* Adding additional non-applicable client fields to the default service-account client type configuration.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.
Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Removing reflection use for client types.
Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
More updates
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Update client utilzes type aware client property update method.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Cleaning up RepresentationToModel
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue when updating client secret.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issues with redirectUri and weborigins defaults in type aware clients.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to allow client attributes the ability to clear out values during update.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Renaming interface based on PR feedback.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Shall be able to override URI sets with an empty set.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
---------
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid.
closes#25807
Signed-off-by: Philip Sanetra <code@psanetra.de>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Philip Sanetra <code@psanetra.de>
Co-authored-by: rmartinc <rmartinc@redhat.com>
- prevents pre-loading all groups; instead use the stream from the JPA adapter to load subgroups one by one and then filter based on the user permissions.
Closes#28935
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Closes#47
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Conflicts:
core/src/main/java/org/keycloak/util/TokenUtil.java
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: vibrown <vibrown@redhat.com>
More updates
Signed-off-by: vibrown <vibrown@redhat.com>
Added client type logic from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
Testing to see if skipRestart was cause of test failures in MR
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).
This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.
Fixes: #26019
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
In the login theme, user profile attributes that
are not assigned to an attribute group should
appear before all other attributes. This aligns
the login theme (registration, verify profile,
etc.) with the account and admin console.
Fixes#27981
Signed-off-by: René Zeidler <rene.zeidler@gmx.de>
* no result to parse on success
fixes: #27245
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* translate error message
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.
Closes#26113
Signed-off-by: graziang <g.graziano94@gmail.com>
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.
Closes#27514
Signed-off-by: graziang <g.graziano94@gmail.com>
Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve
Closes#26100
Signed-off-by: graziang <g.graziano94@gmail.com>
List Google Authenticator as supported when
- hash algorithm is SHA256 or SHA512
- number of digits is 8
- OTP type is hotp
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.
Closes#24361
Signed-off-by: graziang <g.graziano94@gmail.com>
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes#27238
Signed-off-by: graziang <g.graziano94@gmail.com>
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload
Closes#26052
Signed-off-by: graziang <g.graziano94@gmail.com>
Closes#23539
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* chore: expose display name and locales when user has view-realm
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: supportedlocales are available as stream
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: tests
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: remove unnecessarily added ignore
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
---------
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload
Closes#24980
Signed-off-by: graziang <g.graziano94@gmail.com>
`UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`.
Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method.
Closes#17155
Signed-off-by: graziang <g.graziano94@gmail.com>
* fix: add an info message, and converts info to debug on non-pem files
closes: #26929
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update services/src/main/java/org/keycloak/truststore/TruststoreBuilder.java
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.
Closes#26431
Signed-off-by: vibrown <vibrown@redhat.com>
Cleaned up TODOs
Signed-off-by: vibrown <vibrown@redhat.com>
Added isSupported methods
Signed-off-by: vibrown <vibrown@redhat.com>
This change adds event for brute force protector when user account is
temporarily disabled.
It also lowers the priority of free-text log for failed login attempts.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.
Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.
Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Closes#13368
These changes introduce a new error handler for building error based on the media type.
- It should create error form response when it is valid HTML request
- It could create error response with JSON if content type matches
Signed-off-by: Lex Cao <lexcao@foxmail.com>
We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE.
Added proposed test case.
Closes#11178
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Chris Dolphy <cdolphy@redhat.com>
The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set.
This commit does not attempt to fetch the existing user if we don't have this info set.
Closes#26323
Signed-off-by: Chris Tanaskoski <chris@devristo.com>
* Allow selecting attributes from user profile when managing token mappers
closes#24250
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* moved login screen to patternfly 5
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added Feature flag to enable login v2
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* removed the old css and only include logo and background styles
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to experimental
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added login2
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added windows help texts
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* implement oid4vci service interfaces
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add oid4vc to the disabled features test
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix test and add doc
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add the new preview feature
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add class-level doc
remove wildcard imports
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* add license headers
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix year
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix teste
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* two additional test fixes
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* make the feature experimental
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* remove clock
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* remove usage of var
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* fix tests
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
---------
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>