Markus Till
72f73f153a
UserProfile M1
2020-10-05 09:59:44 -03:00
Pedro Igor
0d99e01b98
[KEYCLOAK-15807] - Wrong parsing of Cookie header
2020-10-02 08:19:24 -03:00
Michito Okai
eac3341241
KEYCLOAK-15779 Authorization Server Metadata for the URL of the
...
authorization server's JWK Set [JWK] document
2020-10-02 11:18:31 +02:00
Thomas Darimont
12576e339d
KEYCLOAK-15146 Add support for searching users by emailVerified status
...
We now allow to search for users by their emailVerified status.
This enables users to easily find users and deal with incomplete user accounts.
2020-09-29 08:28:59 -03:00
Takashi Norimatsu
6596811d5d
KEYCLOAK-14204 FAPI-RW Client Policy - Executor : Enforce Request Object satisfying high security level
2020-09-25 08:31:14 +02:00
Pedro Igor
76dede0f1e
[KEYCLOAK-14221] - Allow to map subject to userinfo response
2020-09-23 14:33:14 +02:00
Frode Ingebrigtsen
0a0b7da53e
KEYCLOAK-15429 Add CORS origin on permission request with invalid access token
2020-09-22 08:56:21 -03:00
Denis
50210c4d9b
KEYCLOAK-14161 Regression on custom registration process
2020-09-21 20:23:39 +02:00
mhajas
12bc84322a
KEYCLOAK-14974 Map group storage provider
2020-09-21 15:56:32 +02:00
testn
2cd03569d6
KEYCLOAK-15238: Fix potential resource leak from not closing Stream/Reader
2020-09-21 13:05:03 +02:00
Takashi Norimatsu
bd3840c606
KEYCLOAK-15559 Client Policy - Executor : Missing Help Text of SecureResponseTypeExecutor
2020-09-21 12:40:25 +02:00
vmuzikar
790b549cf9
KEYCLOAK-15262 Logout all sessions after password change
2020-09-18 20:09:40 -03:00
mhajas
b75ad2fbd8
KEYCLOAK-15259 Avoid using "null" Origin header as a valid value
2020-09-17 23:21:49 -07:00
mhajas
f7e0af438d
KEYCLOAK-14232 Add Referrer-Policy: no-referrer to each response from Keycloak
...
(cherry picked from commit 0b49640231abc6e465542bd2608e1c908c079ced)
2020-09-17 23:21:49 -07:00
Luca Leonardo Scorcia
10077b1efe
KEYCLOAK-15485 Add option to enable SAML SP metadata signature
2020-09-16 16:40:45 +02:00
Mark Wolfe
3723d78e3c
KEYCLOAK-15460 Fix missing event types in SAML endpoint
...
A change was done in 32f13016fa
which isn't setting the type for events and causing an internal error.
2020-09-16 16:36:19 +02:00
Martin Kanis
5d5e56dde3
KEYCLOAK-15199 Complement methods for accessing roles with Stream variants
2020-09-16 16:29:51 +02:00
Benjamin Weimer
f874e9a43c
KEYCLOAK-9874 include realm and client roles in user info response
2020-09-16 10:01:02 +02:00
Takashi Norimatsu
b670734eec
KEYCLOAK-14205 FAPI-RW Client Policy - Executor : Enforce Response Type of OIDC Hybrid Flow
2020-09-14 20:58:25 +02:00
Hynek Mlnarik
a05066d567
KEYCLOAK-15477 Fix permission evaluation logic
2020-09-14 20:53:46 +02:00
mposolda
4123b7a91e
KEYCLOAK-11678 Remove dummy resource. Adding keycloak-services and liquibase to jandex indexing
2020-09-14 09:27:34 -03:00
vmuzikar
a9a719b88c
KEYCLOAK-15270 Account REST API doesn't verify audience
2020-09-14 08:43:09 -03:00
mhajas
3186f1b5a9
KEYCLOAK-15514 Update AbstractStorageManager to check capability interface types
2020-09-11 14:42:48 +02:00
Miquel Simon
2572b1464b
KEYCLOAK-15395. Removed totp/remove (DELETE) and credentials/password (GET, POST) endpoints.
2020-09-10 18:03:03 -03:00
Takashi Norimatsu
af2f18449b
KEYCLOAK-14195 FAPI-RW Client Policy - Condition : Client - Client Role
2020-09-10 18:34:19 +02:00
Clement Cureau
b19fe5c01b
Finegrain admin as fallback and added some tests
2020-09-10 12:26:55 -03:00
Clement Cureau
73378df52e
[KEYCLOAK-11621] Allow user creation via group permissions (Admin API)
...
Problem:
Using fine-grained admin permissions on groups, it is not permitted to create new users
within a group.
Cause:
The POST /{realm}/users API does not check permission for each group part of the new
user representation
Solution:
- Change access logic for POST /{realm}/users to require MANAGE_MEMBERS and
MANAGE_MEMBERSHIP permissions on each of the incoming groups
Tests:
Manual API testing performed:
1. admin user from master realm:
- POST /{realm}/users without groups => HTTP 201 user created
- POST /{realm}/users with groups => HTTP 201 user created
2. user with MANAGE_MEMBERS & MANAGE_MEMBERSHIP permissions on group1
- POST /{realm}/users without groups => HTTP 403 user NOT created
- POST /{realm}/users with group1 => HTTP 201 user created
- POST /{realm}/users with group1 & group2 => HTTP 403 user NOT created
- POST /{realm}/users with group1 & wrong group path => HTTP 400 user NOT created
3. user with MANAGE_MEMBERS permission on group1
- POST /{realm}/users without groups => HTTP 403 user NOT created
- POST /{realm}/users with group1 => HTTP 403 user NOT created
- POST /{realm}/users with group1 & group2 => HTTP 403 user NOT created
- POST /{realm}/users with group1 & wrong group path => HTTP 400 user NOT created
2020-09-10 12:26:55 -03:00
Sebastian Laskawiec
e01159a943
KEYCLOAK-14767 OpenShift Review Endpoint audience fix
2020-09-09 11:57:24 -03:00
Takashi Norimatsu
cbb79f0430
KEYCLOAK-15448 FAPI-RW : Error Response on OIDC private_key_jwt Client Authentication Error (400 error=invalid_client)
2020-09-09 11:14:21 +02:00
Benjamin Weimer
b2934e8dd0
KEYCLOAK-15327 backchannel logout invalidate offline session even if there is no corresponding active session found
2020-09-08 11:17:20 -03:00
Martin Kanis
4e9bdd44f3
KEYCLOAK-14901 Replace deprecated ClientProvider related methods across Keycloak
2020-09-07 13:11:55 +02:00
stianst
76f7fbb984
KEYCLOAK-14548 Add support for cached gzip encoding of resources
2020-09-07 00:58:47 -07:00
Martin Bartos
e34ff6cd9c
[KEYCLOAK-14326] Identity Provider force sync is not working
2020-09-07 09:42:40 +02:00
Takashi Norimatsu
1d8230d438
KEYCLOAK-14190 Client Policy - Condition : The way of creating/updating a client
2020-09-04 09:54:55 +02:00
Luca Leonardo Scorcia
67b2d5ffdd
KEYCLOAK-14961 SAML Client: Add ability to request specific AuthnContexts to remote IdPs
2020-09-03 21:25:36 +02:00
Konstantinos Georgilakis
1fa93db1b4
KEYCLOAK-14304 Enhance SAML Identity Provider Metadata processing
2020-09-02 20:43:09 +02:00
Takashi Norimatsu
b93a6ed19f
KEYCLOAK-14919 Dynamic registration - Scope ignored
2020-09-02 13:59:22 +02:00
Takashi Norimatsu
107a429238
KEYCLOAK-15236 FAPI-RW : Error Response on OAuth 2.0 Mutual TLS Client Authentication Error (400 error=invalid_client)
2020-09-02 09:31:20 +02:00
mhajas
3928a49c77
KEYCLOAK-14816 Reset brute-force-detection data for the user after a successful password grant type flow
2020-09-01 21:45:17 +02:00
Hynek Mlnarik
583fa07bc4
KEYCLOAK-11029 Support modification of broker username / ID for identity provider linking
2020-09-01 20:40:38 +02:00
mhajas
bdccfef513
KEYCLOAK-14973 Create GroupStorageManager
2020-09-01 10:21:39 +02:00
Martin Bartos
9c847ab176
[KEYCLOAK-14432] Unhandled NPE in identity broker auth response
2020-08-31 14:14:42 +02:00
Martin Kanis
d59a74c364
KEYCLOAK-15102 Complement methods for accessing groups with Stream variants
2020-08-28 20:56:10 +02:00
Stan Silvert
35931d60eb
KEYCLOAK-15137: Move PF4 css files to keycloak/common
2020-08-20 08:46:28 -04:00
Pratik Somanagoudar
f486e97c18
KEYCLOAK-15087 : Reduce get client and get roles calls in realm create
2020-08-20 08:49:51 -03:00
mhajas
ae39760a62
KEYCLOAK-14972 Add independent GroupProvider interface
2020-08-13 21:13:12 +02:00
Benjamin Weimer
fdcfa6e13e
KEYCLOAK-15156 backchannel logout offline session handling
2020-08-13 08:09:59 -03:00
David Hellwig
ddc2c25951
KEYCLOAK-2940 - draft - Backchannel Logout ( #7272 )
...
* KEYCLOAK-2940 Backchannel Logout
Co-authored-by: Benjamin Weimer <external.Benjamin.Weimer@bosch-si.com>
Co-authored-by: David Hellwig <hed4be@bosch.com>
2020-08-12 09:07:58 -03:00
Sebastian Paetzold
4ff34c1be9
KEYCLOAK-14890 Improve null handling in case of missing NameId
2020-08-06 10:45:22 -03:00
Dmitry Telegin
70ee36224c
KEYCLOAK-14944 - Unit test failure in keycloak-services on Java 11
2020-08-05 10:41:43 -03:00
vmuzikar
b68d06f91c
KEYCLOAK-13127 Update Account Console to Account REST API v1
2020-08-04 18:43:23 -03:00
zak905
8597edba8e
KEYCLOAK-14851: make AIA max auth age configurable per AIA
2020-08-04 13:30:37 -04:00
vramik
6b00633c47
KEYCLOAK-14812 Create RoleStorageManager
2020-07-31 15:11:25 -03:00
vramik
bfa21c912c
KEYCLOAK-14811 Create RoleProvider and make it independent of ClientProvider and RealmProvider
2020-07-31 15:11:25 -03:00
Dillon Sellars
25bb2e3ba2
KEYCLOAK-14529 Signed and Encrypted ID Token Support : RSA-OAEP-256 Key Management Algorithm
2020-07-30 15:20:51 +02:00
Yoshiyuki Tabata
cd76ed0d74
KEYCLOAK-14289 OAuth Authorization Server Metadata for Token Revocation
2020-07-29 11:41:56 +02:00
Martin Idel
97400827d2
KEYCLOAK-14870: Fix bug where user is incorrectly imported
...
Bug: SerializedBrokeredIdentityContext was changed to mirror
UserModel changes. However, when creating the user in LDAP,
the username must be provided first (everything else can
be handled via attributes).
2020-07-29 11:33:41 +02:00
Takashi Norimatsu
0191f91850
KEYCLOAK-14380 Support Requesting Claims using the claims Request Parameter
2020-07-29 09:53:28 +02:00
Martin Idel
330a3d8ff5
KEYCLOAK-14904 Fix AccountRestService
...
- custom attributes in UserModel are removed during update
- this can break caching (doesn't break if user is written
to database)
- also ensure that we don't accidentally change username
and/or firstName/lastName through attributes
2020-07-28 10:03:14 +02:00
Martin Kanis
feef5b4db2
KEYCLOAK-14220 Complement methods for accessing clients with Stream variants
2020-07-27 10:38:39 +02:00
Luca Leonardo Scorcia
da6530471b
KEYCLOAK-14742 SAML2NameIDPolicyBuilder: add AllowCreate and SPNameQualifier properties
2020-07-25 10:16:57 +02:00
Lorent Lempereur
0d5b5abb4d
KEYCLOAK-13962 SAML2 Identity Provider - During login phase, SamlAuthenticationPreprocessors are not taken into account to produce an appropriate destination url
2020-07-25 00:10:43 +02:00
Lorent Lempereur
e82fe7d9e3
KEYCLOAK-13950 SAML2 Identity Provider - Send Subject in SAML requests
2020-07-24 21:41:57 +02:00
Hynek Mlnarik
c566b46e8f
KEYCLOAK-14549 Make ClientProvider independent of RealmProvider
...
Co-Authored-By: vramik <vramik@redhat.com>
2020-07-22 00:08:15 +02:00
Pedro Igor
7501e42969
[KEYCLOAK-14646] - Improving permission resolution and evaluation
2020-07-21 14:22:09 +02:00
Luca Leonardo Scorcia
9204402514
KEYCLOAK-14820 Import the NameIDPolicyFormat attribute from SAML IDP metadata descriptors
2020-07-21 12:23:25 +02:00
Takashi Norimatsu
e0fbfa722e
KEYCLOAK-14189 Client Policy : Basics
2020-07-21 07:50:08 +02:00
Douglas Palmer
6d5495141d
[KEYCLOAK-14611] Incorrect error message shown on duplicated email registration
2020-07-20 18:17:54 -03:00
Thomas Vitale
4cd5ace800
KEYCLOAK-9321 Remove invalid token_introspection_endpoint
...
The discovery document is advertizing both token_introspection_endpoint
and introspection_endpoint. The former has been removed as it is not
defined by OAuth2/OIDC.
2020-07-17 11:41:28 +02:00
Pedro Igor
582046bbfe
[KEYCLOAK-13141] - Fixing filter
2020-07-15 11:00:55 -03:00
Luca Leonardo Scorcia
f8a4f66d6c
KEYCLOAK-13698 - SAML Client - Add certificate info to signature
...
Adds the X509Data tag to the XML Document signature in AuthnRequests
2020-07-10 23:06:37 +02:00
vmuzikar
7087c081f0
KEYCLOAK-14023 Instagram User Endpoint change
...
Co-authored-by: Jean-Baptiste PIN <jibet.pin@gmail.com>
2020-07-10 17:36:51 -03:00
Pedro Igor
1db1deb066
[KEYCLOAK-13141] - Supporting re-augmentation
2020-07-10 11:04:46 -03:00
Luca Leonardo Scorcia
d6934c64fd
Refactor SAML metadata generation to use the SAMLMetadataWriter class
2020-07-09 09:39:35 +02:00
slayne
e22fdabc02
KEYCLOAK-14146 : null check on subject nameId
2020-07-09 09:34:50 +02:00
Pete Cracknell
2ec572e9b5
KEYCLOAK-14655 Check issuer config exists
2020-07-07 22:47:56 +02:00
Pedro Igor
9c4da9b3ce
[KEYCLOAK-14147] - Request filter refactoring
...
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>
2020-07-07 11:26:12 -03:00
kurisumakise2011
738f24aa38
[KEYCLOAK-14570] Resolve nullpointer issue in controller
...
Some ProviderFactory returns null as properties instead of
Collections.emptyList() and it leads to NPE.
Fix it with using Optional.ofNullable(...).orElse(Collections.emptyList())
2020-07-07 07:46:26 +02:00
Douglas Palmer
9369c7cf4d
Add filter by name to applications endpoint
2020-07-03 15:35:38 -03:00
Martin Idel
8fe25948f7
KEYCLOAK-13959 Add AdvancedAttribute mapper for SAML to allow regexes
2020-07-03 18:19:35 +02:00
Plamen Kostov
f639cc82b7
[KEYCLOAK-14282] Fix missing flag for enabled and exact flag
2020-07-03 09:07:42 -03:00
Plamen Kostov
914b226d11
[KEYCLOAK-14282] Create additional filtering for GET /users endpoint for enabled/disabled users
2020-07-03 09:07:42 -03:00
Axel Messinese
f30395d535
KEYCLOAK-12687 Add briefRepresentation queryParams to get roles 'composite' endpoints
2020-07-03 09:41:53 +02:00
Oleksandr Shevchuk
10cdc581f9
KEYCLOAK-11683 Reduce unnecessary load on work cache
2020-07-03 09:38:42 +02:00
Bartosz Siemieńczuk
e2040f5d13
KEYCLOAK-14006 Allow administrator to add additional fields to be fetched with Facebook profile request
2020-07-01 18:27:04 -03:00
Eric Rodrigues Pires
de9a0a0a4a
[KEYCLOAK-13044] Fix owner name representations of UMA tickets for client-owned resources
2020-07-01 18:15:22 -03:00
vmuzikar
001fe9eb11
KEYCLOAK-13206 Session Status iframe cannot access cookies when 3rd party cookies are blocked
...
Co-authored-by: mhajas <mhajas@redhat.com>
2020-06-30 17:11:20 -03:00
Stan Silvert
25e8210066
KEYCLOAK-14584: Clients that have empty string as Base URL are displayed
...
in Account Console
2020-06-29 09:41:55 -03:00
Douglas Palmer
5e44bb781b
[KEYCLOAK-14344] Cannot revoke offline access for an app if the app doesn't require consent
2020-06-26 14:56:08 -04:00
Martin Idel
05b6ef8327
KEYCLOAK-14536 Migrate UserModel fields to attributes
...
- In order to make lastName/firstName/email/username field
configurable in profile
we need to store it as an attribute
- Keep database as is for now (no impact on performance, schema)
- Keep field names and getters and setters (no impact on FTL files)
Fix tests with logic changes
- PolicyEvaluationTest: We need to take new user attributes into account
- UserTest: We need to take into account new user attributes
Potential impact on users:
- When subclassing UserModel, consistency issues may occur since one can
now set e.g. username via setSingleAttribute also
- When using PolicyEvaluations, the number of attributes has changed
2020-06-25 14:50:57 +02:00
Douglas Palmer
1434f14663
[KEYCLOAK-14346] Base URL for applications is broken
2020-06-23 15:26:07 -03:00
ynojima
420968cc53
Update WebAuthn4J to 0.12.0.RELEASE
2020-06-23 10:53:08 +02:00
Erik Jan de Wit
55291bad76
KEYCLOAK-14531 Welcome cards should be driven by content.json
...
`content.js` is now `content.json` it's used in freemarker to create the cards
2020-06-22 11:29:20 -04:00
Hiroyuki Wada
f73b51818b
KEYCLOAK-14113 Support for exchanging to SAML 2.0 token
2020-06-19 22:08:42 +02:00
Dirk Weinhardt
08dca9e89f
KEYCLOAK-13205 Apply locale resolution strategy to admin console.
2020-06-19 10:27:13 -04:00
Dmitry Telegin
219d2b9a7c
KEYCLOAK-14156 - Passive authentication emits incomplete LOGIN event
2020-06-19 11:14:32 +02:00
Martin Bartos
ec9bf6206e
[KEYCLOAK-13202] Reset password redirects to account client
2020-06-18 13:08:36 +02:00
Erik Jan de Wit
c20766f2d7
KEYCLOAK-14140 added more test cases
...
Co-authored-by: vmuzikar <vmuzikar@redhat.com>
2020-06-17 13:56:11 -04:00
Thomas Darimont
92ab9c08ae
KEYCLOAK-8100 Expose sub claim in OIDC IdentityBroker Mappers
...
We now expose the claims "sub" for use in Identity Broker mappers.
Previously claims directly mapped to `JsonWebToken` fields were not
accessible for mappings.
2020-06-17 12:56:08 -03:00
Pedro Igor
d331091c5e
[KEYCLOAK-11330] - Quarkus tests
2020-06-17 17:20:55 +02:00
Martin Kanis
8f18cf1646
KEYCLOAK-14132 DefaultSecurityHeadersProvider should support 307 as redirect code
2020-06-17 11:55:40 +02:00
Tero Saarni
3c82f523ff
[KEYCLOAK-14343] Truststore SPI support for LDAP with StartTLS
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-06-11 18:07:53 +02:00
Pedro Igor
e16f30d31f
[KEYCLOAK-2343] - Allow exact user search by user attributes
...
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2020-06-10 12:02:50 -03:00
Erik Jan de Wit
8b0760a6d1
KEYCLOAK-14158 Polished the My Resource page
...
empty state
change case
added dropdown menu instead of buttons
now on edit you can add and remove permissions
changed how the actions work
updated success messages
use live region alerts toast alerts
username or email search
labels for the buttons
margin between accecpt and deny button
fixed test and types
changed to bigger distance with split component
changed to use seperate empty state component
2020-06-08 09:05:30 -04:00
Yoshiyuki Tabata
f03ee2ec98
KEYCLOAK-14145 OIDC support for Client "offline" session lifespan
2020-06-04 14:24:52 +02:00
Denis
8d6f8d0465
EYCLOAK-12741 Add name and description edit functionality to Authentication and Execution Flows
2020-06-04 08:08:52 +02:00
Pedro Igor
e8dc10b4a1
[KEYCLOAK-11330] - Properly handling POST formdata and UriInfo
2020-06-02 09:36:40 +02:00
stianst
90b29b0e31
KEYCLOAK-14107 Admin page content blocked on v10.0.0 due to content security policy
2020-05-29 13:57:38 +02:00
Benjamin Weimer
4265fdcab2
KEYCLOAK-14318 Client Empty Root URL and relative Base URL is valid
2020-05-29 11:21:28 +02:00
vmuzikar
f8dce7fc3e
KEYCLOAK-13819 SAML brokering with POST binding is broken by new SameSite policies
2020-05-28 13:37:56 +02:00
Youssef El Houti
086bdd1700
add optional field at_hash to idToken when using Authorization Code flow since it improves performance and allows to follow the recommandation in RFC for clients to use hash for access_token validation
2020-05-27 07:34:05 +02:00
Pedro Igor
bc901d0025
[KEYCLOAK-14299] - Do not create keys during startup but on-demand
2020-05-26 15:13:26 -03:00
Pedro Igor
f15821fe69
[KEYCLOAK-11679] - Server startup on Quarkus
2020-05-26 08:34:07 -03:00
Hynek Mlnarik
7deb89caab
KEYCLOAK-10729 Do not serialize SAML signature
2020-05-25 15:38:17 +02:00
cachescrubber
3382682115
KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation … ( #6962 )
...
* KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation (RFC-3062).
* KEYCLOAK-10927 - Introduce getLDAPSupportedExtensions(). Use result instead of configuration.
Co-authored-by: Lars Uffmann <lars.uffmann@vitroconnect.de>
Co-authored-by: Kevin Kappen <kevin.kappen@vitroconnect.de>
Co-authored-by: mposolda <mposolda@gmail.com>
2020-05-20 21:04:45 +02:00
Stan Silvert
13d0491ff3
KEYCLOAK-14038: Re-allow special characters for Roles only
2020-05-20 07:53:23 -04:00
Takashi Norimatsu
c057b994e7
KEYCLOAK-13104 Signed and Encrypted ID Token Support : AES 192bit and 256bit key support
2020-05-20 09:01:59 +02:00
Takashi Norimatsu
be0ba79daa
KEYCLOAK-7997 Implement Client Registration Metadata based on Mutual TLS
2020-05-19 17:00:41 +02:00
mposolda
12d965abf3
KEYCLOAK-13047 LDAP no-import fixes. Avoid lost updates - dont allow update attributes, which are not mapped to LDAP
2020-05-19 16:58:25 +02:00
Martin Kanis
6f43b58ccf
KEYCLOAK-14074 filterIdentityProviders compares providerId instead of alias
2020-05-19 09:46:21 +02:00
Thomas Darimont
6211fa90e0
KEYCLOAK-10932 Honor given_name and family_name in OIDC brokering
...
Previously firstname and lastname were derived from the name claim.
We now use direct mappings to extract firstname and lastname from
given_name and family_name claims.
Added test to KcOidcFirstBrokerLoginTest
Marked org.keycloak.broker.provider.BrokeredIdentityContext#setName
as deprecated to avoid breaking existing integrations.
2020-05-19 09:10:43 +02:00
stianst
d99d65eb92
KEYCLOAK-14163 Common resources are not loaded from common path
2020-05-18 15:08:34 +02:00
Pedro Igor
bae802bcfa
[KEYCLOAK-11784] - Using Hibernate Extension
2020-05-14 11:10:46 +02:00
stianst
b04932ede5
KEYCLOAK-12414 Remove the need to specify defaults in config file
2020-05-13 09:02:29 -03:00
Pedro Igor
35f622f48e
[KEYCLOAK-11719] - Remove need for servlets/undertow from Quarkus dist
...
Co-authored-by: MatthewC <matthewc@backbase.com>
2020-05-13 09:28:58 +02:00
Sven-Torben Janus
fcb0e450a0
KEYCLOAK-13817 Return local user from LDAPStorageProvider
2020-05-12 20:50:18 +02:00
Yoshiyuki Tabata
f7d00fc2e9
KEYCLOAK-13844 "exp" claim should not be "0" when using offline token
2020-05-12 16:14:37 +02:00
stianst
49db2c13a5
KEYCLOAK-8141 Fix issue where attribute values are duplicated if updates to user are done in parallell
2020-05-12 09:06:44 +02:00
Pedro Igor
44c49d69a7
[KEYCLOAK-13071] - AuthorizationTokenService swallows Exceptions thrown by KeycloakIdentity
2020-05-08 09:21:37 +02:00
Takashi Norimatsu
3716bd96ad
KEYCLOAK-14093 Specify Signature Algorithm in Signed JWT with Client Secret
2020-05-07 11:28:39 +02:00
Agniswar Mandal
8646d0668a
KEYCLOAK-14072 docker-compose.yaml file generated creates an invalid urls
...
* Updated Invalid URLs
The docker-compose.yaml file generated creates an invalid url for REGISTRY_AUTH_TOKEN_REALM and REGISTRY_AUTH_TOKEN_ISSUER. Fixed
* KEYCLOAK-14072 JIRA#14072
Test coverage fix for the the JIRA#14072
2020-05-07 08:40:52 +02:00
stianst
2be61246f4
KEYCLOAK-14057 Fix resource not found error when creating policy
2020-05-06 11:08:29 +02:00
Takashi Norimatsu
0d0617d44a
KEYCLOAK-13720 Specify Signature Algorithm in Signed JWT Client Authentication
2020-05-05 17:43:00 +02:00
rmartinc
f0852fd362
KEYCLOAK-13823: "Dir" Full export/import: On import, service account roles and authorization info are not imported
2020-05-05 17:05:56 +02:00
Vanrar68
85feda3beb
KEYCLOAK-13998 ConditionalRoleAuthenticator doesn't work with composite roles
2020-05-05 08:39:04 +02:00
Michael Riedmann
b3a88d6509
[KEYCLOAK-13995] fixed ClientMappers update capabilities of Admin REST API endpoint.
2020-05-04 17:13:57 +02:00
stianst
48b1b2b7de
KEYCLOAK-14043 Fixes for authz due to security header spi changes
2020-05-04 14:11:01 +02:00
Erik Jan de Wit
435815249b
KEYCLOAK-12783 changed to base account url for new console
2020-05-04 07:16:15 -04:00
Hynek Mlnarik
32f13016fa
KEYCLOAK-12874 Align Destination field existence check with spec
2020-05-04 09:19:44 +02:00
cc
8876294a72
[KEYCLOAK-13964] exported realm should include keycloak version, not Project/product version
...
The exported realm json file includes a field named "KeycloakVersion", which is assigned
Version.Version. In community edition, Version.Version is identical to Version.KeycloakVersion.
If we rebrand product based on keycloak project, Version.Version will be Product version, while
keycloak codes expect exported realm file including KeycloakVersion for normal migrating.
For RHSSO product, there are somes codes in class MigrationModelManager for converting the right
KeycloakVersion.
From semantic point, a field named "KeycloakVersion" should be assigned variable named "KeycloakVersion".
2020-04-30 12:41:40 +02:00
Martin Kanis
aa309b96a8
KEYCLOAK-13682 NPE when refreshing token after enabling consent
2020-04-30 08:46:21 +02:00
stianst
a77c35ea8f
KEYCLOAK-14009 Add fix for token revocation endpoint
2020-04-29 17:22:25 +02:00
Pedro Igor
601bf8d63e
[KEYCLOAK-12735] - Improving queries and cache for authz
2020-04-29 03:58:03 +02:00
Yoshiyuki Tabata
874642fe9e
KEYCLOAK-12406 Add "Client Session Max" and "Client Session Idle" for OIDC
2020-04-28 15:34:25 +02:00
stianst
5b017e930d
KEYCLOAK-13128 Security Headers SPI and response filter
2020-04-28 15:28:24 +02:00
Yoshiyuki Tabata
b40c12c712
KEYCLOAK-5325 Provide OAuth token revocation capability
2020-04-28 15:25:22 +02:00
Erik Jan de Wit
e093fa218d
Fixed console for test
2020-04-27 09:09:31 -04:00
Erik Jan de Wit
7580be8708
KEYCLOAK-13121 added the basic functionality
2020-04-27 09:09:31 -04:00
Stefan Guilhen
da1138a8d2
[KEYCLOAK-13005] Make sure the master URL is used if the consumer POST or REDIRECT URL is an empty string
...
- Fixes issue where admin console sets an empty string when the consumer POST or REDIRECT URL is deleted
2020-04-27 14:25:03 +02:00
Pedro Igor
44b489b571
[KEYCLOAK-13656] - Deny request if requested scope is not associated to resource or any typed resources
2020-04-27 08:39:38 +02:00
Martin Idel
7e8018c7ca
KEYCLOAK-11862 Add Sync mode option
...
- Store in config map in database and model
- Expose the field in the OIDC-IDP
- Write logic for import, force and legacy mode
- Show how mappers can be updated keeping correct legacy mode
- Show how mappers that work correctly don't have to be modified
- Log an error if sync mode is not supported
Fix updateBrokeredUser method for all mappers
- Allow updating of username (UsernameTemplateMapper)
- Delete UserAttributeStatementMapper: mapper isn't even registered
Was actually rejected but never cleaned up: https://github.com/keycloak/keycloak/pull/4513
The mapper won't work as specified and it's not easy to tests here
- Fixup json mapper
- Fix ExternalKeycloakRoleToRoleMapper:
Bug: delete cannot work - just delete it. Don't fix it in legacy mode
Rework mapper tests
- Fix old tests for Identity Broker:
Old tests did not work at all:
They tested that if you take a realm and assign the role,
this role is then assigned to the user in that realm,
which has nothing to do with identity brokering
Simplify logic in OidcClaimToRoleMapperTests
- Add SyncMode tests to most mappers
Added tests for UsernameTemplateMapper
Added tests to all RoleMappers
Add test for json attribute mapper (Github as example)
- Extract common test setup(s)
- Extend admin console tests for sync mode
Signed-off-by: Martin Idel <external.Martin.Idel@bosch.io>
2020-04-24 15:54:32 +02:00
Pedro Igor
8f5e58234e
[KEYCLOAK-11317] - IDP review profile allows empty username
2020-04-24 10:52:59 -03:00
Martin Kanis
a04c70531a
KEYCLOAK-9623 Disabling logged in user will not allow other user to login after he is thrown out of his session
2020-04-23 14:40:25 +02:00
Takashi Norimatsu
8513760e25
KEYCLOAK-12176 WebAuthn: show the attestation statement format in the admin console
2020-04-23 10:01:19 +02:00
Thomas Darimont
12e53e6f11
KEYCLOAK-11003 Remove UPDATE_PASSWORD RequiredAction on non-temporary password reset
...
We now remove a potentially existing UPDATE_PASSWORD action when
explicitly assigning a non-temporary password.
Adapted tests to use a temporary password when UpdatePassword required actions
were used.
2020-04-22 10:59:49 +02:00
Thomas Darimont
f9f71039ae
KEYCLOAK-13566 ValidateUsername should raise USER_NOT_FOUND event if the user lookup fails
2020-04-21 21:11:11 +02:00
Pedro Igor
cbab159aa8
[KEYCLOAK-8071] - Properly validating requested scopes
2020-04-21 12:23:59 +02:00
mposolda
821405e175
KEYCLOAK-10852 Inconsistency when using 'forgot password' after changing email directly in LDAP
2020-04-16 12:28:41 +02:00
Pedro Igor
21597b1ff2
[KEYCLOAK-13581] - Fixing client pagination when permission is enabled
2020-04-14 16:57:27 -03:00
stianst
97b5654690
KEYCLOAK-13285 Enable check identity for email
2020-04-14 19:22:57 +02:00
Pedro Igor
b60b85ab65
[KEYCLOAK-7450] - Match subject when validating id_token returned from external OP
2020-04-06 13:43:19 +02:00
mduchrow
75acc27706
KEYCLOAK-13339 NPE when removing credentials and user cache is disabled
2020-03-31 17:14:34 +02:00
mposolda
6f62c0ed98
KEYCLOAK-13442 Backwards compatibility in users searching. searchForUser(String, RealmModel, int, int) is no longer called when searching users from the admin console
2020-03-27 13:29:55 +01:00
Pedro Igor
b812159193
[KEYCLOAK-10675] - Deleting an Identity Provider doesn't remove the associated IdP Mapper for that user
2020-03-26 11:41:17 +01:00
Pedro Igor
1b8369c7d5
[KEYCLOAK-13385] - Better message when saving a provider with invalid URLs
2020-03-26 08:46:44 +01:00
mposolda
5ddd605ee9
KEYCLOAK-13259
2020-03-24 05:32:41 +01:00
mposolda
9474dd6208
KEYCLOAK-12986 BruteForceProtector does not log failures when login failure in PostBroker flow
2020-03-24 05:32:10 +01:00
Martin Kanis
e6e0e6945d
KEYCLOAK-12156 LogoutEndpoint does not verify token type of id_token_hint
...
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2020-03-24 05:31:36 +01:00
mposolda
3e82473a90
KEYCLOAK-13369 Not possible to move groups in admin console
2020-03-23 10:17:23 +01:00
Dmitry Telegin
3b24465141
KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking ( #6828 )
...
* KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking
* KEYCLOAK-12870: always allow to choose user if password reset is called from first broker login flow
* KEYCLOAK-12870: remove "already authenticated as different user" check and message
* KEYCLOAK-12870: translations
* KEYCLOAK-12870: fix tests
2020-03-20 07:41:35 +01:00
rmartinc
a8e74196d1
KEYCLOAK-4923: Client Service Account Roles are not exported
2020-03-19 11:38:33 -03:00
Takashi Norimatsu
fc58af1365
KEYCLOAK-12696 Upgrade to webauthn4j 0.10.2.RELEASE
2020-03-18 10:56:51 +01:00
Stan Silvert
fff8571cfd
KEYCLOAK-12768: Prevent reserved characters in URLs
2020-03-18 07:40:24 +01:00
stianst
aece5d1b4c
KEYCLOAK-5162 Add index to even table
2020-03-17 17:05:21 +01:00
mposolda
56d1ab19a8
KEYCLOAK-11412 Display more nice error message when creating top level group with same name
2020-03-16 21:03:46 +01:00
mposolda
d7688f6b12
KEYCLOAK-12869 REST sends credential type when no credential exists and credential disabled
2020-03-16 21:02:40 +01:00
Stan Silvert
1f1ed36b71
KEYCLOAK-9782: Do not allow duplicate group name when updating
2020-03-13 10:13:45 -04:00
Sebastian Laskawiec
8774a0f4ba
KEYCLOAK-12881 KEYCLOAK-13099 Update FederatedIdentities and Groups on POST
2020-03-12 14:57:02 +01:00
mposolda
72e4690248
KEYCLOAK-13174 Not possible to delegate creating or deleting OTP credential to userStorage
2020-03-11 12:51:56 +01:00
rmartinc
ad3b9fc389
KEYCLOAK-12579: LDAP groups duplicated during UI listing of user groups
2020-03-11 06:14:29 +01:00
mposolda
bc1146ac2f
KEYCLOAK-10029 Offline token migration fix. Always test offline-token migration when run MigrationTest
2020-03-10 20:38:16 +01:00
Pedro Igor
b7a395a3ef
[KEYCLOAK-11345] - Test basic features of Keycloak.X with current tetsuite
2020-03-10 15:59:35 +01:00
Phy
2b35321b7c
KEYCLOAK-13253 read rpId from policy in WebAuthnAuthenticator
...
A new method, getRpID, is created.
2020-03-09 17:04:26 +01:00
Sebastian Schuster
99aba33980
KEYCLOAK-13163 Fixed searching for user with fine-grained permissions
2020-03-09 09:56:13 -03:00
mabartos
a1bbab9eb2
KEYCLOAK-12799 Missing Cancel button on The WebAuthn setup screen when using AIA
2020-03-05 15:04:38 +01:00
stianst
b84160786b
KEYCLOAK-12885 Make sure empty protocol in client scope doesn't result in NPE in well-known endpoint
2020-03-05 13:43:46 +01:00
Pedro Igor
23b4aee445
[KEYCLOAK-13056] - Searching clients with reduced permissions results in 403
2020-03-05 13:39:25 +01:00
stianst
75a772f52b
KEYCLOAK-10967 Add JSON body methods for test ldap and smtp connections. Deprecate old form based methods.
2020-03-05 10:07:58 +01:00
stianst
b39b84c5dc
KEYCLOAK-13102 Remove error log message on invalid response_type
2020-03-05 08:47:12 +01:00
Pedro Igor
2f489a41eb
[KEYCLOAK-12192] - Missing Input Validation in IDP Authorization URLs
2020-03-05 06:32:35 +01:00
stianst
bcb542d9cc
KEYCLOAK-13116 Fix backwards compatilbity changes in LocaleSelectorSPI
2020-03-04 06:39:24 +01:00
Douglas Palmer
dfb67c3aa4
[KEYCLOAK-12980] Username not updated when "Email as username" is enabled
2020-03-03 10:26:35 +01:00
Pedro Igor
49b1dbba68
[KEYCLOAK-11804] - Block service accounts to authenticate or manage credentials
2020-03-03 06:48:02 +01:00
Stefan Guilhen
3fa8a5aa88
[KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
...
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-03-03 06:48:02 +01:00
Hynek Mlnarik
f45f882f0c
KEYCLOAK-11903 Test for XSW attacks
2020-03-02 21:26:13 +01:00
vramik
7c91e36e43
KEYCLOAK-10898 WildFly Adapter CLI based installation scripts
2020-03-02 10:08:45 +01:00
Hynek Mlnarik
aecfe251e4
KEYCLOAK-12816 Fix representation to model conversion
2020-02-27 21:11:24 +01:00
Douglas Palmer
85d7216228
[KEYCLOAK-12640] Client authorizationSettings.decisionStrategy value lost on realm import
2020-02-27 09:45:48 -03:00
Stian Thorgersen
26c166d965
Update OIDCIdentityProvider.java
2020-02-27 09:13:29 +01:00
Pedro Igor
a830818a84
[KEYCLOAK-12794] - Missing id token checks in oidc broker
2020-02-27 09:13:29 +01:00
Thomas Darimont
469bca624b
KEYCLOAK-10953 Avoid NPE when Updating Clients via Admin REST API
2020-02-27 09:09:32 +01:00
Thomas Darimont
f426ed6de6
KEYCLOAK-7961 Avoid sending back-channel logout requests to disabled clients
2020-02-27 09:08:09 +01:00
Pedro Igor
1c71eb93db
[KEYCLOAK-11576] - Properly handling redirect_uri parser errors
2020-02-27 08:29:06 +01:00
stianst
950eae090f
KEYCLOAK-13054 Unblock temporarily disabled user on password reset, and remove invalid error message
2020-02-27 08:05:46 +01:00
Martin Bartoš
eaaff6e555
KEYCLOAK-12958 Preview feature profile for WebAuthn ( #6780 )
...
* KEYCLOAK-12958 Preview feature profile for WebAuthn
* KEYCLOAK-12958 Ability to enable features having EnvironmentDependent providers without restart server
* KEYCLOAK-12958 WebAuthn profile product/project
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2020-02-26 08:45:26 +01:00
Peter Skopek
5db98a58d3
KEYCLOAK-12826 WebAuthn fails to login user when their security key supports "user handle"
2020-02-20 09:19:09 +01:00
stianst
9e47022116
KEYCLOAK-8044 Clear theme caches on hot-deploy
2020-02-20 08:50:10 +01:00
stianst
d8d81ee162
KEYCLOAK-12268 Show page not found for /account/log if events are disabled for the realm
2020-02-20 08:49:30 +01:00
stianst
06576a44c9
KEYCLOAK-13032 Add no cache headers to account form service
2020-02-19 15:47:18 +01:00
stianst
536824beb6
KEYCLOAK-12960 Use Long for time based values in JsonWebToken
2020-02-19 15:46:05 +01:00
Stefan Guilhen
7a3998870c
[KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
...
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-02-18 16:38:19 -03:00
mposolda
eeeaafb5e7
KEYCLOAK-12858 Authenticator is sometimes required even when configured as alternative
2020-02-18 09:05:59 +01:00
Thomas Darimont
67ddd3b0eb
KEYCLOAK-12926 Improve Locale based message lookup
...
We now consider intermediate Locales when performing a Locale based
ResourceBundle lookup, before using an Locale.ENGLISH fallback.
Co-authored-by: stianst <stianst@gmail.com>
2020-02-18 08:43:46 +01:00
mposolda
a76c496c23
KEYCLOAK-12860 KEYCLOAK-12875 Fix for Account REST Credentials to work with LDAP and social users
2020-02-14 20:24:42 +01:00
stianst
f0e3122792
KEYCLOAK-12953 Ignore empty realm frontendUrl
2020-02-14 11:33:07 +01:00
stianst
42773592ca
KEYCLOAK-9632 Improve handling of user locale
2020-02-14 08:32:20 +01:00
stianst
4b09a4a2af
KEYCLOAK-12993 AuthorizationBean invokes ResolveRelative.resolveRelativeUri with null as the value for KeycloakSession
2020-02-13 16:45:06 +01:00
Pedro Igor
7efaf9869a
[KEYCLOAK-12864] - OIDCIdentityProvider with Reverse Proxy
2020-02-13 15:01:10 +01:00
Peter Zaoral
b0ffea699e
KEYCLOAK-12186 Improve the OTP login form
...
-created and implemented login form design, where OTP device can be selected
-implemented selectable-card-view logic in jQuery
-edited related css and ftl theme resources
-fixed affected BrowserFlow tests
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2020-02-12 11:25:02 +01:00
Peter Skopek
622a97bd1c
KEYCLOAK-12228 Sensitive Data Exposure
...
from patch of hiba haddad haddadhiba0@gmail.com
2020-02-12 09:57:31 +01:00
stianst
3c0cf8463a
KEYCLOAK-12821 Check if action is disabled in realm before executing
2020-02-12 09:04:43 +01:00
stianst
0b8adc7874
KEYCLOAK-12921 Fix NPE in client validation on startup
2020-02-12 08:23:25 +01:00
stianst
dda829710e
KEYCLOAK-12829 Require PKCE for admin and account console
2020-02-12 08:22:20 +01:00
Thomas Darimont
7969aed8e0
KEYCLOAK-10931 Trigger UPDATE_PASSWORD event on password update via AccountCredentialResource
2020-02-11 19:51:58 +01:00
Martin Kanis
1d54f2ade3
KEYCLOAK-9563 Improve access token checks for userinfo endpoint
2020-02-11 15:09:21 +01:00
stianst
ecec20ad59
KEYCLOAK-12193 Internal error message returned in error response
2020-02-07 18:10:41 +01:00
mabartos
a5d02d62c1
KEYCLOAK-12908 TOTP not accepted in request for Access token
2020-02-07 13:17:05 +01:00
stianst
7545749632
KEYCLOAK-12190 Add validation for client root and base URLs
2020-02-07 09:09:40 +01:00
Pedro Igor
fc514aa256
[KEYCLOAK-12792] - Invalid nonce handling in OIDC identity brokering
2020-02-06 13:16:01 +01:00
Dmitry Telegin
b6c5acef25
KEYCLOAK-7969 - SAML users should not be identified by SAML:NameID
2020-02-06 08:53:31 +01:00
Martin Bartoš
7dec314ed0
KEYCLOAK-12900 NullPointerException during WebAuthn Registration ( #6732 )
2020-02-05 17:01:36 +01:00
Axel Messinese
b73553e305
Keycloak-11526 search and pagination for roles
2020-02-05 15:28:25 +01:00
rmartinc
d39dfd8688
KEYCLOAK-12654: Data to sign is incorrect in redirect binding when URI has parameters
2020-02-05 11:30:28 +01:00
Martin Bartoš
b0c4913587
KEYCLOAK-12177 KEYCLOAK-12178 WebAuthn: Improve usability ( #6710 )
2020-02-05 08:35:47 +01:00
Thomas Darimont
42fdc12bdc
KEYCLOAK-8573 Invalid client credentials should return Unauthorized status ( #6725 )
2020-02-05 08:27:15 +01:00
Thomas Darimont
d417639cb8
KEYCLOAK-11033 Avoid NPE in password endpoint of AccountCredentialResource ( #6721 )
...
Added additional null guard since some credentials provide might not
maintain a "CreatedDate" for a password credentials.
2020-02-04 16:01:27 +01:00
rmartinc
5b9eb0fe19
KEYCLOAK-10884: Need clock skew for SAML identity provider
2020-02-03 22:00:44 +01:00
Jan Lieskovsky
b532570747
[KEYCLOAK-12168] Various setup TOTP screen usability improvements ( #6709 )
...
On both the TOTP account and TOTP login screens perform the following:
* Make the "Device name" label optional if user registers the first
TOTP credential. Make it mandatory otherwise,
* Denote the "Authenticator code" with asterisk, so it's clear it's
required field (always),
* Add sentence to Step 3 of configuring TOTP credential explaining
the user to provide device name label,
Also perform other CSS & locale / messages file changes, so the UX is
identical when creating OTP credentials on both of these pages
Add a corresponding testcase
Also address issues pointed out by mposolda's review. Thanks, Marek!
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-02-03 19:34:28 +01:00
Marek Posolda
154bce5693
KEYCLOAK-12340 KEYCLOAK-12386 Regression in credential handling when … ( #6668 )
2020-02-03 19:23:30 +01:00
Leon Graser
01a42f417f
Search and Filter for the count endpoint
2020-02-03 09:36:30 +01:00
Pedro Igor
ed2d392a3d
[KEYCLOAK-9666] - Entitlement request with service account results in server error
2020-02-03 08:57:56 +01:00
Pedro Igor
658a083a0c
[KEYCLOAK-9600] - Find by name in authz client returning wrong resource
2020-02-03 08:57:20 +01:00
rmartinc
1989483401
KEYCLOAK-12001: Audience support for SAML clients
2020-01-31 15:56:40 +01:00
Marek Posolda
d8e450719b
KEYCLOAK-12469 KEYCLOAK-12185 Implement nice design to the screen wit… ( #6690 )
...
* KEYCLOAK-12469 KEYCLOAK-12185 Add CredentialTypeMetadata. Implement the screen with authentication mechanisms and implement Account REST Credentials API by use the credential type metadata
2020-01-31 14:28:23 +01:00
Stan Silvert
6ac5a2a17e
[KEYCLOAK-12744] rh-sso-preview theme for product build
...
* change logo for RH-SSO
* Small fixes to rh-sso-preview theme
* rh-sso-preview theme
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2020-01-31 08:16:52 -03:00
Pedro Igor
c37ca235ab
[KEYCLOAK-11352] - Can't request permissions by name by a non-owner resource service, although the audience is set
2020-01-30 11:36:21 +01:00
stianst
2916af351a
KEYCLOAK-12712 Add thread-safety for provider hot-deployment
2020-01-29 14:06:11 +01:00
stianst
a3e5f9d547
KEYCLOAK-12736 Set time for admin events in milliseconds, instead of converted seconds
2020-01-29 14:05:22 +01:00
Marek Posolda
d46620569a
KEYCLOAK-12174 WebAuthn: create authenticator, requiredAction and policy for passwordless ( #6649 )
2020-01-29 09:33:45 +01:00
Takashi Norimatsu
993ba3179c
KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT ( #6633 )
2020-01-28 14:55:48 +01:00
Stian Thorgersen
87cab778eb
KEYCLOAK-11996 Authorization Endpoint does not return an error when a request includes a parameter more than once ( #6696 )
...
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2020-01-24 12:10:56 +01:00
Thomas Darimont
303861f7e8
KEYCLOAK-10003 Fix handling of request parameters for SMTP Connection Test
...
We now transfer the SMTP connection configuration via HTTP POST
request body parameters instead of URL parameters.
The improves handling of SMTP connection configuration values with
special characters. As a side effect sensitive information like SMTP
credentials are now longer exposed via URL parameters.
Previously the SMTP connection test send the connection parameters
as encoded URL parameters in combination with parameters in the request body.
However the server side endpoint did only look at the URL parameters.
Certain values, e.g. passwords with + or ; could lead to broken URL parameters.
2020-01-23 13:19:31 -06:00
Leon Graser
f1ddd5016f
KEYCLOAK-11821 Add account api roles to the client on creation
...
Co-authored-by: stianst <stianst@gmail.com>
2020-01-23 13:10:04 -06:00
Benjamin Weimer
dd9ad305ca
KEYCLOAK-12757 New Identity Provider Mapper "Advanced Claim to Role Mapper" with
...
following features
* Regex support for claim values.
* Support for multiple claims.
2020-01-23 07:17:22 -06:00
Stan Silvert
210fd92d23
KEYCLOAK-11550: Signing In page
2020-01-23 07:35:09 -05:00
Domenico Briganti
812b69af13
KEYCLOAK-9837 Not hide exception in email templating - clean code
2020-01-23 05:45:25 -06:00
Domenico Briganti
f07e08ef28
KEYCLOAK-9837 Not hide exception in email templating - Throws always an Exception
2020-01-23 05:45:25 -06:00
Domenico Briganti
476da4f276
KEYCLOAK-9837 Not hide exception in email templating
2020-01-23 05:45:25 -06:00
Captain-P-Goldfish
b90a0307ea
Add certificate timestamp validation ( #6330 )
...
KEYCLOAK-11818 Add certificate timestamp validation
2020-01-22 20:53:06 +01:00
vmuzikar
03306b87e8
KEYCLOAK-12125 Introduce SameSite attribute in cookies
...
Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: Peter Skopek <pskopek@redhat.com>
2020-01-17 08:36:53 -03:00
Martin Bartos RH
d3f6937a23
[KEYCLOAK-12426] Add username to the login form + ability to reset login
2020-01-17 09:40:13 +01:00
mposolda
85dc1b3653
KEYCLOAK-12426 Add username to the login form + ability to reset login - NOT DESIGN YET
2020-01-17 09:40:13 +01:00
Tomas Kyjovsky
05c428f6e7
KEYCLOAK-12295 After password reset, the new password has low priority ( #6653 )
2020-01-16 09:11:25 +01:00
k-tamura
562dc3ff8c
KEYCLOAK-10659 Proxy authentication support for proxy-mappings
2020-01-15 13:29:54 +01:00
Martin Bartoš
5aab03d915
[KEYCLOAK-12184] Remove BACK button from login forms ( #6657 )
2020-01-15 12:25:37 +01:00
Axel Messinese
789e8c70ce
KEYCLOAK-12630 full representation param for get groups by user endpoint
2020-01-15 10:14:52 +01:00
Axel Messinese
72aff51fca
KEYCLOAK-12670 inconsistent param name full to briefRepresentation
2020-01-15 08:32:57 +01:00
Marek Posolda
8d49409de1
KEYCLOAK-12183 Refactor login screens. Introduce try-another-way link. Not show many credentials of same type in credential selector ( #6591 )
2020-01-14 21:54:45 +01:00
k-tamura
221aad9877
KEYCLOAK-11511 Improve exception handling of REST user creation
2020-01-14 13:34:34 +01:00
mhajas
a79d6289de
KEYCLOAK-11416 Fix nil AttributeValue handling
2020-01-10 12:47:09 +01:00
Viswa Teja Nariboina
5082ed2fcb
[ KEYCLOAK-12606 ] Passing email in login_hint query parameter during Identity brokering fails when an account already exists
2020-01-09 10:40:42 +01:00
Pedro Igor
03bbf77b35
[KEYCLOAK-12511] - Mapper not visible in client's mapper list
2020-01-09 10:25:06 +01:00
Thomas Darimont
062cbf4e0a
KEYCLOAK-9925 Use Client WebOrigins in UserInfoEndpoint
...
We now use the allowed WebOrigins configured for the client
for which the user info is requested.
Previously, Web Origins defined on the Client were not being recognized
by the /userinfo endpoint unless you apply the "Allowed Web Origins"
protocol mapper.
This was an inconsistency with how the Web Origins work compared
with the /token endpoint.
2020-01-09 10:10:59 +01:00
Pedro Igor
709cbfd4b7
[KEYCLOAK-10705] - Return full resource representation when querying policies by id
2020-01-09 10:00:24 +01:00
Pedro Igor
9fd7ab81f0
[KEYCLOAK-10407] - Avoiding redundant calls on identity.getid
2020-01-09 09:56:48 +01:00
Manfred Duchrow
f926529767
KEYCLOAK-12616 Vault unit test always failes on Windows
2020-01-07 20:55:50 +01:00
Hynek Mlnarik
f7379086e0
KEYCLOAK-12619 Improve mapped byte buffer cleanup
2020-01-07 16:07:43 +01:00
Thomas Darimont
54b69bd1dc
KEYCLOAK-10190 Fix NPE on missing clientSession in TokenEndpoint.codeToToken
...
In certain scenarios, e.g. when an auth code from another realm login is
used to perform the code to token exchange, it can happen that the
ClientSession is null which triggered an NPE when the userSession field is accessed.
Added null check for clientSession in TokenEndpoint.codeToToken to prevent an NPE.
2020-01-06 14:45:20 +01:00
Thomas Darimont
1a7aeb9b20
KEYCLOAK-8249 Improve extraction of Bearer tokens from Authorization headers ( #6624 )
...
We now provide a simple way to extract the Bearer token string from
Authorization header with a null fallback.
This allows us to have more fine grained error handling for the
various endpoints.
2020-01-06 13:58:52 +01:00
rmartinc
401d36b446
KEYCLOAK-8779: Partial export and import to an existing realm is breaking clients with service accounts
2019-12-27 15:59:38 -03:00
Thomas Darimont
0219d62f09
KEYCLOAK-6867 UserInfoEndpoint should return WWW-Authenticate header for Invalid tokens
...
As required by the OIDC spec (1) we now return a proper WWW-Authenticate
response header if the given token is invalid.
1) https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
2019-12-23 07:42:06 -03:00
Andrei Arlou
eed4847469
KEYCLOAK-12311 Fix minor warnings with collections in packages: forms, keys, partialimport, protocol from module "services"
2019-12-20 13:31:38 +01:00
Peter Skopek
7a14661fce
KEYCLOAK-6115 Login fails if federated user is read-only and has selected a locale on the login screen
2019-12-19 14:36:50 +01:00
Andrei Arlou
aceb123242
KEYCLOAK-12417 Fix minor warnings in tests from module "services"
2019-12-19 10:51:37 +01:00
Andrei Arlou
697eaa4f36
KEYCLOAK-12309 Fix warnings with collections in packages:
...
authentification, authorization, broker, email, events, exportimport from module "services"
2019-12-18 14:02:27 +01:00
Andrei Arlou
bb156fb2fd
KEYCLOAK-12317 Fix minor warnings with modificators in packages: authentication, authorization, keys, partialimport, protocol from module "services"
2019-12-18 13:26:27 +01:00
Andrei Arlou
c61cc1a493
KEYCLOAK-12316 Simplify conditions in packages: authentication, broker, credential, protocol from module "services"
2019-12-18 13:22:36 +01:00
Stefan Guilhen
9f69386a53
[KEYCLOAK-11707] Add support for Elytron credential store vault
...
- Adds the elytron-cs-keystore provider that reads secrets from a keystore-backed elytron credential store
- Introduces an abstract provider and factory that unifies code that is common to the existing implementations
- Introduces a VaultKeyResolver interface to allow the creation of different algorithms to combine the realm
and key names when constructing the vault entry id
- Introduces a keyResolvers property to the existing implementation via superclass that allows for the
configuration of one or more VaultKeyResolvers, creating a fallback mechanism in which different key formats
are tried in the order they were declared when retrieving a secret from the vault
- Adds more tests for the files-plaintext provider using the new key resolvers
- Adds a VaultTestExecutionDecider to skip the elytron-cs-keystore tests when running in Undertow. This is
needed because the new provider is available only as a Wildfly extension
2019-12-18 11:54:06 +01:00
harture
26458125cb
[KEYCLOAK-12254] Fix re-evaluation of conditional flow ( #6558 )
2019-12-18 08:45:11 +01:00
Douglas Palmer
106e6e15a9
[KEYCLOAK-11859] Added option to always display a client in the accounts console
2019-12-17 17:12:49 -03:00
jacac
3ae508e1b9
KEYCLOAK-12425 Encode userid with Base64Url. ( #6585 )
2019-12-16 20:40:27 +01:00
Douglas Palmer
af0594b58d
[KEYCLOAK-12463] Fixed missing consents
2019-12-12 17:27:54 -03:00
Douglas Palmer
f9fa5b551d
[KEYCLOAK-5628] Added application endpoint
2019-12-11 13:06:04 -03:00
Martin Bartoš
2cf6483cdf
[KEYCLOAK-12044] Fix messages in the UsernameForm ( #6548 )
2019-12-11 10:59:46 +01:00
Dmitry Telegin
56aa14ffab
KEYCLOAK-11347 - MicroProfile-Config
2019-12-10 12:08:22 +01:00
Denis Richtárik
48bddc37ae
KEYCLOAK-12011 Remove cancel button from OTP form ( #6511 )
...
* KEYCLOAK-12011 Remove cancel button from OTP form
* Remove back button
2019-12-09 19:23:26 +01:00
Dmitry Telegin
e2144d6aec
KEYCLOAK-12175 - Platform SPI
2019-12-09 09:55:04 +01:00
Yoshiyuki Tabata
b2664c7ef9
KEYCLOAK-12094 "client-session-stats" not search null client information ( #6554 )
2019-12-06 10:37:25 +01:00
Martin Bartoš
e405ce6e97
[KEYCLOAK-11824] Fix bug with only one value of the authentication model execution requirement ( #6570 )
2019-12-05 18:28:00 +01:00
Andrei Arlou
fb421d3086
KEYCLOAK-12262 Remove unused imports from packages "authorization" and "authentification" in module "services" ( #6547 )
2019-12-05 14:39:03 +01:00
Andrei Arlou
da7e0ba403
KEYCLOAK-12310 Remove unused imports from packages: exportimport, forms, jose, partialimport, protocol in module "services" ( #6560 )
2019-12-05 14:28:47 +01:00
Cristian Schuszter
5c7ce775cf
KEYCLOAK-11472 Pagination support for clients
...
Co-authored-by: stianst <stianst@gmail.com>
2019-12-05 08:17:17 +01:00
vmuzikar
072cd9f93f
KEYCLOAK-12329 Fix linking accounts in the new Account Console
2019-12-03 18:49:40 -03:00
Martin Kanis
73d1a26040
KEYCLOAK-11773 Front-channel logout with identity brokering does not work after browser restart
2019-12-03 08:17:54 +01:00
harture
129c689855
[KEYCLOAK-12253] Fix conditional authenticators are evaluated even if they are disabled ( #6553 )
2019-11-28 09:30:31 +01:00
Stan Silvert
de6f90b43b
KEYCLOAK-11550: Single page for credentials (initial commit)
2019-11-27 07:32:13 -03:00
rmartinc
82ef5b7927
KEYCLOAK-12000: Allow overriding time lifespans on a SAML client
2019-11-26 10:02:34 +01:00
Dmitry Telegin
79074aa380
KEYCLOAK-12162 Modularize config backends ( #6499 )
...
* KEYCLOAK-12162 - Modularize configuration backends
* - Use JsonSerialization
- simplify backend selection (no fallbacks)
* Remove unused org.wildfly.core:wildfly-controller dependency
2019-11-22 15:23:04 +01:00
Yoshiyuki Tabata
0a9d058b81
KEYCLOAK-12150 change error response from invalid_request to unsupported_grant_type
2019-11-22 11:11:07 +01:00
Yoshiyuki Tabata
a36cfee84b
KEYCLOAK-12149 change error response from invalid_grant to unauthorized_client
2019-11-22 11:10:16 +01:00
Yoshiyuki Tabata
4117710379
KEYCLOAK-12019 change error response from unsupported_response_type to unauthorized_client
2019-11-22 11:03:02 +01:00
Vidhyadharan Deivamani
9e366f0453
KEYCLOAK-8162 review comment adopted
2019-11-22 10:37:50 +01:00
Vidhyadharan Deivamani
318b290f55
KEYCLOAK-8162 Added resourcesPath
2019-11-22 10:37:50 +01:00
Fuxin Hao
ff4c94506f
use reCAPTCHA globally
2019-11-22 10:22:15 +01:00
Stan Silvert
ea268af511
KEYCLOAK-12159: AIA and Logout broken in new acct console
2019-11-21 09:35:46 -03:00
stianst
3731e36ece
KEYCLOAK-12069 Add account-console client for new account console
2019-11-20 08:48:40 -05:00
Stefan Guilhen
9a7c1a91a5
KEYCLOAK-10780 Stop creating placeholder e-mails for service accounts ( #228 )
2019-11-15 15:08:29 +01:00
k-tamura
43e2370f21
KEYCLOAK-11772 Fix temporary credential property to work correctly
2019-11-15 08:48:12 +01:00
AlistairDoswald
4553234f64
KEYCLOAK-11745 Multi-factor authentication ( #6459 )
...
Co-authored-by: Christophe Frattino <christophe.frattino@elca.ch>
Co-authored-by: Francis PEROT <francis.perot@elca.ch>
Co-authored-by: rpo <harture414@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Denis <drichtar@redhat.com>
Co-authored-by: Tomas Kyjovsky <tkyjovsk@redhat.com>
2019-11-14 14:45:05 +01:00
Stan Silvert
d439f4181a
KEYCLOAK-6503: Linked Accounts Page
2019-11-14 07:39:43 -03:00
Martin Kanis
25511d4dbf
KEYCLOAK-9651 Wrong ECDSA signature R and S encoding
2019-11-13 15:32:51 +01:00
stianst
b8881b8ea0
KEYCLOAK-11728 New default hostname provider
...
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2019-11-11 12:25:44 +01:00
stianst
062841a059
KEYCLOAK-11898 Refactor AIA implementation
2019-11-08 16:03:07 -03:00
stianst
63abebd993
KEYCLOAK-11627 Require users to re-authenticate before invoking AIA
2019-11-08 16:03:07 -03:00
stianst
bc5113053d
KEYCLOAK-11897 Change kc_action parameter to proper built-in parameter
2019-11-08 16:03:07 -03:00
stianst
1e66660fd0
KEYCLOAK-11896 Remove initiate-action role
2019-11-08 16:03:07 -03:00
Takashi Norimatsu
4574d37d8d
KEYCLOAK-11372 Support for attestation statement verification ( #6449 )
2019-11-08 09:15:28 +01:00
Stian Thorgersen
f14f92ab0b
KEYCLOAK-6073 Make adapters use discovery endpoint for URLs instead of hardcoding ( #6412 )
2019-11-06 10:34:35 +01:00
Stan Silvert
041229f9ca
KEYCLOAK-7429: Linked Accounts REST API
2019-11-05 16:03:21 -05:00
Takashi Norimatsu
ecae2c5772
KEYCLOAK-11743 Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency ( #6401 )
2019-11-05 09:23:09 +01:00
Miguel Paulos Nunes
aa44579a02
KEYCLOAK-9553 Performance optimization on role mappings retrieval.
2019-11-05 08:59:53 +01:00
Dmitry Telegin
203646627f
Use global bootstrap flag
2019-11-01 10:56:06 +01:00
Dmitry Telegin
b68e8323ed
KEYCLOAK-11785 - Support for deferred initialization
2019-11-01 10:56:06 +01:00
Gideon Caranzo
e07fd9ffa3
KEYCLOAK-9936 Added optional hooks for preprocessing SAML authentication
...
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2019-10-29 13:06:59 +01:00
Helge Olav Aarstein
d7a0597b1d
KEYCLOAK-9091 Fix for claims with dots from userInfo ( #6312 )
...
* KEYCLOAK-9091 Unable to map claim attributes with dots (.) in them when claims are retrieved from userInfo endpoint
2019-10-24 21:41:38 +02:00
pkokush
ff551c5545
KEYCLOAK-10307: check password history length in password verification ( #6058 )
2019-10-24 21:33:21 +02:00
Takashi Norimatsu
1905260eac
KEYCLOAK-11251 ES256 or PS256 support for Client Authentication by Signed JWT ( #6414 )
2019-10-24 17:58:54 +02:00
Pedro Igor
bb4ff55229
[KEYCLOAK-10868] - Deploy JavaScript code directly to Keycloak server
...
Conflicts:
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java
(cherry picked from commit 338fe2ae47a1494e786030eb39f908c964ea76c4)
2019-10-22 10:34:24 +02:00
Pedro Igor
bad9e29c15
[KEYCLOAK-10870] - Deprecate support for JavaScript policy support from UMA policy endpoint
...
Conflicts:
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
(cherry picked from commit 13923a7683cb666d2842bc61429c23409c1493b6)
2019-10-22 10:34:24 +02:00
Martin Kanis
0e0177136c
KEYCLOAK-9984 Remove org.apache.commons.* usages from the code
2019-10-22 09:48:15 +02:00
Martin Reinhardt
28748ebf3f
[KEYCLOAK-6376] Fix NPE and test setup
2019-10-21 10:41:04 +02:00
Martin Reinhardt
f18c8b9da5
[KEYCLOAK-6376] Switching to arquillian end2end tests
2019-10-21 10:41:04 +02:00
Martin Reinhardt
eed4449f8d
[KEYCLOAK-6376] Fixing Conditional OTP by reusing existing API for role checks
2019-10-21 10:41:04 +02:00
Kohei Tamura
59ba874e1d
KEYCLOAK-10945 Avoid lockout when clicking login twice
2019-10-21 10:36:16 +02:00
Pedro Igor
17785dac08
[KEYCLOAK-10714] - Add filtering support in My Resources endpoint by name
2019-10-16 16:26:55 +02:00
Sebastian Laskawiec
b6b7c11517
KEYCLOAK-11725 Removed VaultRealmModel from tests
2019-10-15 10:59:05 +02:00
stianst
c16cfe9696
Fixes for Quarkus
2019-10-15 10:57:54 +02:00
Sebastian Laskawiec
ea1b22daa7
KEYCLOAK-11227 Removed enabled/disabled flag from FileTruststoreProvider
2019-10-15 05:24:28 +02:00
stianst
52085da520
KEYCLOAK-11702 Remove RestEasy 4 dependencies from core codebase
2019-10-11 15:03:34 +02:00
mhajas
2f44c58a0d
KEYCLOAK-11495 Change name of PlaintextVaultProvider to FilesPlaintextVaultProvider
2019-10-09 14:48:00 +02:00
Pedro Igor
f0fb48fb76
[KEYCLOAK-11326] - Refactoring to support different versions of resteasy
2019-10-09 12:01:34 +02:00
Pedro Igor
a2e98b57f4
[KEYCLOAK-11326] - Refactoring to use types from JAX-RS API
2019-10-09 12:01:34 +02:00
Hisanobu Okuda
75a44696a2
KEYCLOAK-10636 Large Login timeout causes login failure
...
KEYCLOAK-10637 Large Login Action timeout causes login failure
2019-10-07 13:27:20 +02:00
vmuzikar
434ea0965c
KEYCLOAK-11632 Don't cache server info endpoint
2019-10-07 10:29:52 +02:00
Axel Messinese
f3607fd74d
KEYCLOAK-10712 get groups full representation endpoint
2019-10-03 11:26:30 +02:00
Takashi Norimatsu
66de87a211
KEYCLOAK-11253 Advertise acr claim in claims_supported Server Metadata
2019-10-03 11:25:45 +02:00
Niko Köbler
d0324d8098
KEYCLOAK-11566 add attribute resourceType to log output of admin events
2019-10-02 13:18:30 +02:00
Vincent Letarouilly
6b36e57593
KEYCLOAK-6698 - Add substitution of system properties and environment variables in theme.properties file
2019-10-01 16:34:54 +02:00
Takashi Norimatsu
6c9cf346c6
KEYCLOAK-11252 Implement Server Metadata of OAuth 2.0 Mutual TLS Client Authentication
2019-10-01 15:27:59 +02:00
Takashi Norimatsu
7c75546eac
KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
...
* KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
2019-10-01 15:17:38 +02:00
Jess Thrysoee
3b58692d7c
KEYCLOAK-11596 Enable template cache when cacheTemplates attribute is true
2019-10-01 14:37:48 +02:00
David Festal
d73a2b821c
Fix a NPE when using token-exchange
...
When using the preview token-exchange feature with the `openshit-v3` identity provider, a NPE is triggered, because it tries to extract the `metadata` field twice from the user profile:
```
13:17:13,667 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
.....
13:17:28,916 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
......
13:17:53,492 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
```
2019-10-01 14:23:46 +02:00
Mathieu CLAUDEL
2fb507e170
KEYCLOAK-10802 add support of SAMLv2 ForceAuthn
2019-09-27 09:55:54 +02:00
Yaroslav Kvasetskiy
622d049207
KEYCLOAK-10837 Add possibility to disable certificate verification for outgoing https connections
2019-09-26 08:12:09 -03:00
madgaet
0d12b8dd5a
[KEYCLOAK-11497] OIDC Idp authentication with private_key_jwt may not always work ( #6337 )
2019-09-25 23:10:07 +02:00
Hisanobu Okuda
da49dbce2b
KEYCLOAK-10770 user-storage/{id}/sync should return 400 instead of 404
2019-09-20 11:17:09 +02:00
mhajas
37b7b595a5
KEYCLOAK-11410 Do not throw exception in PlaintextVaultProvider if unconfigured
2019-09-19 14:56:19 +02:00
rradillen
b71198af9f
[KEYCLOAK-8575] oidc idp basic auth ( #6268 )
...
* [KEYCLOAK-8575] Allow to choose between basic auth and form auth for oidc idp
* uncomment ui and add tests
* move basic auth to abstract identity provider (except for getting refresh tokens)
* removed duplications
2019-09-19 14:36:16 +02:00
rmartinc
7f54a57271
KEYCLOAK-10757: Replaying assertion with signature in SAML adapters
2019-09-18 16:49:00 +02:00
farmersmurf
515727c944
fix: as discussed changed to NOT_ACCEPTABLE rather than OK to prevent INTERNAL SERVER ERROR on validation
2019-09-17 16:35:42 +02:00
farmersmurf
ae74335760
KEYCLOAK-10944 Fix 500 Error Code on Update Password
2019-09-17 16:35:42 +02:00
farmersmurf
b443c8186d
KEYCLOAK-10944 Fix 500 Error Code on Update Password
2019-09-17 16:35:42 +02:00
madgaet
c35718cb87
[KEYCLOAK-9809] Support private_key_jwt authentication for external IdP
2019-09-17 16:04:23 +02:00
Kohei Tamura
09671aa480
KEYCLOAK-11178 Suppress incorrect warnings
2019-09-13 10:21:20 +02:00
Shiva Prasad Thagadur Prakash
ff8b790549
KEYCLOAK-10022 Fixing few admin events not raised bug
2019-09-11 18:01:10 -03:00
Cédric Couralet
9c37da0ee9
KEYCLOAK-8818 Support message bundle in theme resources
2019-09-11 08:03:16 +02:00
mhajas
2703388946
KEYCLOAK-11245 Adapt LDAPConnectionTestManager to use newly introduced LDAPContextManager
2019-09-10 22:51:19 +02:00
mhajas
9c2525ec1a
KEYCLOAK-11245 Use transcription object for LDAP bindCredential
2019-09-09 19:39:53 +02:00
Martin Kanis
4235422798
KEYCLOAK-11246 Use the transcription object for SMTP password
2019-09-09 13:27:11 +02:00
Hynek Mlnarik
9eb2e1d845
KEYCLOAK-11028 Use pessimistic locks to prevent DB deadlock when deleting objects
2019-09-09 10:57:49 +02:00
rmartinc
a726e625e9
KEYCLOAK-10782: Credentials tab on clients can only be displayed with view-realm
2019-09-06 16:45:08 -03:00
Martin Kanis
b1be6c2bdd
KEYCLOAK-11247 Use the transcription object for Identity providers password
2019-09-06 15:29:11 +02:00
Cédric Couralet
aadd5331bc
[KEYCLOAK-11219] log an explicit error message when state is null
2019-09-06 10:59:28 +02:00
Pedro Igor
a1d8850373
[KEYCLOAK-7416] - Device Activity
2019-09-05 11:43:27 -03:00
Sebastian Laskawiec
69d6613ab6
KEYCLOAK-10169 OpenShift 4 Identity Provider
2019-09-05 16:33:59 +02:00
Stefan Guilhen
bb9c811a65
[KEYCLOAK-10935] Add a vault transcriber implementation that can be obtained from the session.
...
- automatically parses ${vault.<KEY>} expressions to obtain the key that contains the secret in the vault.
- enchances the capabilities of the VaultProvider by offering methods to convert the raw secrets into other types.
2019-09-04 22:34:08 +02:00
Kohei Tamura
6ae0773e09
KEYCLOAK-11006 Add method to log catched exception
2019-09-02 10:11:20 +02:00
Sebastian Laskawiec
3afbdd3ea3
KEYCLOAK-10934 PlainTextVaultProvider
2019-08-20 21:46:47 +02:00
Pedro Igor
e12c245355
[KEYCLOAK-10779] - CSRF check to My Resources
...
(cherry picked from commit dbaba6f1b8c043da4a37c906dc0d1700956a0869)
2019-08-20 06:35:00 -03:00
Hynek Mlnarik
97811fdd51
KEYCLOAK-10786 Check signature presence in SAML broker
...
(cherry picked from commit ba9f73aaff22eb34c7dec16f4b76d36d855d569b)
2019-08-20 06:35:00 -03:00
Leon Graser
0ce10a3249
[KEYCLOAK-10653] Manage Consent via the Account API
2019-08-20 06:24:44 -03:00
Nemanja Hiršl
411ea331f6
KEYCLOAK-10785 X.509 Authenticator - Update user identity source mappers
...
Update user identity sources and the way how X.509 certificates are mapped to the user to:
1. Include "Serial number + Issuer DN" as described in RFC 5280
2. Include "Certificate's SHA256-Thumbprint"
3. Exclude "Issuer DN"
4. Exclude "Issuer Email"
Add an option to represent serial number in hexadecimal format.
Documentation PR created: https://github.com/keycloak/keycloak-documentation/pull/714
KEYCLOAK-10785 - Documentation for new user identity source mappers
2019-08-16 11:35:50 -03:00
Takashi Norimatsu
8225157a1c
KEYCLOAK-6768 Signed and Encrypted ID Token Support
2019-08-15 15:57:35 +02:00
Hynek Mlnarik
d2da206d6b
KEYCLOAK-10933 Interfaces for vault SPI
2019-08-13 08:50:29 +02:00
Kohei Tamura
c0f73c0df4
KEYCLOAK-10817 Set referrer on error
2019-08-02 10:02:23 -03:00
Vlastimil Elias
4571f65d1e
KEYCLOAK-10209 - AuthenticationSessionModel made available through
...
KeycloakContext in KeycloakSession
2019-07-30 12:36:57 +02:00
Pedro Igor
8b203d48ce
[KEYCLOAK-10949] - Proper error messages when failing to authenticate the request
2019-07-29 17:01:42 -03:00
Pedro Igor
967d21dbb5
[KEYCLOAK-10713] - Pagination to resources rest api
2019-07-29 16:19:22 -03:00
k-tamura
fe0d6f4583
KEYCLOAK-10665 Fix incorrect client link on my resources page
2019-07-26 15:36:06 -03:00
k-tamura
2dceda3f50
KEYCLOAK-10807 Fix incorrect RS link on my resources page
2019-07-26 15:29:25 -03:00
Stan Silvert
bc818367a1
KEYCLOAK-10854: App-initiated actions Phase I
2019-07-26 14:56:29 -03:00
Stan Silvert
6c79bdee41
KEYCLOAK-10854: App initiated actions phase I
2019-07-26 14:56:29 -03:00
mhajas
57a8fcb669
KEYCLOAK-10776 Add session expiration to Keycloak saml login response
2019-07-24 13:35:07 +02:00
Pedro Igor
5f5cb6cb7b
[KEYCLOAK-10808] - Do not show authorization tab when client is not confidential
2019-07-15 10:07:31 -03:00
rmartinc
1d2d6591b2
KEYCLOAK-10826: Provide the locale name in the LocaleBean to be used in themes
2019-07-13 07:18:40 +02:00
rmartinc
6d6db1f3e5
KEYCLOAK-10345: OCSP validation fails if there is no intermediate CA in the client certificate
2019-07-12 15:16:00 +02:00
Takashi Norimatsu
2e850b6d4a
KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings
2019-07-12 08:33:20 +02:00
Martin Kanis
efdf0f1bd8
KEYCLOAK-6839 You took too long to login after SSO idle
2019-07-10 10:15:26 +02:00
Kohei Tamura
55a6141bff
KEYCLOAK-10783 Fix internal server error when logging out after sharing my resource
2019-07-09 09:06:58 -03:00
mposolda
5f9feee3f8
KEYCLOAK-9846 Verifying signatures on CRL during X509 authentication
2019-07-08 20:20:38 +02:00
Tomasz Prętki
0376e7241a
KEYCLOAK-10251 New Claim JSON Type - JSON
2019-07-08 11:59:57 +02:00
Sven-Torben Janus
c883c11e7e
KEYCLOAK-10158 Use PEM cert as X.509 user identity
...
Allows to use the full PEM encoded X.509 certificate from client cert
authentication as a user identity. Also allows to validate that user's
identity against LDAP in PEM (String and binary format). In addition,
a new custom attribute mapper allows to validate against LDAP when
certificate is stored in DER format (binay, Octet-String).
KEYCLOAK-10158 Allow lookup of certs in binary adn DER format from LDAP
2019-07-08 11:58:26 +02:00
Hynek Mlnarik
ca4e14fbfa
KEYCLOAK-7852 Use original NameId value in logout requests
2019-07-04 19:30:21 +02:00
Sebastian Laskawiec
b5d8f70cc7
KEYCLOAK-8224 Client not found error message
2019-07-03 18:34:56 +02:00
Asier Aguado
bed22b9b8d
[KEYCLOAK-10710] Make social providers compatible with OIDC UsernameTemplateMappers
2019-07-03 15:01:46 +02:00
rmartinc
bd5dec1830
KEYCLOAK-10112: Issues in loading offline session in a cluster environment during startup
2019-07-03 13:17:45 +02:00
Axel Messinese
b32d52e62b
KEYCLOAK-10750 Check if role exist on get user/group in role endpoint
2019-07-03 08:46:36 +02:00
Pedro Igor
0cdd23763c
[KEYCLOAK-10443] - Define a global decision strategy for resource servers
2019-07-02 09:14:37 -03:00
Jeroen ter Voorde
7518692c0d
[KEYCLOAK-10419] Added briefRepresentation parameter support to the admin client interface
...
And added a aquillian test for it.
2019-06-21 11:31:01 +02:00
Jeroen ter Voorde
a2099cff39
[KEYCLOAK-10419] Added support for briefRepresentation param on the GroupResource members endpoint.
2019-06-21 11:31:01 +02:00
k-tamura
542333a0dd
KEYCLOAK-10660 Fix internal server error when re-logging in from my resources page
2019-06-18 06:18:36 -03:00
Hisanobu Okuda
1ac51611d3
KEYCLOAK-10664 correct the error message when no SAML request provided
2019-06-18 08:47:35 +02:00
Pedro Igor
fdc0943a92
[KEYCLOAK-8060] - My Resources REST API
2019-06-11 14:23:26 -03:00
Pedro Igor
61eb94c674
[KEYCLOAK-8915] - Support resource type in authorization requests
2019-06-04 21:02:54 -03:00
Stefan Guilhen
40ec46b79b
[KEYCLOAK-8043] Allow prompt=none query parameter to be propagated to default IdP
2019-05-29 09:22:46 +02:00
Pedro Igor
e9ea1f0e36
[KEYCLOAK-10279] - Do not limit results when fetching resources
2019-05-28 15:35:29 -03:00
Ian Duffy
de0ee474dd
Review feedback
2019-05-27 21:30:01 +02:00
Ian Duffy
54909d3ef4
[KEYCLOAK-10230] Support for LDAP with Start TLS
...
This commit sends the STARTTLS on LDAP 389 connections is specified.
STARTTLS doesn't work with connection pooling so connection pooling will
be disabled should TLS be enabled.
2019-05-27 21:30:01 +02:00
vramik
d64f716a20
KEYCLOAK-2709 SAML Identity Provider POST Binding request page shown to user is comletely blank with nonsense title
2019-05-20 09:51:04 +02:00
Sebastian Loesch
76a6e82173
Fix log message
...
Single quotes need to be represented by double single quotes throughout a String.
See: https://docs.oracle.com/javase/7/docs/api/java/text/MessageFormat.html
2019-05-15 15:33:43 +02:00
Kohei Tamura
8bee7ec542
KEYCLOAK-9983 - Fix the P3P header corruption in Japanese and Turkish ( #6006 )
2019-05-15 15:23:45 +02:00
Tomohiro Nagai
d593ac3e6f
KEYCLOAK-9711 REQUIRED authentictor in ALTERNATIVE subflow throws AuthenticationFlowException when the authentictor returns ATTEMPTED.
2019-05-15 12:45:50 +02:00
Hynek Mlnarik
b8aa1916d8
KEYCLOAK-10195 Fix role lookup to address roles with dots
2019-05-14 13:00:04 +02:00
Kohei Tamura
43bda455bc
KEYCLOAK-10106 - Fix typos in default scripts ( #6010 )
2019-05-07 10:20:04 +02:00
Stefan Guilhen
f1acdc000e
[KEYCLOAK-10168] Handle microprofile-jwt client scope migration
2019-05-06 15:14:27 -03:00
Jan Lieskovsky
9eb400262f
KEYCLOAK-6055 Include X.509 certificate data in audit logs
...
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2019-04-30 11:31:04 +02:00
Sebastian Loesch
96250c9685
[KEYCLOAK-9573] Allow AdminEvents for custom resource types
2019-04-26 09:57:28 +01:00
Hynek Mlnarik
65326ce16a
KEYCLOAK-9629 Update cookie type
2019-04-24 07:18:41 +01:00
Sebastian Loesch
43393220bf
Add X.509 authenticator option for canonical DN
...
Because the current distinguished name determination is security provider
dependent, a new authenticator option is added to use the canonical format
of the distinguished name, as descriped in
javax.security.auth.x500.X500Principal.getName(String format).
2019-04-23 21:04:18 +02:00
Bekh-Ivanov George
ebcfeb20a3
[KEYCLOAK-10020] - Add ability to request user-managed (ticket) permissions by name
2019-04-12 08:44:57 -03:00
Takashi Norimatsu
9b3e297cd0
KEYCLOAK-9756 PS256 algorithm support for token signing and validation
2019-04-09 20:52:02 +02:00
Francesco Degrassi
1bf19ada7e
KEYCLOAK-9825: keep existing refresh token on token exchange requiring refresh if new one not provided in response
2019-04-09 15:21:56 -03:00
Francesco Degrassi
5b78063dce
KEYCLOAK-6614: Support requesting refresh tokens from Google using access_type=offline
2019-04-08 15:06:03 -03:00
Stefan Guilhen
2fa2437555
KEYCLOAK-5613 Add built-in optional client scope for MicroProfile-JWT
2019-04-02 08:40:19 -03:00
Hisanobu Okuda
b44c86bd26
KEYCLOAK-9833 Large SSO Session Idle/SSO Session Max causes login failure
2019-03-27 11:42:40 +01:00
vramik
b7c5ca8b38
KEYCLOAK-8535 Inconsistent SAML Logout endpoint handling
2019-03-22 14:09:31 +01:00
Pedro Igor
d2275ca563
[KEYCLOAK-7939] - Startup logs warning instead of error when admin user already exists
2019-03-21 11:44:17 -03:00
mposolda
db271f7150
KEYCLOAK-9572 Support for multiple CRLs with X509 authentication
2019-03-20 15:00:44 +01:00
Hynek Mlnarik
25c07f78bc
KEYCLOAK-9578 Fix typo in SAML attribute name format
2019-03-19 11:45:38 +01:00
Hynek Mlnarik
1c906c834b
KEYCLOAK-3373 Remove SAML IdP descriptor from client installation and publicize it in realm endpoint instead
2019-03-19 11:37:15 +01:00
fisache
a868b8b22a
[KEYCLOAK-9772] Permissions are duplicated
...
- when resource server is current user
2019-03-18 16:37:54 -03:00
stianst
8d42c9193b
KEYCLOAK-9838 Trim username in admin welcome page
2019-03-18 09:20:38 +01:00
vramik
3cc405b1c5
KEYCLOAK-8542 Remove resteasy workaround - KeycloakStringEntityFilter
2019-03-16 13:53:54 +01:00
mposolda
a48698caa3
KEYCLOAK-6056 Map user by Subject Alternative Name (otherName) when authenticating user with X509
2019-03-15 23:11:47 +01:00
Yaser Abouelenein
404ac1d050
KEYCLOAK-8701 changes needed to include x5c property in jwks
2019-03-15 06:01:15 +01:00
Axel Messinese
e18fb56389
KEYCLOAK-4978 Add endpoint to get groups by role
2019-03-15 06:00:17 +01:00
Corey McGregor
be77fd9459
KEYCLOAK-2339 Adding impersonator details to user session notes and supporting built-in protocol mappers.
2019-03-08 09:14:42 +01:00
rmartinc
231db059b2
KEYCLOAK-8996: Provide a way to set a responder certificate in OCSP/X509 Authenticator
2019-03-07 07:57:20 +01:00
Gilles
f295a2e303
[KEYCLOAK-3723] Fixed updated of protocol mappers within client updates in clients-registrations resource
2019-03-04 11:57:59 +01:00
vramik
5d205d16e8
KEYCLOAK-9167 Using kcadm to update an identity-provider instance via a json file does not work without an "internalId" present in the json
2019-02-27 14:56:36 +01:00
Stan Silvert
fe5966d224
KEYCLOAK-8602: PatternFly 4 integration
2019-02-25 08:26:54 -03:00
Simon Neaves
b5fbc04e5e
KEYCLOAK-9376 Add "aud" to DEFAULT_CLAIMS_SUPPORTED
...
See https://issues.jboss.org/browse/KEYCLOAK-9376?_sscc=t
2019-02-25 10:21:49 +01:00
Pedro Igor
99f8e5f808
[KEYCLOAK-9489] - Fixing fine-grained permission functionality
2019-02-22 09:22:14 -03:00
Steven Aerts
d36cb27bd9
KEYCLOAK-9526 admin console auth-url with hostname SPI
2019-02-21 11:55:11 +01:00
Guilhem Lucas
b666756b8f
KEYCLOAK-9320 Make theme properties available in email templates
2019-02-21 11:19:17 +01:00
Pedro Igor
34d8974e7f
[KEYCLOAK-9489] - User not able to log in to admin console when using query-* roles
2019-02-20 18:09:36 +01:00
Hynek Mlnarik
52840533c9
KEYCLOAK-9111 Fix for unhandled exception
2019-02-13 15:49:49 +01:00
Hynek Mlnarik
37e6b6ffc6
KEYCLOAK-9113 Add support for inspecting log messages for uncaught errors
2019-02-13 15:49:49 +01:00
Pedro Igor
382f6b0c2c
[KEYCLOAK-9185] - Update LinkedIn broker to LinkedIn API v2
2019-01-09 15:29:40 +01:00
Hynek Mlnarik
ca76f943c1
KEYCLOAK-9190 Update GoogleIdentityProvider endpoints
...
per https://accounts.google.com/.well-known/openid-configuration
2019-01-03 14:32:57 +01:00
stianst
07ccbdc3db
KEYCLOAK-9182
2019-01-03 14:28:35 +01:00
Hynek Mlnarik
2e52093ac5
KEYCLOAK-9123 Fix content-type check
2018-12-19 10:43:33 +01:00
mposolda
061693a8c9
KEYCLOAK-9089 IllegalArgumentException when trying to use ES256 as OIDC access token signature
2018-12-14 21:01:03 +01:00
mposolda
1237986fd0
KEYCLOAK-8838 Incorrect resource_access in accessToken when clientId contains dots
2018-12-13 10:31:27 +01:00
rmartinc
3c44e6c377
KEYCLOAK-9068: IDP-initiated-flow is not working with REDIRECT binding
2018-12-13 06:28:38 -02:00
mposolda
c51c492996
KEYCLOAK-9050 Change LoginProtocol.authenticated to read most of the values from authenticationSession
2018-12-12 13:30:03 +01:00
Stan Silvert
3ed77825a2
KEYCLOAK-8495: Account REST Svc doesn't require acct roles
2018-12-12 12:07:29 +01:00
mposolda
a7f57c7e23
KEYCLOAK-9021
2018-12-12 07:09:14 +01:00
mposolda
10eb13854e
KEYCLOAK-9028 Fix another NPE in Cors debug logging
2018-12-11 21:24:32 +01:00
Hynek Mlnarik
cea9e877ad
KEYCLOAK-9036 Fix NPE
2018-12-11 15:35:19 +01:00
MICHEL Arnault (UA 2118)
3f13df81ab
[KEYCLOAK-8580] Fixes and log improvements :
...
- fix buildChain method (return value)
- method setJVMDebuggingForCertPathBuilder removed as it doesn't output anything in server.log
- Performance : don't reload truststore on each authentication request
- Don't generate stacktrace while detecting intermediate CA's
- review log levels and messages : no log if
- log if truststore is not properly configured in standalone[-ha].xml
2018-12-10 13:58:58 +01:00
Hynek Mlnarik
dad12635f6
KEYCLOAK-9014 Fix displayed applications
2018-12-10 09:59:46 +01:00
Pedro Igor
0c39eda8d2
[KECLOAK-8237] - Openshift Client Storage
2018-12-06 10:57:53 -02:00
Hynek Mlnarik
27f145969f
KEYCLOAK-7936 Prevent registration of the same node
...
The root cause is that NodesRegistrationManagement.tryRegister can be
called from multiple threads on the same node, so it can require
registration of the same node multiple times. Hence once it turns to
tasks that invoke sendRegistrationEvent (called sequentially), the same
check has been added to that method to prevent multiple invocations on
server side, or invocation upon undeployment/termination.
2018-12-05 12:34:17 +01:00
Pedro Igor
e798c3bca2
[KEYCLOAK-8901] - Identity Provider : UserInfo response as JWT Token not supported
2018-12-05 09:28:12 -02:00
Pedro Igor
4355c89b9d
[KEYCLOAK-7365] - No need to check roles when refreshing tokens
2018-11-29 08:51:25 -02:00
rmartinc
1b37394276
KEYCLOAK-7242: LDAPS not working with truststore SPI and connection timeout
2018-11-29 11:21:46 +01:00
mposolda
6db1f60e27
KEYCLOAK-7774 KEYCLOAK-8438 Errors when SSO authenticating to same client multiple times concurrently in more browser tabs
2018-11-21 21:51:32 +01:00
Cédric Couralet
dc06a8cee3
Fix KEYCLOAK-8832 ( #5735 )
...
Avoid NullPointerException when browser sends "Origin" header and
allowedOrigin is null. This happens on chrome with admin console
2018-11-19 17:53:05 +01:00
Stian Thorgersen
f3bf1456ab
KEYCLOAK-8781 Mark OpenShift integration as preview. Fix issue in Profile where preview features was not enabled in preview mode. ( #5738 )
2018-11-19 17:32:21 +01:00
Hynek Mlnarik
548950ed8e
KEYCLOAK-8756 Consider also required actions of AuthenticationSession
2018-11-19 16:04:43 +01:00
Marek Posolda
f67d6f9660
KEYCLOAK-8482 Access token should never contain azp as an audience ( #5719 )
2018-11-19 14:38:41 +01:00
Stian Thorgersen
3756cf629b
KEYCLOAK-7081 Fixes for manual/qr mode switches on login config otp page ( #5717 )
2018-11-19 14:32:28 +01:00
Takashi Norimatsu
0793234c19
KEYCLOAK-8460 Request Object Signature Verification Other Than RS256 ( #5603 )
...
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
also support client signed signature verification by refactored token
verification mechanism
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
incorporate feedbacks and refactor client public key loading mechanism
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
unsigned request object not allowed
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
revert to re-support "none"
2018-11-19 14:28:32 +01:00
Hynek Mlnarik
461dae20de
KEYCLOAK-8731 Ensure password history is kept in line with password policy
2018-11-19 12:48:51 +01:00
mposolda
0533782d90
KEYCLOAK-7275 KEYCLOAK-5479 Faster offline sessions preloading at startup. Track lastSessionRefresh timestamps more properly by support bulk update to DB
2018-11-16 14:23:28 +01:00
Stan Silvert
0b36020bf5
KEYCLOAK-8759: Wrong RH-SSO name on Welcome Page
2018-11-15 13:00:55 -05:00
Leon Graser
85f11873c3
KEYCLOAK-8613 Group Membership Pagination
2018-11-15 17:54:07 +01:00
Gideon Caranzo
39bf08e1b9
KEYCLOAK-8783 also checked admin roles when realm admin client is specified
2018-11-15 14:23:18 +01:00
Gideon Caranzo
9f88abb022
KEYCLOAK-8783 only checked master and realm admin roles when roles are specified in imported realm
2018-11-15 14:23:18 +01:00
Thomas Darimont
cf57a1bc4b
KEYCLOAK-1267 Add dedicated SSO timeouts for Remember-Me
...
Previously remember-me sessions where tied to the SSO max session
timeout which could lead to unexpected early session timeouts.
We now allow SSO timeouts to be configured separately for sessions
with enabled remember-me. This enables users to opt-in for longer
session timeouts.
SSO session timeouts for remember-me can now be configured in the
tokens tab in the realm admin console. This new configuration is
optional and will tipically host values larger than the regular
max SSO timeouts. If no value is specified for remember-me timeouts
then the regular max SSO timeouts will be used.
Work based on PR https://github.com/keycloak/keycloak/pull/3161 by
Thomas Darimont <thomas.darimont@gmail.com>
2018-11-15 06:11:22 +01:00
Pedro Igor
f5ae76d8e3
[KEYCLOAK-8768] - Policy evaluation tool failing when client is used and identity.getId is called
2018-11-14 19:16:41 -02:00
Hynek Mlnarik
c3778e66db
KEYCLOAK-8260 Improve SAML conditions handling
2018-11-14 20:09:22 +01:00
Martin Kanis
6a23eb19f5
KEYCLOAK-8166
2018-11-14 20:09:22 +01:00
Martin Kanis
72b23c1357
KEYCLOAK-8160
2018-11-14 20:09:22 +01:00
Martin Kanis
0cb6053699
KEYCLOAK-8125
2018-11-14 20:09:22 +01:00
vramik
6564cebc0f
KEYCLOAK-7707
2018-11-14 20:09:22 +01:00
Bruno Oliveira da Silva
a957e118e6
Redirect URLs are not normalized
2018-11-14 20:09:22 +01:00
mposolda
0897d969b1
KEYCLOAK-7340
2018-11-14 20:09:22 +01:00
mposolda
1b5a83c4f1
KEYCLOAK-6980 Check if client_assertion was already used during signed JWT client authentication
2018-11-14 20:09:22 +01:00
Pedro Igor
cd96d6cc35
[KEYCLOAK-8694] - Mark Drools policy as tech preview
2018-11-09 11:08:49 -02:00
Pedro Igor
bce2aee144
[KEYCLOAK-8646] - Error deleting policies when admin events are enabled
2018-11-06 11:27:32 -02:00
rmartinc
cbe59f03b7
KEYCLOAK-8708: Provide aggregation of group attributes for mappers
2018-11-06 13:42:38 +01:00
Torbjørn Skyberg Knutsen
36b0d8b80e
KEYCLOAK-7166 Added the possibility of not logging out of remote idp on browser logout, by passing a query param containing the id of the identity provider
2018-11-06 13:39:19 +01:00
Pedro Igor
327991bd73
[KEYCLOAK-8716] - Issue with caching resolved roles in KeycloakSession
2018-11-06 10:27:04 -02:00
mposolda
ffcd8e09e7
KEYCLOAK-8175 Possibility of clientScope not being used if user doesn't have a role
2018-10-31 18:04:41 +01:00
mposolda
cfeb56e18a
KEYCLOAK-8641 Remove aud from the authorization tickets
2018-10-31 13:31:26 +01:00
mposolda
9652748ba9
KEYCLOAK-8484 Remove audience client scope template
2018-10-31 11:11:02 +01:00
Pedro Igor
f6943296c7
[KEYCLOAK-8489] - RPT request: Authorized Party's protocol mappers are being applied instead of the Audience's ones
2018-10-26 09:40:32 -03:00
Graser Leon
9ef4c7fffd
KEYCLOAK-8377 Role Attributes
2018-10-24 22:04:28 +02:00
Pedro Igor
2af9d002b6
[KEYCLOAK-8172] - Evaluation not considering scopes inherited from parent resources
2018-10-24 12:50:27 -03:00
Pedro Igor
a2b13715ed
[KEYCLOAK-8625] - Saving client settings will cause always adding default authorization settings
2018-10-24 10:18:04 -03:00
mposolda
c36b577566
KEYCLOAK-8483 Remove application from the aud claim of accessToken and refreshToken
2018-10-23 13:52:09 +02:00
Gideon Caranzo
7d85ce93bb
KEYCLOAK-8555 queried only realms with user storage provider to speed up user storage sync bootstrap
2018-10-19 09:53:58 +02:00
vramik
7a96911a83
KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
...
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
MICHEL Arnault (UA 2118)
ab8789739f
[KEYCLOAK-8580] Add Nginx certificate lookup provider
2018-10-16 07:53:18 +02:00
stianst
5f0424fb11
KEYCLOAK-8310 Change scheme option to alwaysHttps option
2018-10-15 14:00:00 +02:00
Stefan Guilhen
68a54abb09
KEYCLOAK-6757 Update MicrosoftIdentityProvider to use the Microsoft Graph endpoints
2018-10-15 12:46:15 +02:00
stianst
11374a2707
KEYCLOAK-8556 Improvements to profile
2018-10-12 12:26:37 +02:00
Gideon Caranzo
0e8d79bbfb
KEYCLOAK-8554 checked if master realm exist instead of number of realms for new installation check
2018-10-12 09:43:41 +02:00
stianst
aaa33ad883
KEYCLOAK-8509 Improvements to session iframe
2018-10-10 21:01:05 +02:00
rmartinc
0a6f43c1a1
KEYCLOAK-8490: Direct grants returns invalid credentials when user has pending actions
2018-10-10 20:18:20 +02:00
Toni Ristola
22d64368a6
KEYCLOAK-8191 Fixed DI that was not working
2018-10-09 08:22:43 -03:00
Pedro Igor
79ca722b49
[KEYCLOAK-7605] - Make sure Evaluation API is read-only
2018-10-09 08:09:29 -03:00
Moritz Becker
f17b5f0f49
fix KEYCLOAK-7572 consistently perform duplicate user checks during account update only if email changes
...
Fix test
2018-10-05 09:35:05 +02:00
stianst
86a2f28561
KEYCLOAK-8310 Add support to set fixed scheme on fixed hostname provider
2018-10-05 09:34:17 +02:00
gbtec-igormartens
c41bcddd8d
Update UserResource.java
...
In my opinion, the old documentation does not match the actual behaviour of the resetPassword method.
2018-10-04 12:54:49 +02:00
mposolda
2a4cee6044
KEYCLOAK-6884 KEYCLOAK-3454 KEYCLOAK-8298 Default 'roles' and 'web-origins' client scopes. Add roles and allowed-origins to the token through protocol mappers
2018-10-04 12:00:38 +02:00
Stan Silvert
dba513c921
KEYCLOAK-8419: Make most act mgt APIs only active in preview mode
2018-10-02 16:32:56 -04:00
Pedro Igor
b4b3527df7
[KEYCLOAK-7950] - Fixes user pagination when using filtering users members of groups
2018-10-02 15:44:23 -03:00
mposolda
4b9b189016
KEYCLOAK-8008 Ensure InputStream are closed
2018-10-01 16:06:32 +02:00
Martin Kanis
efe6a38648
KEYCLOAK-6718 Auth Flow does not Check Client Protocol
2018-09-26 21:00:02 +02:00
Pedro Igor
43f5983613
[KEYCLOAK-8289] - Remove authorization services from product preview profile
2018-09-26 18:27:27 +02:00
mposolda
3777dc45d0
KEYCLOAK-3058 Support for validation of "aud" in adapters through verify-token-audience configuration switch
2018-09-21 11:17:05 +02:00
Douglas Palmer
b748e269ec
[KEYCLOAK-7435] Added code to delete a specific session and tests for session deletion
2018-09-20 15:57:58 +02:00
Pedro Igor
6b0bc0b3be
[KEYCLOAK-8308] - Deprecate token_introspection_endpoint claim from OIDC discovery document
2018-09-19 09:46:50 -03:00
Rafael Weingärtner
3dd6f9cb85
Enable "DockerComposeYamlInstallationProviderTest" to run on Windows
2018-09-19 11:22:57 +02:00
Pedro Igor
aaf78297c9
[KEYCLOAK-7987] - Can't set authorization enabled when using kcreg
2018-09-18 10:00:16 -03:00
mposolda
99a16dcc1f
KEYCLOAK-6638 Support for adding audiences to tokens
2018-09-13 21:40:16 +02:00
slominskir
c4a651bcac
KEYCLOAK-7270 - Support for automatically linking brokered identities
2018-09-12 18:50:35 +02:00