Commit graph

308 commits

Author SHA1 Message Date
EbenZhang
fa97c2419e Remove the deprecated from readString(InputStream, Charset)
I believe it was copied from the previous overload.
2017-04-13 15:42:23 +08:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
Bill Burke
b4f625e1ce KEYCLOAK-4501 2017-02-27 18:46:00 -05:00
Stian Thorgersen
6f22f88d85 Bump version to 3.0.0.CR1 2017-01-26 06:18:11 +01:00
Stian Thorgersen
e805ffd945 Bump version to 2.5.1.Final-SNAPSHOT 2016-12-22 08:22:18 +01:00
Stian Thorgersen
eb7ad07e31 KEYCLOAK-4109 Ability to disable impersonation 2016-12-20 08:46:21 +01:00
Stian Thorgersen
f29bb7d501 KEYCLOAK-4092 key provider for HMAC signatures 2016-12-19 10:50:43 +01:00
Hynek Mlnarik
7d51df4eed KEYCLOAK-3971 Explicitly set encoding for SAML message processing 2016-12-15 14:04:34 +01:00
Bill Burke
ce50b0ed29 Merge remote-tracking branch 'upstream/master' 2016-12-02 19:26:34 -05:00
Bill Burke
e88af874ca finish 2016-12-02 19:25:17 -05:00
Stian Thorgersen
b771b84f56 Bump to 2.5.0.Final-SNAPSHOT 2016-11-30 15:44:51 +01:00
Stian Thorgersen
6ec82865d3 Bump version to 2.4.1.Final-SNAPSHOT 2016-11-22 14:56:21 +01:00
Hynek Mlnarik
10deac0b06 KEYCLOAK-1881 KeyLocator implementation for SAML descriptor 2016-11-04 21:53:43 +01:00
Hynek Mlnarik
d5c3bde0af KEYCLOAK-1881 Make SAML descriptor endpoint return all certificates 2016-11-04 21:53:43 +01:00
Stian Thorgersen
4d47f758fc Merge pull request #3405 from stianst/master
Bump version
2016-10-21 10:11:59 +02:00
Stian Thorgersen
c615674cbb Bump version 2016-10-21 07:03:15 +02:00
Stian Thorgersen
5a00aaefa8 KEYCLOAK-2594
bind credential being leaked in admin tool JSON response

KEYCLOAK-2972
Keycloak leaks configuration passwords in Admin Event logs
2016-10-20 19:30:59 +02:00
Stian Thorgersen
d2cae0f8c3 KEYCLOAK-905
Realm key rotation for OIDC
2016-10-13 11:19:52 +02:00
Bill Burke
d4c3fae546 merge conflicts 2016-09-30 19:19:12 -04:00
mposolda
f9a0abcfc4 KEYCLOAK-3493 KEYCLOAK-3532 Added KeyStorageProvider. Support key rotation for OIDC clients and identity providers with JWKS url. 2016-09-30 21:28:23 +02:00
Bill Burke
8967ca4066 refactor mongo entities, optimize imports 2016-09-28 15:25:39 -04:00
Bill Burke
ecc104719d bump pom version 2016-09-26 11:01:18 -04:00
Stian Thorgersen
992268a8e6 KEYCLOAK-3579 Add ability to define profiles 2016-09-20 08:41:23 +02:00
Bill Burke
3b9a6b32e1 Revert "Revert "KEYCLOAK-3440""
This reverts commit 01e48dc4b8.
2016-09-07 23:41:32 -04:00
Bill Burke
01e48dc4b8 Revert "KEYCLOAK-3440" 2016-09-07 23:17:35 -04:00
Bill Burke
6714c1a136 cred refactor 2016-09-06 08:55:47 -04:00
mposolda
d52e043322 Set version to 2.2.0-SNAPSHOT 2016-08-10 08:57:18 +02:00
Bill Burke
72d134748c user fed spi querying tests 2016-07-22 11:42:07 -04:00
Bill Burke
b224917fc5 bump version 2016-06-30 17:17:53 -04:00
mposolda
c7335fa242 KEYCLOAK-2903 Fix WelcomeResource to not allow requests forwarded from proxy/loadbalancer 2016-04-26 12:03:43 +02:00
Stian Thorgersen
0fc4ca0d12 KEYCLOAK-2590 Add custom rest endpoint to set time offset 2016-04-06 11:14:37 +02:00
mposolda
65dc7ddb44 KEYCLOAK-2623 Remove auth-server-url-for-backend-requests from adapters 2016-04-05 11:43:41 +02:00
Stian Thorgersen
134c9b11c0 KEYCLOAK-2608
Timestamp resolution of 1s for Event.time is inappropriate for use with tests
2016-04-04 08:30:01 +02:00
mposolda
4193856fbb KEYCLOAK-2687 ZIPException during import big number of users 2016-03-22 07:04:54 +01:00
Stian Thorgersen
28fe13a800 Next is 2.0.0.CR1 2016-03-10 08:13:00 +01:00
Stian Thorgersen
d722e53108 Next is 1.9.2.Final 2016-03-10 07:28:27 +01:00
mposolda
e2558ca827 KEYCLOAK-1928 Fix Saml with IBM JDK 2016-02-29 17:32:33 +01:00
mposolda
94b3e85513 KEYCLOAK-1928 Fix kerberos with adapter on JDK7 2016-02-26 10:49:10 +01:00
mposolda
7f32ce810a KEYCLOAK-1928 Kerberos working with IBM JDK 2016-02-26 09:16:39 +01:00
Stian Thorgersen
a1d9753ec2 Next is 1.9.1.Final-SNAPSHOT 2016-02-23 08:48:26 +01:00
Stian Thorgersen
4fd97091ff Version bump to 2.0.0.CR1-SNAPSHOT 2016-02-22 11:36:56 +01:00
mposolda
0f21b6f6d9 KEYCLOAK-2479 Avoid ZIPException during bigger load 2016-02-18 19:28:20 +01:00
Stian Thorgersen
5bc3ee0e8c KEYCLOAK-2493
Set default theme based on product name
2016-02-16 18:05:06 +01:00
Stian Thorgersen
cc7f755fe9 KEYCLOAK-2425
Replacing SNAPSHOT with timestamp in /auth/resources/<VERSION> path doesn't work well with load balancing
2016-02-09 09:03:25 +01:00
Stian Thorgersen
579ab56a5a Bump version to 1.9.0.Final-SNAPSHOT 2016-02-04 15:55:11 +01:00
Stian Thorgersen
c7a8742a36 KEYCLOAK-1524
Source code headers
2016-02-03 11:20:22 +01:00
George Kankava
92a494359d squid:S1125 - Literal boolean values should not be used in condition expressions 2016-01-29 00:22:47 +04:00
Stian Thorgersen
0193c696ab Version bump 2016-01-13 09:20:38 +01:00
Stian Thorgersen
606e6fa479 KEYCLOAK-1934
Add display-name and display-name-html to realm
2015-12-21 12:15:13 +01:00
Stian Thorgersen
ff806eae08 Version bump 2015-12-01 19:54:28 +01:00
mposolda
ec327c99f4 KEYCLOAK-2152 KEYCLOAK-2061 Client switches changes. Support for response_types and grant_types in OIDC Client registration 2015-11-30 15:31:38 +01:00
mposolda
ef80b64d1c KEYCLOAK-1129 Implicit flow and Hybrid flow support 2015-11-27 22:28:38 +01:00
mposolda
ce4a865579 KEYCLOAK-1750 First broker login - tests 2015-11-13 09:32:46 +01:00
mposolda
adbf2b22ad KEYCLOAK-1750 Improve first time login with social. Added 'first broker login' flow 2015-11-09 10:34:55 +01:00
Stian Thorgersen
3f8312427a Version bump 2015-10-19 16:15:29 +02:00
mposolda
4587fd23b6 KEYCLOAK-1929 Change package names. Fix Fuse demo 2015-10-16 16:30:42 +02:00
Bill Burke
75343986b0 keycloak-common 2015-10-01 14:27:51 -04:00