note: This PR is based on #5255 which got messed up during a rebase.
2019-05-29 15:40:16 +02:00