Commit graph

562 commits

Author SHA1 Message Date
mhajas
5b47df8979 KEYCLOAK-10013 Do not reject tokens with issuedAt == notBefore 2019-04-11 21:57:11 +02:00
Hynek Mlnarik
a63efd872d KEYCLOAK-9822 Fix deadlock in OIDC adapter upon logout 2019-04-09 21:03:02 +02:00
Pedro Igor
ad9f59f9f7 [KEYCLOAK-9353] - Avoids initialization of the policy enforcer during deployment 2019-04-05 16:02:53 -03:00
mposolda
a516a795a2 KEYCLOAK-9836 Deprecate keycloak-servlet-oauth-clien 2019-04-02 10:52:18 -03:00
Martin Ball
21e2fa8784 KEYCLOAK-4249 - Make IDP URL in keycloak-saml.xml configurable
Added the metadata url as an attribute on the IDP in the keycloak saml configuration which then propagates through to the DefaultSamlDeployment where it is used on the construction of the SamlDescriptorPublicKeyLocator thereby allowing support for ADFS or other IDP which uses a path that is different to the Keycloak IDP.

To make this work when testing with ADFS a change was made to SamlDescriptorIDPKeysExtractor because it would not extract keys from metadata which contained the EntityDescriptor as the root element. The solution was to change the xpath expression in SamlDescriptorIDPKeysExtractor so that it does not require a wrapping EntitiesDescriptor but instead loads all EntityDescriptors located in the document. This allows it to handle a single EntityDescriptor or multiple descriptors wrapped in an EntitiesDescriptor in the same xpath expression. A unit test SamlDescriptorIDPKeysExtractorTest has been added which validates that keys can be loaded in both scenarios.
2019-03-27 08:04:53 +01:00
Pedro Igor
20376c9111 [KEYCLOAK-9353] - Quarkus integration 2019-03-21 11:45:35 -03:00
Grzegorz Grzybek
e01562d7cf [KEYCLOAK-9646] Increase import range for javax.servlet API to cover EAP 7.2, servlet-api 4.0
[KEYCLOAK-9646] Update HOW-TO-RUN.md for Fuse 7.1+ instructions
2019-03-12 15:14:34 +01:00
keycloak-bot
e843d84f6e Set version to 6.0.0-SNAPSHOT 2019-03-06 15:54:08 +01:00
mhajas
8a750c7fca KEYCLOAK-6750 Adapt Tomcat adapter tests to new structure 2019-03-06 08:57:46 +01:00
Sebastian Laskawiec
406097a508 KEYCLOAK-6749 Jetty App Server 2019-03-05 15:21:48 +01:00
mposolda
d5b28013d1 KEYCLOAK-8523 Remove jaxrs package from old testsuite and deprecate jaxrs filter 2019-03-04 10:25:01 +01:00
Pedro Igor
75d9847672 [KEYCLOAK-9478] - Support multiple CIP providers in the policy enforcer configuration 2019-02-27 19:08:57 -03:00
sakanaou
007c364027 Store rewritten redirect URL in adapter-core 2019-02-27 15:39:32 -03:00
Philipp Nowak
39828b2c94 [KEYCLOAK-9539] Race condition SecurityContextHolder.setAuthentication()
This is an issue with the Spring Security Keycloak Adapter relating to
 the way the Authentication is stored in the SecurityContext, causing a
 race condition in application code using that. It does not seem to
 affect actual Spring Security operation.

We had a pretty strange race condition in our application. When many
 requests were incoming at the same time, occasionally the old
 unauthenticated Authentication provided to
 KeycloakAuthenticationProvider for performing the actual authentication
 would stay the current authentication, as returned by
 SecurityContextHolder.getContext().getAuthentication(). That resulted
 in authenticated users' JavaScript requests occasionally (~1/50 given a
 large request volume) returning a 403 because the 'old' token was still
 in the context, causing Spring Security to see them as unauthenticated.

This PR resolves this issue by replacing the whole context, as suggested
 by a Spring Security contributor in jzheaux/spring-security-oauth2-resource-server#48. By default,
 SecurityContextHolder keeps the actual context object in a ThreadLocal,
 which should be safe from race-conditions. The actual Authentication
 object, however, is kept in a mere field, hence the reason for this PR.

JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-9539
2019-02-27 14:58:10 -03:00
Pedro Igor
4d5dff1d64 [KEYCLOAK-9474] - Public endpoints are returning 403 with body when enforcement mode is disabled 2019-02-21 16:27:07 -03:00
stianst
e06c705ca8 Set version 5.0.0 2019-02-21 09:35:14 +01:00
Sebastian Laskawiec
ee41a0450f KEYCLOAK-8349 KEYCLOAK-8659 Use TLS for all tests in the suite 2019-02-08 08:57:48 -02:00
stianst
7c9f15778a Set version to 4.8.3.Final 2019-01-09 20:39:30 +01:00
stianst
7c4890152c Set version to 4.8.2 2019-01-03 14:43:22 +01:00
Charles Jourdan
68873c29b7 Fix on type for KeycloakInstance.realmAccess and KeycloakInstance.ressourceAccess 2018-12-13 19:03:47 +01:00
Stephane Nicoll
f739e2e2d8 KEYCLOAK-8155 Use Spring Boot autoconfigure-processor to optimize auto-configurations 2018-12-13 09:01:21 +01:00
Boudewijn van Klingeren
5354e88f60 KEYCLOAK-8243 Change error logging to debug for normal flow outcomes 2018-12-13 08:39:54 +01:00
sebastienblanc
aa89ae96a9 update and align Spring Boot versions 2018-12-11 15:34:47 +01:00
Pedro Igor
8204509b0c [KEYCLOAK-8980] - ElytronAccount not serializable 2018-12-10 08:55:00 +01:00
Hynek Mlnarik
27f145969f KEYCLOAK-7936 Prevent registration of the same node
The root cause is that NodesRegistrationManagement.tryRegister can be
called from multiple threads on the same node, so it can require
registration of the same node multiple times. Hence once it turns to
tasks that invoke sendRegistrationEvent (called sequentially), the same
check has been added to that method to prevent multiple invocations on
server side, or invocation upon undeployment/termination.
2018-12-05 12:34:17 +01:00
stianst
b674c0d4d9 Prepare for 4.8.0.Final 2018-12-04 13:54:25 +01:00
Hynek Mlnarik
c9cd060417 KEYCLOAK-8824 Fix servlet filter versions 2018-11-22 14:20:46 +01:00
stianst
ecd476fb10 Prepare for 4.7.0.Final 2018-11-14 20:10:59 +01:00
Hynek Mlnarik
7703d81389 KEYCLOAK-7421 Support SAML cluster logout for Elytron SAML adapter 2018-11-09 21:06:50 +01:00
stianst
1ee6fd7130 KEYCLOAK-8619 Fix check-sso when there is no cookie 2018-11-09 10:36:31 -02:00
vramik
560d76b7ee KEYCLOAK-6748 undertow saml adapter tests 2018-11-06 21:17:07 +01:00
Stefan Guilhen
3be2c35561 KEYCLOAK-8528 Change getRelativePath to include the servlet path followed by the path info 2018-11-06 13:43:50 +01:00
scranen
5880efe775 KEYCLOAK-4342 Make naming consistent 2018-11-06 10:28:06 -02:00
scranen
e6b9364c39 KEYCLOAK-4342 PR comments 2018-11-06 10:28:06 -02:00
scranen
0c6b20e862 [KEYCLOAK-4342] Make adapter state cookie path configurable 2018-11-06 10:28:06 -02:00
Pedro Igor
234b7a06a1 [KEYCLOAK-7798] - Spring security adapter does not renew expired tokens 2018-11-06 10:26:40 -02:00
BaHwan Han
91c4bfa81c The Keycloak JS adapter should not mutate browser history state 2018-10-29 20:08:32 +01:00
mposolda
c36b577566 KEYCLOAK-8483 Remove application from the aud claim of accessToken and refreshToken 2018-10-23 13:52:09 +02:00
Pedro Igor
6f8f8e6a28 [KEYCLOAK-8449] - Option to automatically map HTTP verbs to scopes when configuring the policy enforcer 2018-10-23 08:40:54 -03:00
vramik
7a96911a83 KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
vramik
623d985e7f KEYCLOAK-8454 KeycloakHttpServerAuthenticationMechanism uses wrong status code when logout page not set 2018-10-17 19:03:24 +02:00
mposolda
4483677cdd KEYCLOAK-8529 Fix most of adapter tests on EAP6 2018-10-12 12:01:33 +02:00
Tobias Gippert
c71f6e2188 The Keycloak JS adapter should not create a new browser history entry,
when it is redirecting the user, unless the user is in the admin console.
2018-10-12 09:42:26 +02:00
stianst
aaa33ad883 KEYCLOAK-8509 Improvements to session iframe 2018-10-10 21:01:05 +02:00
stianst
9be8bef575 KEYCLOAK-7920 Changes to native promises in JS adapter. Native promises have to be explicitly enabled and when they are old success/error functions are no longer supported. Internally we don't use native promises. 2018-10-10 21:00:19 +02:00
Frank Schmager
6b59c2f44c try to register node during authentication attempt in filter
* PreAuthActionsFilter registers deployment during authentication attempt to enable, well,
  node registration if filter is used by itself (if no securityConstraints when using spring boot and spring security)
* deregistering node during clean shutdown
* added unit test
2018-10-09 10:30:37 -03:00
sebastienblanc
fd0ab4a626 removing spring factories from core module 2018-10-09 14:17:33 +02:00
Pedro Igor
6fd4a02f95 [KEYCLOAK-8444] - Error when producing KeycloakSpringBootConfigResolver from spring security configuration 2018-10-08 09:29:59 -03:00
Hynek Mlnarik
211774ccbc KEYCLOAK-7810 Fix NPE in Elytron SAML adapter 2018-10-04 14:38:45 +02:00
Pedro Igor
2da758ac86 [KEYCLOAK-6928] - Selecting first bearer if multiple values exists in authorization header 2018-10-01 09:36:10 -03:00