Commit graph

2142 commits

Author SHA1 Message Date
Bill Burke
3ce0c57e17 Merge pull request #3831 from Hitachi/master
KEYCLOAK-2604 Proof Key for Code Exchange by OAuth Public Clients
2017-04-06 15:36:08 -04:00
Bill Burke
0fd11d16ee Merge pull request #3983 from bartoszmajsak/oso_typo_fix
Fixes misspelled config class in Openshift provider
2017-04-06 15:29:44 -04:00
Bill Burke
6ca5b7de03 Merge pull request #3998 from cainj13/fixNullProtocols
Fix null protocols for default clients
2017-04-06 15:29:21 -04:00
Bill Burke
13afc0147e close user/client session later 2017-04-06 15:07:40 -04:00
Bill Burke
201d2c6aac Merge remote-tracking branch 'upstream/master' 2017-04-06 10:44:43 -04:00
Bill Burke
31074c3c8d KEYCLOAK-4727 KEYCLOAK-4652 2017-04-06 10:44:33 -04:00
Stian Thorgersen
af4c74f1d9 Merge pull request #3718 from thomasdarimont/issue/KEYCLOAK-4163-improve-support-for-email-addresses
KEYCLOAK-4163 Improve support for e-mail addresses
2017-04-06 15:34:30 +02:00
Stian Thorgersen
6201257f76 KEYCLOAK-4549 [RH-SSO] EAP 7.1.0 Alpha16 2017-04-05 11:55:21 +02:00
Josh Cain
0482ec40fd Fix null protocols in default realm applications 2017-03-31 16:13:38 -05:00
Pedro Igor
838a045239 [KEYCLOAK-4650] - Adding scope filter and fixing cancel buttons 2017-03-29 12:59:41 -03:00
Takashi Norimatsu
ef3aef9381 Merge branch 'master' into master 2017-03-28 16:21:40 +09:00
Stian Thorgersen
6b21b4d87b KEYCLOAK-4657 Sort out REST API for prod profile 2017-03-27 20:50:13 +02:00
Bartosz Majsak
0197600565 Fixes misspelled config class 2017-03-27 09:38:47 +02:00
Bill Burke
71f0c01d4f Merge pull request #3980 from patriot1burke/master
KEYCLOAK-4664 KEYCLOAK-4665
2017-03-25 20:12:22 -04:00
Bill Burke
8c2e756732 fix 2017-03-25 19:21:50 -04:00
Bill Burke
d8e98d1de6 KEYCLOAK-4665 2017-03-25 12:47:32 -04:00
Bill Burke
dd8a64f30c KEYCLOAK-4664 2017-03-25 11:21:11 -04:00
Bartosz Majsak
63e8e7f842 Alings SimpleHttp API with new version 2017-03-23 13:51:14 +01:00
Bartosz Majsak
210143738e Merge branch 'master' into oso_provider 2017-03-23 13:45:07 +01:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
Bartosz Majsak
a250f08b6c Removes trailing slash from the base url 2017-03-15 22:27:24 +01:00
Stian Thorgersen
feeac69197 Merge pull request #3888 from daklassen/KEYCLOAK-4421
KEYCLOAK-4421 Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-15 09:54:21 +01:00
Stian Thorgersen
2aa93d7d55 Merge pull request #3924 from daklassen/KEYCLOAK-2486
KEYCLOAK-2486: Update SimpleHTTP to use Apache HTTP Client
2017-03-15 09:50:06 +01:00
Thomas Darimont
b782892769 KEYCLOAK-4163 Improve support for e-mail addresses
Added support for user friendly email addresses as well as dedicated
reply-to addresses for emails being sent by Keycloak.
Both can be customized via the email settings per realm in
the admin-console.
User friendly email addresses use the format:
"Friendly Name"<email@example.org> and provide way to add a meaning
full name to an e-mail address.

We also allow to specify an optional envelope from bounce address.
If a mail sent to a user could not be delivered the email-provider
will sent a notification to that address.

See: https://en.wikipedia.org/wiki/Bounce_address

Add test for proper email headers in sent messages
2017-03-14 18:22:54 +01:00
Bill Burke
6d51862057 Merge pull request #3897 from anderius/feature/KEYCLOAK-4504-redirect-logout
[WIP] Saml broker: Option to specify logout request binding
2017-03-14 11:32:26 -04:00
David Klassen
32d3f760ec KEYCLOAK-4421: Change http url to https
Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-14 10:18:40 +01:00
Pedro Igor
9d1d22565c Merge pull request #3938 from pedroigor/authz-fixes
AuthZ Services Fixes
2017-03-13 15:20:41 -03:00
Pedro Igor
e7e6314146 [KEYCLOAK-4555] - Fixes and improvements to evaluation code 2017-03-13 14:08:54 -03:00
Alexey Kazakov
063f5303dd KEYCLOAK-4568 Identity broker service may fail to validate client session if there is more then one active session 2017-03-11 12:59:25 -08:00
Mark Pardijs
c78c0b73d3 KEYCLOAK-4360: Add OneTimeUse condition to SAMLResponse
Add OneTimeUse Condition to SAMLResponse when configured in client settings
2017-03-09 13:01:05 +01:00
David Klassen
7029ef80f8 KEYCLOAK-2486: Update SimpleHTTP to use Apache HTTP Client
Update SimpleHTTP to use Apache HTTP client under the covers.
2017-03-09 09:23:09 +01:00
Thomas Darimont
1dea38bdbb KEYCLOAK-4205 Allow to return json arrays in Client and Realm Role Mappers
Previously the ClientRoleMapper and RealmRoleMapper returned
roles as a comma delimited String in OIDC tokens which
needed to be parsed by client applications.
We now support to generate the role information as JSON
arrays by setting "multi valued" to "true" in the
client role mapper or realm role mappers respectively
which makes it easier for clients to consume.

The default setting for "multi valued" is "false" to
remain backwards compatible.

An example AccessToken that shows the two modes can be found here:
https://gist.github.com/thomasdarimont/dff0cd691cd6e0b5e33c2eb4c76ae5e8
2017-03-08 20:56:56 +01:00
Bill Burke
efffcc5f41 Merge pull request #3915 from TeliaSoneraNorge/KEYCLOAK-4524
KEYCLOAK-4524
2017-03-08 10:08:04 -05:00
Bill Burke
c6dc59f63e Merge remote-tracking branch 'upstream/master' 2017-03-03 11:00:32 -05:00
Martin Hardselius
a0a85f62c6 KEYCLOAK-4524 possible to add identity prover mappers with same name into single identity provider
- unique name enforcement working
- test added
2017-03-03 16:40:49 +01:00
Bill Burke
3bb29e033b KEYCLOAK-4501, KEYCLOAK-4511, KEYCLOAK-4513 2017-03-03 09:48:52 -05:00
Bartosz Majsak
1a6bb2fedb Adds Openshift Identity Provider as part of social brokers 2017-03-02 15:14:57 +01:00
Marek Posolda
cfb8d25ff2 Merge pull request #3900 from KillerDiller/wellknownprovider-four-oh-four
KEYCLOAK-4519: Avoid NPE for unknown paths under .../.well-known/.
2017-03-02 12:22:35 +01:00
Marek Posolda
4f4ae44a16 Merge pull request #3896 from thomasdarimont/issue/KEYCLOAK-4505-expose-clientSession-binding-to-ScriptBasedAuthenticator
KEYCLOAK-4505 Expose current clientSession binding to ScriptBasedAuthenticator
2017-03-01 12:17:29 +01:00
mposolda
091b376624 KEYCLOAK-1590 Realm import per test class 2017-03-01 09:38:44 +01:00
Anders Båtstrand
8d82390843 KEYCLOAK-4504 New configuration option for SAML Broker:
* postBindingLogout: Indicates if POST or redirect should be used for the logout requests.

This applies to both IdP-initiated logout, and Keycloak-initiated logout. If unset (for example when upgrading Keycloak), the setting is initially set to the same as postBindingResponse.

The flag is also set when importing IdP metadata.
2017-02-28 12:08:22 +01:00
Bill Burke
0765b01189 Merge remote-tracking branch 'upstream/master' 2017-02-27 18:46:09 -05:00
Bill Burke
b4f625e1ce KEYCLOAK-4501 2017-02-27 18:46:00 -05:00
Stefan Paletta
bcbde3fdf0 Avoid NPE for unknown paths under .../.well-known/. 2017-02-27 02:42:02 +01:00
Anders Båtstrand
89c6cda2ac Two new configuration options for the Saml broker:
* wantAssertionsSigned: This will toggle the flag in the SP Metadata Descriptor, and validate the signature if and only if "Validate signature" is selected.
 * wantAssertionsEncrypted: This will simply require that the assertion is encrypted.

 Default behavior is unchanged. The signature validation uses the original XML, and supports therefore an IdP that adds whitespace and line breaks between tags (for example OpenAM).
2017-02-24 15:08:57 +01:00
Thomas Darimont
18a8ed3e95 KEYCLOAK-4505 Expose current clientSession binding to ScriptBasedAuthenticator.
Previously the ScriptBasedAuthenticator did not expose the current
clientSession from the AuthenticationFlowContext.
In order to implement client specific authentications with javascript
one needs information about the current client.
2017-02-24 14:01:10 +01:00
Stian Thorgersen
e2b1c97e26 KEYCLOAK-943 Added initial implementation for update profile 2017-02-24 13:19:29 +01:00
Stian Thorgersen
faf0e98665 Merge pull request #3736 from guusdk/api-documentation
Improving the generated REST API documentation
2017-02-20 15:30:32 +01:00
Stian Thorgersen
3653d7ed9a Merge pull request #3762 from sldab/hide-providers
KEYCLOAK-4224 Allow hiding identity providers on login page
2017-02-17 12:04:35 +01:00
Bill Burke
c3e72b11db KEYCLOAK-4382 2017-02-13 10:51:10 -05:00
Bill Burke
d9633dc20c Merge remote-tracking branch 'upstream/master' 2017-02-09 09:13:00 -05:00
Stian Thorgersen
44180a68e6 Merge pull request #3845 from frelibert/KEYCLOAK-4378
KEYCLOAK-4378 New user attribute is not added after first login from …
2017-02-09 10:02:09 +01:00
Bill Burke
cf5e2a1d20 unlink/remoteimported 2017-02-08 19:48:22 -05:00
Frederik Libert
f3a552ac9d KEYCLOAK-4378 New user attribute is not added after first login from broker 2017-02-07 15:37:16 +01:00
mposolda
8a16ab52a9 KEYCLOAK-4371 Offline Tokens still useless When SSO Session Max is Reached and normal userSession expired 2017-02-03 11:55:58 +01:00
Takashi Norimatsu
88bfa563df KEYCLOAK-2604 Proof Key for Code Exchange by OAuth Public Clients - RFC
7636 - Server Side Implementation
2017-02-03 10:38:54 +09:00
Bill Burke
1d04d56bdb Merge pull request #3816 from patriot1burke/master
KEYCLOAK-4218
2017-02-01 08:55:10 -05:00
Bill Burke
0d308e2b69 KEYCLOAK-4218 2017-01-31 15:15:49 -05:00
Pedro Igor
57c74e3f39 [KEYCLOAK-4341] - Resources are not properly exported when exporting authorization settings 2017-01-31 13:10:25 -02:00
Stian Thorgersen
6f22f88d85 Bump version to 3.0.0.CR1 2017-01-26 06:18:11 +01:00
Stian Thorgersen
d1e491d57d KEYCLOAK-4286 Add deprecated support for old keycloak.js 2017-01-25 15:59:43 +01:00
mposolda
2de2df3a41 KEYCLOAK-4282 Fix authorization import in DirImportProvider 2017-01-24 21:57:35 +01:00
mposolda
194a63cc71 KEYCLOAK-4282 Import authorization after users are imported 2017-01-24 17:32:34 +01:00
Stian Thorgersen
94ffeda62a Merge pull request #3773 from hmlnarik/KEYCLOAK-4181-SAML-Response-without-any-assertion-leads-to-an-exception
KEYCLOAK-4181 Fix handling of SAML error code in broker
2017-01-24 10:33:05 +01:00
Marek Posolda
29c0fe564c Merge pull request #3752 from mposolda/master
KEYCLOAK-4024 Migration of old offline tokens
2017-01-23 16:25:35 +01:00
Stian Thorgersen
15d0a116ac Merge pull request #3769 from hmlnarik/KEYCLOAK-4167-Unable-to-validate-access-token-for-OIDC-External-IDP-using-configured-public-key
KEYCLOAK-4167 Always use preset key for verification if key ID not set
2017-01-23 13:59:35 +01:00
Hynek Mlnarik
5da491c270 KEYCLOAK-4181 Fix handling of SAML error code in broker 2017-01-19 16:30:06 +01:00
Hynek Mlnarik
f289b281a0 KEYCLOAK-4262 2017-01-19 16:00:03 +01:00
Stian Thorgersen
536b88790e Merge pull request #3757 from mstruk/KEYCLOAK-4150
KEYCLOAK-4150 Unresolved variable ${cliane_security-admin-console} in admin web client
2017-01-19 13:55:36 +01:00
Bill Burke
73d3e8afd9 Merge pull request #3770 from patriot1burke/master
KEYCLOAK-4077
2017-01-19 07:35:10 -05:00
Hynek Mlnarik
df4f1e7129 KEYCLOAK-4167 Always use preset key for verification if key ID not set 2017-01-18 10:29:06 +01:00
Stian Thorgersen
5a0504b5d9 Merge pull request #3753 from hmlnarik/KEYCLOAK-4216-mod-auth-mellon-logout-failed-when-using-SSO
KEYCLOAK-4216 Fix NPE and logout binding choice
2017-01-18 08:40:02 +01:00
Stian Thorgersen
e364680792 Merge pull request #3721 from hmlnarik/KEYCLOAK-3399-End-session-endpoint-returns-error-when-keycloak-session-is-expired
KEYCLOAK-3399 Ignore user session expiration on OIDC logout
2017-01-18 08:38:53 +01:00
mposolda
843b4b470b KEYCLOAK-2333 LDAP/MSAD password policies are not used when user changes password 2017-01-17 21:06:09 +01:00
Bill Burke
dcf6da2a51 KEYCLOAK-4077 2017-01-17 09:20:44 -05:00
Slawomir Dabek
9bb65ba9b7 KEYCLOAK-4224 Allow hiding identity providers on login page 2017-01-17 14:32:59 +01:00
Stian Thorgersen
1913f801b9 Merge pull request #3739 from hmlnarik/KEYCLOAK-2847-Unexpected-error-when-trying-to-update-clientTemplate-to-already-existing-name
KEYCLOAK-2847 Fix for client template duplicate name
2017-01-16 09:45:39 +01:00
Stian Thorgersen
5842f7c837 Merge pull request #3751 from stianst/KEYCLOAK-4192
KEYCLOAK-4192 Added missing produces annotations for update methods
2017-01-16 09:41:29 +01:00
Stian Thorgersen
178625d3f2 Merge pull request #3745 from velias/master
KEYCLOAK-4202 - Attribute importer of Social Identity providers doesn't handle JSON 'null' values correctly
2017-01-16 08:22:04 +01:00
Marko Strukelj
d68f6bbc42 KEYCLOAK-4150 Unresolved variable ${cliane_security-admin-console} in admin web client 2017-01-13 17:48:21 +01:00
Bill Burke
ffb688b393 Merge remote-tracking branch 'upstream/master' 2017-01-13 11:45:55 -05:00
Bill Burke
6aee6b0c46 KEYCLOAK-4220 2017-01-13 11:45:48 -05:00
Hynek Mlnarik
02eda8943c KEYCLOAK-4216 Fix NPE and logout binding choice 2017-01-13 14:30:32 +01:00
mposolda
9ad14d991c KEYCLOAK-4140 Migration of old offline tokens 2017-01-13 11:35:19 +01:00
Stian Thorgersen
ac9268bd48 KEYCLOAK-4192 Added missing produces annotations for update methods 2017-01-13 09:56:20 +01:00
Hynek Mlnarik
0b58bebc90 KEYCLOAK-2847 Fix for client template duplicate name 2017-01-13 09:32:28 +01:00
mposolda
93157e49d5 KEYCLOAK-4201 Offline tokens become useless when accessing admin REST API 2017-01-13 09:06:53 +01:00
Vlastimil Elias
f13deab812 KEYCLOAK-4202 - Attribute importer of Social Identity providers doesn't
handle JSON 'null' values correctly
2017-01-12 14:14:09 +01:00
Hynek Mlnarik
e11957ecf3 KEYCLOAK-4167 Make OIDC identity provider key ID configurable 2017-01-11 18:24:22 +01:00
Guus der Kinderen
ba73ab1c2a API documentation: Overview to left-hand side 2017-01-10 17:08:32 +01:00
Guus der Kinderen
45f5fa6a74 API documentation: Introduce and group by tags.
This commit introduces grouping of the documented REST resources. The grouping is based
on a free-form name of a resource (a 'tag' in Swagger terminology), which is introduced
by adding a @resource javadoc tag to every Resource class.
2017-01-10 17:08:27 +01:00
Guus der Kinderen
50b7dbe7b2 API documentation: Update dependencies. 2017-01-10 17:08:14 +01:00
Marek Posolda
227900f288 Merge pull request #3731 from mposolda/master
KEYCLOAK-4175 Provide a way to set the connect and read timeout for l…
2017-01-10 09:49:18 +01:00
Stian Thorgersen
7eeebff874 Merge pull request #3720 from hmlnarik/KEYCLOAK-4091-Possible-NullPointerExceptions-with-disabled-cache
KEYCLOAK-4091 Prevent NPE with disabled cache
2017-01-10 06:23:10 +01:00
Bill Burke
452611242c Merge remote-tracking branch 'upstream/master' 2017-01-09 17:14:34 -05:00
Bill Burke
d075172fd2 KEYCLOAK-3617 KEYCLOAK-4117 KEYCLOAK-4118 2017-01-09 17:14:20 -05:00
mposolda
c32620b718 KEYCLOAK-4175 Provide a way to set the connect and read timeout for ldap connections 2017-01-09 21:35:58 +01:00
Pedro Igor
0b5b27ea3a [KEYCLOAK-4166] - Export/Import clients functionality not working as expected 2017-01-06 16:07:10 -02:00
Hynek Mlnarik
9fb3201c8b KEYCLOAK-3399 Ignore user session expiration on OIDC logout 2017-01-06 15:15:46 +01:00