The Token Exchange [RFC8693 Section-2.2.2](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2) requires
that the error code for invalid requests is `invalid_request`.
Previously, Keycloak used `invalid_token` as the error code.
Fixes#31547
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
- Move ClientData parsing out of SessionCodeChecks ctor
- Respond with a bad request if invalid client data is presented
Closes#32515
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
- org-linked brokers should not be available for login
- prepare the endpoint for search/pagination
Closes#31944
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Closes#32533
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Closes#10983
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
* added organizations table to account
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
* UI banner, labels and log messages are shown when temporary admin account is used
* added UI tests that check the elements' presence
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
* Upgrade to Quarkus 3.13.2
Closes#31676
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
- Compute issued_token_type response parameter based on requested_token_type and client configuration
- `issued_token_type` is a required response parameter as per [RFC8693 2.2.1](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1)
- Added test to ClientTokenExchangeTest that requests an access-token as requested-token-type
Fixes#31548
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Closes#31726
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
closes: #30658
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* Disable username prohibited chars validator when email as the username is set
Closes#25339
Signed-off-by: Martin Kanis <mkanis@redhat.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
The assessment response added a new field called accountDefenderAssessment.
This commit adds the new property, and also ensures new properties won't be
problematic next time by ignoring unknown properties on the top level object.
Closes: #30917
Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
* fix: adding password and service account based bootstrap and recovery
closes: #29324, #30002, #30003
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Fix tests
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
Previously the scope from the token was not set available in the ClientModelIdentity attributes.
This caused the NPE in `org.keycloak.authorization.policy.provider.clientscope.ClientScopePolicyProvider.hasClientScope`(..)
when calling `identity.getAttributes().getValue("scope")`.
We now pass the provided decoded AccessToken down to the ClientModelIdentity creation
to allow to populate the required scope attribute.
We also ensure backwards compatibility for ClientPermissionManagement API.
Fixes#26435
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* feat: add Artifact Binding on brokering scenarios when Keycloak is SP
Signed-off-by: tmorin <git@morin.io>
* Adding broker test and minor improvements
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Fixing IdentityProviderTest
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Renaming methods related to idp initiated flows
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Fixing partial_import_test.spec.ts
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---------
Signed-off-by: tmorin <git@morin.io>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
* change to make authServerUrl the same as authUrl
fixes: #29641
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Remove `authUrl` entirely
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Remove file that is unrelated
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Split out and align environment variables between consoles
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Restore removed variables to preserve backwards compatibility
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Also deprecate the `authUrl` for the Admin Console
Signed-off-by: Jon Koops <jonkoops@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* OpenJDK 21 support
Closes#28517
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* x509 SAN UPN other name is not handled in JDK 21 (#904)
closes#29968
Signed-off-by: mposolda <mposolda@gmail.com>
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
closes#25945
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
Co-authored-by: Erik Jan de Wit <edewit@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* initial screen
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* more screens
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added members tab
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added the backend
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added member add / invite models
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* initial version of the identity provider section
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* add link and unlink providers
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* small fix
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* PR comments
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Do not validate broker domain when the domain is an empty string
Closes#29759
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added filter and value
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added first name last name
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* refresh menu when realm organization is changed
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to record
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to form data
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed lint error
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Changing name of invitation parameters
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Chancing name of parameters on the client
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Enable organization at the realm before running tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Domain help message
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Handling model validation errors when creating organizations
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Message key for organizationDetails
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Do not change kc.org attribute on group
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* add realm into the context
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* tests
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Changing button in invitation model to use Send instead of Save
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Better message when validating the organization domain
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Fixing compilation error after rebase
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* removed wait as it no longer required and skip flacky test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* skip tests that are flaky
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* stabilize user create test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Previously the reason was omitted in the details because it was set after the event was already submitted.
Fixes#29948
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>