Francis Pouatcha
542fc65923
Issue 29627: Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 ( #29628 )
...
closes #29627
Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-05-22 10:30:34 +02:00
rmartinc
f7044ba5c2
Use SessionExpirationUtils for validate user and client sessions
...
Check client session is valid in TokenManager
Closes #24936
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-22 10:12:20 +02:00
Case Walker
f32cd91792
Upgrade owasp-java-html-sanitizer, address all fallout
...
Signed-off-by: Case Walker <case.b.walker@gmail.com>
2024-05-22 09:15:25 +02:00
Raffaele Lucca
a5a55dc66e
Protocol now is mandatory during client scope creation. ( #29544 )
...
closes #29027
Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
2024-05-22 09:10:46 +02:00
Patrick Jennings
84acc953dd
Client type OIDC base read only defaults ( #29706 )
...
closes #29742
closes #29422
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-22 09:07:19 +02:00
Pedro Igor
b019cf6129
Support unmanaged attributes for service accounts and make sure they are only managed through the admin api
...
Closes #29362
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-21 16:56:18 -03:00
Martin Kanis
97cd5f3b8d
Provide an additional endpoint to allow sending both invitation and registration links depending on the email being associated with an user or not
...
Closes #29482
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-21 12:29:10 -03:00
rmartinc
3304540855
Allow admin console whoami endpoint to applications that have a special attribute
...
Closes #29640
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-20 09:51:07 +02:00
Stefan Guilhen
1aab371912
Fix errors when importing realms with the organization feature enabled
...
Closes #29630
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-17 07:25:31 -03:00
Ricardo Martin
74a80997c7
Fix CRL verification failing due to client cert not being in chain ( #29582 )
...
closes #19853
Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-17 11:28:07 +02:00
Dimitri Papadopoulos Orfanos
64a145e960
Fix user-facing typos in error messages ( #29326 )
...
Update resource file and tests accordingly
Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
2024-05-16 09:55:41 +02:00
Takashi Norimatsu
b4e7d9b1aa
Passkeys: Supporting WebAuthn Conditional UI ( #24305 )
...
closes #24264
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2024-05-16 07:58:43 +02:00
rmartinc
89d7108558
Restrict access to whoami endpoint for the admin console and users with realm access
...
Closes #25219
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-15 19:06:57 +02:00
Stefan Guilhen
c4760b8188
Ensure that IDP's linked domains are remove when org is deleted or when the domain is removed from the org.
...
Closes #29481
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-14 15:39:18 -03:00
Martin Kanis
3985157f9f
Make sure operations on a organization are based on realm they belong to
...
Closes #28841
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-14 10:47:39 -03:00
Pedro Igor
b4d231fd40
Fixing realm removal when removing groups and brokers associated with an organization
...
Closes #29495
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 14:29:27 +02:00
Pedro Igor
b5a854b68e
Minor improvements to invitation email templates ( #29498 )
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 13:19:02 +02:00
Pedro Igor
1b583a1bab
Email validation for managed members should only fail if it does not match the domain set to a broker
...
Closes #29460
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 10:46:22 +02:00
mposolda
d8a7773947
Adding dummyHash to DirectGrant request in case user does not exists. Fix dummyHash for normal login requests
...
closes #12298
Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-13 16:33:29 +02:00
kaustubh-rh
8a82b6b587
Added a check in ClientInitialAccessResource ( #29353 )
...
closes #29311
Signed-off-by: Kaustubh Bawankar <kbawanka@redhat.com>
2024-05-13 13:00:36 +02:00
rmartinc
2cc051346d
Allow empty CSP header in headers provider
...
Closes #29458
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-13 10:51:31 +02:00
Alexander Schwartz
6cc8d653f3
Make SessionWrapper related fields immutable that are part of the equals method
...
The cache replace logic depends on it, as values returned by reference from a local cache must never be modified on those critical fields directly.
Closes #28906
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-13 09:59:50 +02:00
Giuseppe Graziano
d735668fcd
Fix test failures after @DisableFeature
...
Closes #29253
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-13 08:20:54 +02:00
Pedro Igor
b50d481b10
Make sure organization groups can not be managed but when managing an organization
...
Closes #29431
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-10 21:28:11 -03:00
Stefan Guilhen
f0620353a4
Ensure master realm can't be removed
...
Closes #28896
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:56:18 -03:00
Stefan Guilhen
ceed7bc120
Add ability to search organizations by attribute
...
Closes #29411
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:45:41 -03:00
Pedro Igor
77b58275ca
Improvements to the organization authentication flow
...
Closes #29416
Closes #29417
Closes #29418
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-09 16:07:52 -03:00
Pedro Igor
a65508ca13
Simplifying the CORS SPI and the default implementation
...
Closes #27646
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-08 12:27:55 -03:00
Pedro Ruivo
cbce548e71
Infinispan 15.0.3.Final
...
Closes #29068
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-05-08 17:18:39 +02:00
Stefan Guilhen
dde2746595
Improve tests to ensure managed users disabled upon disabling the org can't be updated
...
Closes #28891
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-07 18:11:52 -03:00
Pedro Igor
927ba48f7a
Adding tests to cover using SAML brokers in an organization
...
Closes #28732
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 20:44:38 +02:00
Douglas Palmer
8d628d740e
Can we remove undertow OIDC adapter?
...
Closes #28788
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-07 19:47:46 +02:00
Thore
4b194d00be
iso-date validator for the user-profile
...
Adds a new validator in order to be able to validate user-model fields which should be modified/supplied by a datepicker.
Closes #11757
Signed-off-by: Thore <thore@kruess.xyz>
2024-05-07 11:42:39 -03:00
Martin Kanis
d4b7e1a7d9
Prevent to manage groups associated with organizations from different APIs
...
Closes #28734
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-07 11:16:40 -03:00
Pedro Igor
f8bc74d64f
Adding SAML protocol mapper to map organization membership
...
Closes #28732
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 15:52:35 +02:00
Stefan Guilhen
aa945d5636
Add description field to OrganizationEntity
...
Closes #29356
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-07 10:35:51 -03:00
Pedro Igor
c0325c9fdb
Do not manage brokers through the Organization API
...
Closes #29268
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 09:15:25 -03:00
Dinesh Solanki
2172741eb6
Refactor element identifiers from ID to class ( #28690 )
...
Closes #24462
Signed-off-by: Dinesh Solanki <15937452+DineshSolanki@users.noreply.github.com>
2024-05-07 13:56:21 +02:00
Alice W
d1549a021e
Update invitation changes based on review and revert deleted test from OrganizationMembertest
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
40a283b9e8
Token expiration tests and updates to registration required action
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
158162fb4f
Review tests and having invitation related operations in a separate class
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
287f3a44ce
registration link tests
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Alice W
ce2e83c7f9
Update test and link formation on invite of new user
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Alice W
18356761db
Add test for user invite registration and fix minor bug with registration link generation and email templating
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
e0bdb42d41
adding test and minor updates to cover inviting existing users
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Stefan Guilhen
dae1eada3d
Add enabled field to OrganizationEntity
...
Closes #28891
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-06 14:46:56 -03:00
Alexander Schwartz
a9532274e3
Generate translations for locales via built-in Java functionality ( #29125 )
...
Closes #29124
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-05-06 09:30:14 +02:00
Giuseppe Graziano
c6d3e56cda
Handle reset password flow with logged in user
...
Closes #8887
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-06 09:10:47 +02:00
Douglas Palmer
00bd6224fa
Remove remaining Fuse adapter bits
...
Closes #28787
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-06 09:02:26 +02:00
Michal Hajas
128bba34d3
Remove PERSISTENT_USER_SESSIONS_No_CACHE feature
...
Closes #29264
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-06 08:53:39 +02:00
Michal Hajas
8b715d3a31
Do not use LastSessionRefreshPersister with persistent user sessions enabled
...
Closes #29144
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-06 08:49:48 +02:00
Thomas Darimont
ba43a10a6d
Improve details for user error events in OIDC protocol endpoints
...
Closes #29166
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-05-06 08:32:31 +02:00
Pedro Igor
32d25f43d0
Support for mutiple identity providers
...
Closes #28840
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-04 16:19:27 +02:00
Douglas Palmer
051c0197db
Remove old-WildFly, EAP 7.4 and 6.4 SAML adapters
...
Closes #28785
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-03 15:39:05 +02:00
Justin Tay
7bd48e9f9f
Set logout token type to logout+jwt
...
Closes #28939
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-05-03 14:51:10 +02:00
Giuseppe Graziano
8c3f7cc6e9
Ignore include in token scope for refresh token
...
Closes #12326
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-03 09:05:03 +02:00
Douglas Palmer
e0176a7e31
Remove Wildfly and EAP OIDC adapters
...
Closes #23381
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-02 20:16:55 +02:00
Steven Hawkins
3b1ca46be2
fix: updating docs around -q parameter ( #29151 )
...
closes : #27877
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-05-02 16:48:43 +02:00
Stefan Guilhen
45e5e6cbbf
Introduce filtered (and paginated) search for organization members
...
Closes #28844
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-02 11:25:43 -03:00
Stefan Wiedemann
3e16af8c0f
Fix oid4vc tests ( #29209 )
...
closes #28982
closes #28983
closes #28984
closes #28985
closes #28986
closes #28987
closes #28988
closes #28989
closes #28990
closes #28991
closes #28992
closes #28993
closes #28994
closes #28995
closes #28996
* only enable/disable features that should
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
* use default profile if nothing is set
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
---------
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-05-02 10:57:25 +00:00
Patrick Jennings
64824bb77f
Client type service account default type ( #29037 )
...
* Adding additional non-applicable client fields to the default service-account client type configuration.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.
Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Removing reflection use for client types.
Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
More updates
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Update client utilzes type aware client property update method.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Cleaning up RepresentationToModel
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue when updating client secret.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issues with redirectUri and weborigins defaults in type aware clients.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to allow client attributes the ability to clear out values during update.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Renaming interface based on PR feedback.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Shall be able to override URI sets with an empty set.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
---------
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-02 12:22:02 +02:00
Ricardo Martin
65bdf1a604
Encode realm name in console URIs ( #29102 )
...
Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid.
closes #25807
Signed-off-by: Philip Sanetra <code@psanetra.de>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Philip Sanetra <code@psanetra.de>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-02 10:30:06 +02:00
Michal Hajas
7c427e8d38
Remove offline sessions timeouts adjusters as with persistent session we have bounded caches and it is no longer necessary to adjust time in caches
...
Closes #29140
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 18:03:17 +02:00
Douglas Palmer
8d4d5c1c54
Remove redundant servers from the testsuite
...
Closes #29089
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-30 17:39:32 +02:00
Stefan Guilhen
02e2ebf258
Add check to prevent deserialization issues when the context token is not an AccessTokenResponse.
...
- also adds a test for the refresh token on first login scenario.
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-30 12:02:10 -03:00
Alexander Schwartz
d69872fa11
Batch writes originating from logins/logouts for persistent sessions
...
All writes for the sessions are handled by a background thread which batches them.
Closes #28862
Wait for persistent-store to contain update
instead of cache which has the change immediately since it is in memory + introduce new model-test profile
Closes #29141
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 14:07:35 +02:00
rmartinc
8042cd5d4f
Set client in the context for docker protocol
...
Fix to execute again the docker test
Closes #28649
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-30 10:17:17 +02:00
Pedro Igor
51352622aa
Allow adding realm users as an organization member
...
Closes #29023
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-29 08:37:47 -03:00
Jon Koops
a6e2ab5523
Remove jaxrs-oauth-client
and OIDC servlet-filter
adapters
...
Closes #28784
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-04-26 15:56:57 +02:00
Douglas Palmer
cca660067a
Remove JAAS login modules
...
Closes #28789
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
b2f09feebf
Remove servlet filter saml adapters
...
Closes #28786
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
a4a7d023a7
Remove Jetty OIDC adapter
...
Closes #28779
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
c5dbab2740
Remove Jetty SAML adapter
...
Closes #28782
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
bf2c97065f
Remove SpringBoot adapters
...
Closes #28781
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
43aa10e091
Remove Tomcat OIDC adapter
...
Closes #28778
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
98faf6e6a0
Remove Tomcat SAML adapter
...
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Closes #28783
2024-04-26 09:30:35 +02:00
Stefan Guilhen
bfabc291cc
28843 - Introduce filtered (and paginated) searches for organizations
...
Closes #28843
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:38:20 -03:00
Stefan Guilhen
8fa2890f68
28818 - Reintroduce search by name for subgroups
...
Closes #28818
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:06:07 -03:00
vramik
d65649d5c0
Make sure organization are only manageable by the admin users with the manage-realm role
...
Closes #28733
Signed-off-by: vramik <vramik@redhat.com>
2024-04-23 12:16:57 -03:00
Mark Banierink
ad32896725
replaced and removed deprecated token methods ( #27715 )
...
closes #19671
Signed-off-by: Mark Banierink <mark.banierink@nedap.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-23 09:23:37 +02:00
mposolda
337a337bf9
Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled
...
closes #28968
Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-22 18:31:46 +02:00
Ott
975bb6762f
Fixed type in invalidPasswordNotContainsUsernameMessage
...
Signed-off-by: Ott <ottalexanderdev@gmail.com>
2024-04-22 08:06:02 -03:00
Douglas Palmer
ed22530d16
Failure reset time is applied to Permanent Lockout
...
Closes #28821
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-22 11:47:22 +02:00
Stefan Wiedemann
b08c644601
Support credentials issuance through oid4vci ( #27931 )
...
closes #25940
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-04-22 11:37:55 +02:00
Lex Cao
7e034dbbe0
Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity ( #26393 )
...
Closes #26201 .
Signed-off-by: Lex Cao <lexcao@foxmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-22 11:30:14 +02:00
etiksouma
1afd20e4c3
return proper error message for admin users endpoint
...
closes #28416
Signed-off-by: etiksouma <al@mouskite.com>
2024-04-20 12:17:53 +02:00
Pedro Ruivo
3e0a185070
Remove deprecated EnvironmentDependentProviderFactory.isSupported method
...
Closes #26280
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-19 16:36:49 +02:00
Giuseppe Graziano
f6071f680a
Avoid the same userSessionId after re-authentication
...
Closes keycloak/keycloak-private#69
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 14:44:39 +02:00
mposolda
c427e65354
Secondary factor bypass in step-up authentication
...
closes #34
Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Giuseppe Graziano
897c44bd1f
Validation of providerId during required action registration
...
Closes #26109
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 13:06:51 +02:00
Joerg Matysiak
76a5a27082
Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
...
Don't mask secrets at realm export
Closes #21562
Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130
Make sure admin events are not referencing sensitive data from their representation
...
Closes #21562
Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Steve Hawkins
0be34d64e7
task: refactor overlap between cli clients
...
also repackaging to more clearly delineate code roles
closes : #28329
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-18 17:39:16 -03:00
cgeorgilakis-grnet
89263f5255
Fix refresh token scope in refresh token flow with scope request parameter
...
Closes #28463
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-18 16:17:46 -03:00
Ricardo Martin
8daace3f69
Validate Saml URLs inside DefaultClientValidationProvider ( #135 ) ( #28873 )
...
Closes keycloak/keycloak-private#62
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:04:13 +02:00
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access ( #131 ) ( #28872 )
...
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2024-04-18 16:02:24 +02:00
Douglas Palmer
00d4cab55e
Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink
...
Closes #21422
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-18 15:54:30 +02:00
vramik
860f3b7320
Prevent updating IdP via organization API not linked with the organization
...
Closes #28833
Signed-off-by: vramik <vramik@redhat.com>
2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint ( #146 ) ( #28866 )
...
Closes #47
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Conflicts:
core/src/main/java/org/keycloak/util/TokenUtil.java
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 14:11:05 +02:00
Justin Tay
d807093f63
Fix OCSP nonce handling
...
Closes #26439
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-18 09:04:46 +02:00