libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions
24224 commits 4 branches 9 tags 483 MiB
Commit graph

4410 commits

Author SHA1 Message Date
Steven Hawkins
8d9439913c
fix: removal of resteasy-core (#27032) 
* fix: partial removal of resteasy-core

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: fully removing resteasy-core

closes: #26315

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-02-29 11:43:13 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm 
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2024-02-28 16:17:51 +01:00
Pedro Igor
788d146bf2 Use the target client when processing scopes for internal exchanges 
Closes #19183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-28 15:18:43 +01:00
graziang
16a854c91b Add option to clients to use lightweight access token 
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes #27238

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-02-28 10:18:26 +01:00
Pedro Igor
0c91fceaad Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests 
Closes #27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-27 20:37:27 +09:00
Dmitry Telegin
c18c4bbeb8 Remove setContext() + minor cleanup 
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
 2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4 Fix UMA 2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202 Split OAuth2GrantType and OAuth2GrantTypeFactory 2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b Revert dynamic grant type resolution 2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a simplify OAuth2GrantType.Context creation 2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06 rebase 2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3 - rework grant type resolution to use supports() in addition to grant type 
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
 2024-02-27 19:11:32 +09:00
Dmitry Telegin
cc9c8fe78a Use EnvironmentDependentProviderFactory for DeviceGrantType 2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e OAuth 2.0 Grant Type SPI 
Closes: #26250

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
 2024-02-27 19:11:32 +09:00
rmartinc
562decde35 Perform internal introspect for the access token in the account app 
Closes #27243

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-27 09:19:20 +01:00
kaustubh-rh
03f6cda85a
Prevent user from removing built-in client scopes (#27134) 
Closes #26937

Signed-off-by: Kaustubh B <kbawanka@redhat.com>
 2024-02-26 11:16:23 +01:00
Gilvan Filho
83af01c4c0 Add failedLoginNotBefore to AttackDetectionResource 
Closes #17574

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
 2024-02-26 09:35:51 +01:00
graziang
cecce40aa5 Avoid regenerating the totpSecret on every reload of the OTP configuration page 
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload

Closes #26052

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued 
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2024-02-22 12:56:44 +01:00
Takashi Norimatsu
1e12b15890 Supporting OAuth 2.1 for public clients 
closes #25316

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-22 10:57:29 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack 
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-02-22 09:34:51 +01:00
Takashi Norimatsu
9ea679ff35 Supporting OAuth 2.1 for confidential clients 
closes #25314

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-22 08:34:21 +01:00
Sebastian Schuster
5e34769ee0 27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning 
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
 2024-02-22 08:24:08 +09:00
Peter Keuter
01d66a662b
Expose display name and locales when user has ANY admin role (#27160) 
* chore: expose display name and locales when user has view-realm

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: supportedlocales are available as stream

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: tests

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: remove unnecessarily added ignore

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

---------

Signed-off-by: Peter Keuter <github@peterkeuter.nl>
 2024-02-21 13:30:31 -05:00
graziang
d13dc57a29 Removing duplicate claims in action tokens 
Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload

Closes #24980

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-02-21 11:30:49 +01:00
Takashi Norimatsu
1bdbaa2ca5 Client policies: executor for validate and match a redirect URI 
closes #25637

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-20 08:37:33 +01:00
Stefan Wiedemann
aa6b102e3d
Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 (#27030) 
closes #26936

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
 2024-02-19 17:41:40 +01:00
Pedro Hos
6b3fa8b7a7
Invalid redirect uri when identity provider alias has spaces (#22840) 
closes #22836


Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2024-02-19 14:40:42 +01:00
Takashi Norimatsu
2f35d0e346 Add EdDSA/Ed25519 to WebAuthn Signature algorithms 
closes #15000

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-19 14:08:04 +01:00
graziang
1f57fc141c UPDATED_PASSWORD required-action triggered only when login using password 
`UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`.
Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method.

Closes #17155

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-02-16 18:16:36 +01:00
Marek Posolda
c94f9f5716
Remove random redirect after password reset (#27076) 
closes #20867

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
 2024-02-16 18:13:27 +01:00
mposolda
eff6c3af78 During password reset, the baseURL is not shown on the info page after browser restart 
closes #21127

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-02-15 18:48:53 +01:00
Michal Hajas
e55ba5dcdc Make sure pagination is used even when first is null for getGroups endpoint 
Closes #25731

Signed-off-by: Michal Hajas <mhajas@redhat.com>
 2024-02-15 19:46:04 +09:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys 
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-15 08:16:45 +01:00
Steven Hawkins
df38081fe8
fix: add an info message, and converts info to debug on non-pem files (#26939) 
* fix: add an info message, and converts info to debug on non-pem files

closes: #26929

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update services/src/main/java/org/keycloak/truststore/TruststoreBuilder.java

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
 2024-02-14 19:55:53 +01:00
rmartinc
bc82929e3a Cors modifications for UserInfo endpoint 
Closes #26782

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-14 18:24:06 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager 
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
 2024-02-13 19:26:19 +01:00
rmartinc
bb12f3fb82 Do not require non-builtin attributes for service accounts 
Closes #26716

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-13 17:42:59 +01:00
Steven Hawkins
6bbf8358b4
task: addressing build warnings (#26877) 
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-02-13 17:04:43 +01:00
Steven Hawkins
3a04acab51
fix: adds pfx as a recognized extension (#26876) 
closes #24661

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-02-13 15:38:12 +01:00
Pedro Igor
e50642ac32 Allow setting a default user profile configuration 
Closes #26489

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-12 11:16:48 +01:00
Réda Housni Alaoui
67718c653a UPDATE_EMAIL action token handling should allow the user to resume its navigation to the redirect uri 
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
 2024-02-08 18:32:38 -03:00
Michal Hajas
de598577b1 Fix confusing SAML NameId mapper format tooltip 
Closes #26051
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
 2024-02-08 11:21:11 +01:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector (#26630) 
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
 2024-02-07 14:13:33 +00:00
Kamontat Chantrachirathumrong
516bfbe896
Support custom common path (#22717) 
Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>
 2024-02-06 20:41:39 -05:00
Dmitry Telegin
da69beed4d CORS SPI - code review 
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
 2024-02-06 15:27:53 -03:00
Dmitry Telegin
b0403e2268 CORS SPI 
Closes #25446

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
 2024-02-06 15:27:53 -03:00
mposolda
f468885fdd Empty error message when validation issue due the PersonNameProhibitedValidator validation 
closes #26750

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-02-06 12:56:50 -03:00
Stian Thorgersen
c4b1fd092a
Use code from RestEasy to create and set cookies (#26558) 
Closes #26557

Signed-off-by: stianst <stianst@gmail.com>
 2024-02-06 15:14:04 +01:00
rmartinc
720c5c6576 PKCE should return error if code_verifier sent but no code_challenge in the authorization request 
Closes #26430

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-06 08:31:56 -03:00