Commit graph

181 commits

Author SHA1 Message Date
Marek Posolda
e2fb8406a3
Fixing the docs about default hashing iterations (#27020)
closes #26816

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-02-15 08:11:44 +01:00
Joshua Sorah
b81233a4af
[docs] Align OAuth 2.0 Security Best Current Practice links (#24706)
Closes keycloak/keycloak#24705

Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2024-02-13 13:53:56 +01:00
Pedro Igor
750bc2c09c Reviewing references to user attribute management and UIs
Closes #26155

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-12 16:01:34 +01:00
mposolda
7af753e166 Documentation for AIA
closes #25569

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-02-12 09:42:34 +01:00
Thomas Darimont
93fc6a6c54 Shorter lifespan for offline session cache entries in memory
Closes #26810

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-02-09 19:44:04 +01:00
Michael Schnitzler
fdfe41bdda fix documentation for resetting OTP in "reset credentials" flow (#26834)
The former version stated that the "Reset OTP" step had to be disabled in the "reset credentials" authentication flow in order to keep the OTP unchanged. This leads to an error. More precisely, the "Reset - Conditional OTP" sub-flow has to be disabled.

Fixex #26834

Signed-off-by: Michael Schnitzler <schnitzler.michael+github@gmail.com>
2024-02-07 11:57:58 -03:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector (#26630)
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-07 14:13:33 +00:00
Pedro Igor
4338f44955 Reviewing the user profile documentation
Closes #26154

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-02 17:14:51 +01:00
christian-2
e14b523a8d
Fixes typo in Server Administration guide (#26543)
Signed-off-by: Christian Hörtnagl <christian2@univie.ac.at>
2024-02-01 19:36:32 +01:00
mposolda
56a605fae7 Documentation for SuppressRefreshTokenRotationExecutor
closes #26587

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-02-01 17:18:50 +01:00
Pedro Igor
3a7ce54266 Allow formating numbers when rendering attributes
Closes keycloak#26320

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-01 08:14:58 -03:00
Thomas Darimont
e7363905fa Change password hashing defaults according to OWASP recommendations (#16629)
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):

- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
  to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly

Fixes #16629

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-24 18:35:51 +01:00
Stian Thorgersen
fea49765f0
Remove Jetty 9.4 adapters (#26261)
Only removing the distribution of the Jetty adapter for now, and leaving the rest for now. This is due to the complexity of removing all Jetty adapter code due to Spring, OSGI, Fuse, testsuite, etc. and it will be better to leave the rest of the clean-up to after 24 when we are removing most adapters

Closes #26255

Signed-off-by: stianst <stianst@gmail.com>
2024-01-24 11:17:29 +01:00
Alexander Schwartz
b9498b91cb
Deprecating the offline session preloading (#26160)
Closes #25300

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-16 09:29:01 +01:00
AndyMunro
b875acbc20 Change RHDG to Infinispan
Closes #26083

Signed-off-by: AndyMunro <amunro@redhat.com>
2024-01-10 17:18:50 +01:00
Alexander Schwartz
4be4212dca
Remove conditionals about Linux vs. Windows (#26031)
Closes #26028

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-10 16:03:38 +01:00
shigeyuki kabano
8b65e6727b Creating documentation for Lightweight access token(#25743)
Closes keycloak#23725

Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2024-01-09 09:48:20 +01:00
Pedro Igor
7fad0e805e
Improve brute force documentation around how the effective wait time is calculated
Closes #25915

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-01-09 07:50:17 +00:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
Takashi Norimatsu
59536becec Client policies : executor for enforcing DPoP
closes #25315

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-12-18 10:45:18 +01:00
Steven Hawkins
8c3df19722
feature: add option for creating a global truststore (#24473)
closes #24148

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-11-30 08:57:17 +01:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
Tomas Ondrusko
8ac6120274
Social Identity Providers documentation adjustments (#24840)
Closes #24601

Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
2023-11-20 22:26:11 +01:00
Thomas Darimont
d30d692335 Introduce MaxAuthAge Password policy (#12943)
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.

Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin

Fixes #12943

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
rmartinc
5fad76070a Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
Closes https://github.com/keycloak/keycloak/issues/24659

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 18:22:16 +01:00
Tomas Ondrusko
fe48afc1dc Update Social Identity Providers documentation (#24601)
Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
2023-11-16 17:58:53 +01:00
andymunro
d4cee15c3a
Correct Securing Apps Guide (#24730)
* Correcting Securing Apps guide

Closes #24729

Signed-off-by: AndyMunro <amunro@redhat.com>

* Update docs/documentation/securing_apps/topics/saml/java/general-config/sp_role_mappings_provider_element.adoc

Co-authored-by: Stian Thorgersen <stian@redhat.com>

---------

Signed-off-by: AndyMunro <amunro@redhat.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2023-11-14 11:04:55 +01:00
AndyMunro
20f5edc708 Addressing Server Admin review comments
Closes #24643

Signed-off-by: AndyMunro <amunro@redhat.com>
2023-11-13 15:48:02 +01:00
Alexander Schwartz
8acb6c1845 Fix broken link to node.js and internal anchor
Closes #24699

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-13 12:20:54 +01:00
andymunro
bf17fcc0be
Fix broken links (#24476) 2023-11-13 09:17:34 +01:00
vramik
593c14cd26 Data too long for column 'DETAILS_JSON'
Closes #17258
2023-11-02 20:29:35 +01:00
AndyMunro
9ef9c944d0 Minor changes to documentation
Closes #24456
2023-11-01 22:14:11 +01:00
Justin Tay
3ff0476cc3 Allow customization of aud claim with JWT Authentication
Closes #21445
2023-10-31 11:33:47 -07:00
rmartinc
ea398c21da Add a property to the User Profile Email Validator for max length of the local part
Closes https://github.com/keycloak/keycloak/issues/24273
2023-10-27 15:09:42 +02:00
Takashi Norimatsu
1c8cddf145 passkeys: documentation
closes #23660
2023-10-24 14:48:13 +02:00
Joshua Sorah
e889d0f12c
[docs] Update Docker Registry links to new locations. (#24193)
Closes keycloak/keycloak#24179
2023-10-23 08:27:36 +02:00
Alexander Schwartz
a3c29b8880
Tidy up documentation around Windows/Linux usage (#23859)
Closes #23856
2023-10-17 10:41:44 +02:00
andymunro
6074cbf311
Limit Admin CLI windows support to upstream
Closes #23946

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-10-13 12:08:11 +02:00
Yoshikazu Nojima
058d00fea8 Rewrite mention to add-user-keycloak since it was already removed 2023-10-05 16:56:31 -03:00
andymunro
1332e53a97
Code certain features as upstream only (#23603)
Closes #23581
2023-10-03 14:50:23 -04:00
Marek Posolda
69466777c0
Clarify transient sessions documentation (#23328)
Closes #23044


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-27 15:14:52 +02:00
Marek Posolda
56b94148a0
Remove bearer-only occurences in the documentation when possible. Mak… (#23148)
closes #23066


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Jon Koops
82bf84eb6b Fix broken redirect in con-advanced-settings.adoc
Closes #23134
2023-09-11 11:46:54 +02:00
rmartinc
8887be7887 Add a new identity provider for LinkedIn based on OIDC
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
mposolda
57e51e9dd4 Use an original domain name of Kerberos Principal in UserModel attribute instead of configured value of Kerberos realm in User federation
closes #20045
2023-08-30 13:24:48 +02:00
Marek Posolda
4900165691 Update docs/documentation/server_admin/topics/clients/oidc/con-advanced-settings.adoc
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-08-08 09:47:28 +02:00
mposolda
710f28ce9e DPoP release notes and documentation polishing
closes #21922
2023-08-08 09:47:28 +02:00
Takashi Norimatsu
e46de8afeb DPoP documentation
closes #21917
2023-08-04 09:24:21 +02:00
Marek Posolda
d954dfec5e
Release notes and documentation for FAPI 2 (#22228)
Closes #21945


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-08-04 08:21:27 +02:00
Peter Zaoral
c5d9e222db Update OCP4 Social IdP example setup in the latest docs
* improved openshift.adoc

Closes #22159

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-08-03 18:57:08 +02:00
Alexander Schwartz
08dfdffbfb
Fixed updated links for freeipa (#22040)
Closes #22039
2023-07-28 07:31:03 +02:00
David Bister
9420670f14 Update regex password policy to state the specific type of regex to be used.
Closes #21652
2023-07-14 16:32:37 +02:00
Alexander Schwartz
8bdfb8e1b6 Updating performance information on export/import
Closes: #20703
2023-07-07 09:43:59 -03:00
Justin Stephenson
4ece83dd3d
Update freeipa container image to quay.io (#19729) 2023-07-06 14:04:05 +02:00
Ronald Petty
9e68f80377
Update keys.adoc as Field is in prior section (#21012) 2023-07-06 12:50:10 +02:00
Thomas Darimont
637fa741b0
Align naming of OTP policy window setting with actual semantics (#20469) (#21316)
Closes #20469
2023-07-04 12:41:21 +02:00
rmartinc
09e30b3c99 Support for JWE IDToken and UserInfo tokens in OIDC brokers
Closes https://github.com/keycloak/keycloak/issues/21254
2023-07-03 21:25:46 -03:00
Daniele Martinoli
e2ac9487f7
Conditional login through identity provider (#20188)
Closes #20191


Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-06-29 18:44:15 +02:00
Joshua Sorah
e945a056bb [docs] Update saml.xml.org link from http to https
closes keycloak/keycloak#21317
2023-06-29 18:24:14 +02:00
Ricardo Martin
1973d0f0d4 Check the redirect URI is http(s) when used for a form Post (#22)
Closes https://github.com/keycloak/security/issues/22

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2023-06-28 17:52:48 -03:00
Hynek Mlnarik
b8149d66ca Remove ldapsOnly (console and docs)
Closes: #9313
2023-06-28 08:30:09 +02:00
Hynek Mlnarik
c092c76ae8 Remove ldapsOnly (Java)
In `LDAPConstants.java`, the function to set the Truststore SPI system property was removed, as this is now handled by the `shouldUseTruststoreSpi` method in `LdapUtil`.

Closes: #9313
2023-06-28 08:30:09 +02:00
Joshua Sorah
c28eba6382 Fix failing External Link Checks
Update URLs that are just redirects to another page.
Point to RFC 7517 for JWK draft docs that were hosted on personal site

Closes keycloak/keycloak#21263
2023-06-27 20:58:17 +02:00
rmartinc
20121ee9da Update docs and tooltips for lifespan and idle timeout changes
Closes https://github.com/keycloak/keycloak/issues/20791
2023-06-20 09:01:32 +02:00
Daniele Martinoli
d9b271c22a
Extends the conditional user attribute authenticator to check the attributes of the joined groups (#20189)
Closes #20007
2023-06-19 15:22:35 +02:00
Réda Housni Alaoui
eb9bb281ec Require user to agree to 'terms and conditions' during registration 2023-06-08 10:39:00 -03:00
Takashi Norimatsu
a29c30ccd5 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request
closes #20623
2023-05-31 14:02:44 +02:00
Stefan Guilhen
27e79fb025 Fix LDAP user synchronization documentation
Closes #16833
2023-05-30 13:36:34 +02:00
Peter Zaoral
72b238fb48
Keystore vault (#19644)
* KeystoreVault SPI

* added KeystoreVault - a Vault SPI implementation (#19281)

Closes #17252

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-05-24 16:20:30 +00:00
Hynek Mlnařík
41cf72d57f
Add note about preserving ID in imports
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-05-18 13:23:07 +02:00
rmartinc
fdd5e51dbc SSSD documentation updated for quarkus distribution
Closes https://github.com/keycloak/keycloak/issues/20263
2023-05-16 14:26:04 +02:00
Takashi Norimatsu
7f5e94db87 KEYCLOAK-19539 FAPI 2.0 Baseline : Reject Implicit Grant 2023-05-16 14:17:29 +02:00
Alexander Schwartz
943b8a37d9
Replace guide with a placeholder for downstream docs (#20266)
Closes #20256
2023-05-16 08:59:11 +02:00
andymunro
30ce2d1e5b
Improve key rotation section (#19168)
Co-authored-by: Bruno Oliveira da Silva <bruno@abstractj.com>
2023-04-19 11:04:13 -03:00
mposolda
d89c81fec4 Authentication flows first paragraph seems incomplete
closes #19126
2023-04-12 15:21:03 +02:00
Pedro Hos
142bb30f66
Incorrect documentation around password policies (#19364)
closes #19363


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-03-29 10:09:40 +02:00
Marek Posolda
032ece9f7b
Clarify user session limits documentation and test SSO scenario (#19372)
Closes #17374


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-03-29 10:08:45 +02:00
Thomas Darimont
ad05557321 Revise password blacklist documentation
Closes #19279

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Andy Munro <amunro@redhat.com>
2023-03-28 08:01:39 +02:00
Konstantinos Georgilakis
fd28cd2d4b Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id
closes #16329
2023-03-23 11:45:34 +01:00
mposolda
9ed5e56fd5 Updating name of the provider in the docs
closes #19122
2023-03-23 07:41:57 -03:00
Alexander Schwartz
4dcb819c06 Moving docs to new folder
CIAM-5056
2023-03-20 09:07:58 +01:00