Thomas Darimont
ab376d9101
Make required actions configurable ( #28400 )
...
- Add tests for crud operations on configurable required actions
- Add support exposing the required action configuration via RequiredActionContext
- Make configSaveError message reusable in other contexts
- Introduced admin-ui specific endpoint for retrieving required actions with config metadata
Fixes #28400
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-05-23 08:38:36 +02:00
Stefan Guilhen
37f85937a7
Move organization authenticator into conditional subflows in the default browser and first broker login flows
...
Closes #29446
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-22 20:48:29 -03:00
vramik
1e597cca3e
Split OrganizationResource into OrganizationResource and OrganizationsResource
...
Closes #29574
Signed-off-by: vramik <vramik@redhat.com>
2024-05-22 07:58:26 -03:00
vramik
278341aff9
Add organizations enabled/disabled capability
...
Closes #28804
Signed-off-by: vramik <vramik@redhat.com>
2024-05-22 07:58:26 -03:00
Francis Pouatcha
542fc65923
Issue 29627: Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 ( #29628 )
...
closes #29627
Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-05-22 10:30:34 +02:00
rmartinc
f7044ba5c2
Use SessionExpirationUtils for validate user and client sessions
...
Check client session is valid in TokenManager
Closes #24936
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-22 10:12:20 +02:00
Case Walker
f32cd91792
Upgrade owasp-java-html-sanitizer, address all fallout
...
Signed-off-by: Case Walker <case.b.walker@gmail.com>
2024-05-22 09:15:25 +02:00
Raffaele Lucca
a5a55dc66e
Protocol now is mandatory during client scope creation. ( #29544 )
...
closes #29027
Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
2024-05-22 09:10:46 +02:00
Patrick Jennings
84acc953dd
Client type OIDC base read only defaults ( #29706 )
...
closes #29742
closes #29422
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-22 09:07:19 +02:00
rmartinc
9dfaab6d82
Invalid default/options in JavaKeystoreKeyProviderFactory algorithm property
...
Closes #29426
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-22 08:49:45 +02:00
Pedro Igor
b019cf6129
Support unmanaged attributes for service accounts and make sure they are only managed through the admin api
...
Closes #29362
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-21 16:56:18 -03:00
Marek Posolda
6dc28bc7b5
Clarify the documentation about step-up authentication ( #29735 )
...
closes #28341
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-05-21 19:46:27 +02:00
Martin Kanis
97cd5f3b8d
Provide an additional endpoint to allow sending both invitation and registration links depending on the email being associated with an user or not
...
Closes #29482
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-21 12:29:10 -03:00
Hynek Mlnarik
65fcd44fe1
Use admin console correctly in KeycloakIdentity
...
Fixes : #29688
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-05-21 13:35:44 +02:00
rmartinc
3304540855
Allow admin console whoami endpoint to applications that have a special attribute
...
Closes #29640
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-20 09:51:07 +02:00
Richard van den Berg
cb3f248d73
Document getGroupById() will not set subGroups in JavaDoc
...
Closes #27787
Signed-off-by: Richard van den Berg <richard@vdberg.org>
2024-05-17 17:05:25 +02:00
Filipe Roque
e83f3af080
Call super constructor in subclasses of WebApplicationException
...
Frameworks like Datadog dd-trace-java java agent inspect the known WebApplicationException
and mark the exception as an HTTP 500, because that is the default for the
non argument constructor.
https://github.com/keycloak/keycloak/issues/29451
Signed-off-by: Filipe Roque <froque@premium-minds.com>
2024-05-17 16:25:59 +02:00
Ricardo Martin
74a80997c7
Fix CRL verification failing due to client cert not being in chain ( #29582 )
...
closes #19853
Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-17 11:28:07 +02:00
Stefan Guilhen
bfa4660ecd
Add OpenAPI documentation for the Organization API
...
Closes #29479
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-16 14:59:30 -03:00
Takashi Norimatsu
b4e7d9b1aa
Passkeys: Supporting WebAuthn Conditional UI ( #24305 )
...
closes #24264
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2024-05-16 07:58:43 +02:00
rmartinc
89d7108558
Restrict access to whoami endpoint for the admin console and users with realm access
...
Closes #25219
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-15 19:06:57 +02:00
Pedro Igor
b4d231fd40
Fixing realm removal when removing groups and brokers associated with an organization
...
Closes #29495
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 14:29:27 +02:00
Pedro Igor
b5a854b68e
Minor improvements to invitation email templates ( #29498 )
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 13:19:02 +02:00
Pedro Igor
1b583a1bab
Email validation for managed members should only fail if it does not match the domain set to a broker
...
Closes #29460
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 10:46:22 +02:00
mposolda
d8a7773947
Adding dummyHash to DirectGrant request in case user does not exists. Fix dummyHash for normal login requests
...
closes #12298
Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-13 16:33:29 +02:00
kaustubh-rh
8a82b6b587
Added a check in ClientInitialAccessResource ( #29353 )
...
closes #29311
Signed-off-by: Kaustubh Bawankar <kbawanka@redhat.com>
2024-05-13 13:00:36 +02:00
vramik
fbdaf03972
Ensure master realm can't be removed
...
Fixes #28896
Signed-off-by: vramik <vramik@redhat.com>
2024-05-13 07:47:48 -03:00
rmartinc
2cc051346d
Allow empty CSP header in headers provider
...
Closes #29458
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-13 10:51:31 +02:00
Pedro Igor
b50d481b10
Make sure organization groups can not be managed but when managing an organization
...
Closes #29431
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-10 21:28:11 -03:00
Stefan Guilhen
f0620353a4
Ensure master realm can't be removed
...
Closes #28896
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:56:18 -03:00
Stefan Guilhen
ceed7bc120
Add ability to search organizations by attribute
...
Closes #29411
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:45:41 -03:00
Pedro Igor
77b58275ca
Improvements to the organization authentication flow
...
Closes #29416
Closes #29417
Closes #29418
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-09 16:07:52 -03:00
Pedro Igor
a65508ca13
Simplifying the CORS SPI and the default implementation
...
Closes #27646
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-08 12:27:55 -03:00
Thomas Darimont
6ba8b3faa2
Revise ObjectMapper construction ( #16295 )
...
Previously an ObjectMapper was created multiple times during startup:
two times during bootstrap and one additional time for the first request sent to Keycloak.
Additionally jackson modules, e.g. support for JSR310 java.time types
were not registered event-though they are present on the classpath.
This PR revises the initialization of the ObjectMapper.
- Ensure ObjectMapper is only initialized once
- Ensure that jackson modules on the classpath are properly
Fixes #16295
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-05-07 19:04:43 +02:00
Martin Kanis
d4b7e1a7d9
Prevent to manage groups associated with organizations from different APIs
...
Closes #28734
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-07 11:16:40 -03:00
Pedro Igor
f8bc74d64f
Adding SAML protocol mapper to map organization membership
...
Closes #28732
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 15:52:35 +02:00
Stefan Guilhen
aa945d5636
Add description field to OrganizationEntity
...
Closes #29356
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-07 10:35:51 -03:00
Pedro Igor
c0325c9fdb
Do not manage brokers through the Organization API
...
Closes #29268
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 09:15:25 -03:00
Alice W
d1549a021e
Update invitation changes based on review and revert deleted test from OrganizationMembertest
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
7553679116
Using a common name for token parameter and setting it to action urls when available from query parameters
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
5359840f10
Reverting changes to login action services
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
6ae8c1e262
Reverting changes to freemarker login forms provider
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
40a283b9e8
Token expiration tests and updates to registration required action
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
158162fb4f
Review tests and having invitation related operations in a separate class
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
287f3a44ce
registration link tests
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Alice W
ce2e83c7f9
Update test and link formation on invite of new user
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Alice W
694105da89
Update the handling of invite tokens for new user registration to work with the base level oauth flows and implicit grants
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Alice W
18356761db
Add test for user invite registration and fix minor bug with registration link generation and email templating
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Pedro Igor
e0bdb42d41
adding test and minor updates to cover inviting existing users
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-06 17:57:13 -03:00
Alice W
584e92aaba
Add support for organizational invites to new and existing users based on tokens
...
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Dimitri Papadopoulos Orfanos
cd8e0fd333
Fix user-facing typos in Javadoc ( #28971 )
...
Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-05-06 18:57:55 +00:00
Stefan Guilhen
dae1eada3d
Add enabled field to OrganizationEntity
...
Closes #28891
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-06 14:46:56 -03:00
Alexander Schwartz
2ebad818f9
Provide details in the log when a client credential grant fails ( #28927 )
...
Closes #28926
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-06 09:31:25 +02:00
Alexander Schwartz
a9532274e3
Generate translations for locales via built-in Java functionality ( #29125 )
...
Closes #29124
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-05-06 09:30:14 +02:00
Giuseppe Graziano
c6d3e56cda
Handle reset password flow with logged in user
...
Closes #8887
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-06 09:10:47 +02:00
Thomas Darimont
ba43a10a6d
Improve details for user error events in OIDC protocol endpoints
...
Closes #29166
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-05-06 08:32:31 +02:00
Pedro Igor
32d25f43d0
Support for mutiple identity providers
...
Closes #28840
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-04 16:19:27 +02:00
Justin Tay
7bd48e9f9f
Set logout token type to logout+jwt
...
Closes #28939
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-05-03 14:51:10 +02:00
Giuseppe Graziano
8c3f7cc6e9
Ignore include in token scope for refresh token
...
Closes #12326
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-03 09:05:03 +02:00
alexagc
5e00fe8b10
Ignore g-recaptcha-response in user profile validation
...
Signed-off-by: alexagc <alexcanal@gmail.com>
2024-05-02 17:12:54 -03:00
Steven Hawkins
4697cc956b
further refinement of context handling ( #28182 )
...
* fully removing providers and moving the keycloaksession creation / final
cleanup
also deprecated Resteasy utility methods
closes : #29223
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-02 11:21:01 -04:00
Stefan Guilhen
45e5e6cbbf
Introduce filtered (and paginated) search for organization members
...
Closes #28844
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-02 11:25:43 -03:00
Patrick Jennings
64824bb77f
Client type service account default type ( #29037 )
...
* Adding additional non-applicable client fields to the default service-account client type configuration.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.
Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Removing reflection use for client types.
Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
More updates
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Update client utilzes type aware client property update method.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Cleaning up RepresentationToModel
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue when updating client secret.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issues with redirectUri and weborigins defaults in type aware clients.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to allow client attributes the ability to clear out values during update.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Renaming interface based on PR feedback.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Shall be able to override URI sets with an empty set.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
---------
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-02 12:22:02 +02:00
Ricardo Martin
65bdf1a604
Encode realm name in console URIs ( #29102 )
...
Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid.
closes #25807
Signed-off-by: Philip Sanetra <code@psanetra.de>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Philip Sanetra <code@psanetra.de>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-02 10:30:06 +02:00
Stefan Guilhen
02e2ebf258
Add check to prevent deserialization issues when the context token is not an AccessTokenResponse.
...
- also adds a test for the refresh token on first login scenario.
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-30 12:02:10 -03:00
Geoffrey Fourmis
24d9a22f49
25815 do not remove previous refresh token for federated identity
...
Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>
2024-04-30 12:02:10 -03:00
rmartinc
8042cd5d4f
Set client in the context for docker protocol
...
Fix to execute again the docker test
Closes #28649
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-30 10:17:17 +02:00
Pedro Igor
51352622aa
Allow adding realm users as an organization member
...
Closes #29023
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-29 08:37:47 -03:00
Alexander Schwartz
d55a8b0b17
Run validation of email addresses only for new and changed email addresses
...
Closes #29133
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-29 07:38:26 -03:00
Stefan Guilhen
bfabc291cc
28843 - Introduce filtered (and paginated) searches for organizations
...
Closes #28843
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:38:20 -03:00
Stefan Guilhen
8fa2890f68
28818 - Reintroduce search by name for subgroups
...
Closes #28818
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:06:07 -03:00
vramik
d65649d5c0
Make sure organization are only manageable by the admin users with the manage-realm role
...
Closes #28733
Signed-off-by: vramik <vramik@redhat.com>
2024-04-23 12:16:57 -03:00
Steven Hawkins
9486432f3f
fix: removing httpclient override ( #28304 )
...
we need to have a dependency on commons-logging-jboss-logging
closes : #21392
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-23 10:09:06 +02:00
Mark Banierink
ad32896725
replaced and removed deprecated token methods ( #27715 )
...
closes #19671
Signed-off-by: Mark Banierink <mark.banierink@nedap.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-23 09:23:37 +02:00
mposolda
337a337bf9
Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled
...
closes #28968
Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-22 18:31:46 +02:00
Tero Saarni
64862d568e
Convert database errors to 500 instead of 400.
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-04-22 11:42:18 -03:00
Stefan Guilhen
f1532565b6
Don't use no-arg version of GroupModel.getSubGroupsStream() when fetching the subgroups from the GroupResource endpoint.
...
- prevents pre-loading all groups; instead use the stream from the JPA adapter to load subgroups one by one and then filter based on the user permissions.
Closes #28935
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-22 11:27:29 -03:00
Marek Posolda
b553fc2ae0
Fix compilation error ( #28965 )
...
closes #28964
Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-22 11:19:33 +00:00
Erwin Rohde
10544a5a93
socketTimeoutUnits and establishConnectionTimeoutUnits use TimeUnit set in HttpClientBuilder
...
Closes #28881
Signed-off-by: Erwin Rohde <erwin@rohde.nu>
2024-04-22 08:11:11 -03:00
Douglas Palmer
ed22530d16
Failure reset time is applied to Permanent Lockout
...
Closes #28821
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-22 11:47:22 +02:00
Stefan Wiedemann
b08c644601
Support credentials issuance through oid4vci ( #27931 )
...
closes #25940
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-04-22 11:37:55 +02:00
Lex Cao
7e034dbbe0
Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity ( #26393 )
...
Closes #26201 .
Signed-off-by: Lex Cao <lexcao@foxmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-22 11:30:14 +02:00
etiksouma
1afd20e4c3
return proper error message for admin users endpoint
...
closes #28416
Signed-off-by: etiksouma <al@mouskite.com>
2024-04-20 12:17:53 +02:00
Pedro Ruivo
3e0a185070
Remove deprecated EnvironmentDependentProviderFactory.isSupported method
...
Closes #26280
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-19 16:36:49 +02:00
Giuseppe Graziano
f6071f680a
Avoid the same userSessionId after re-authentication
...
Closes keycloak/keycloak-private#69
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 14:44:39 +02:00
mposolda
c427e65354
Secondary factor bypass in step-up authentication
...
closes #34
Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Giuseppe Graziano
897c44bd1f
Validation of providerId during required action registration
...
Closes #26109
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 13:06:51 +02:00
Joerg Matysiak
76a5a27082
Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
...
Don't mask secrets at realm export
Closes #21562
Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130
Make sure admin events are not referencing sensitive data from their representation
...
Closes #21562
Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
cgeorgilakis-grnet
89263f5255
Fix refresh token scope in refresh token flow with scope request parameter
...
Closes #28463
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-18 16:17:46 -03:00
Ricardo Martin
4c2542b91f
Better management of domains in TrustedHostClientRegistrationPolicy ( #139 ) ( #28876 )
...
Closes keycloak/keycloak-private#63
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:06:50 +02:00
Ricardo Martin
8daace3f69
Validate Saml URLs inside DefaultClientValidationProvider ( #135 ) ( #28873 )
...
Closes keycloak/keycloak-private#62
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:04:13 +02:00
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access ( #131 ) ( #28872 )
...
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2024-04-18 16:02:24 +02:00
Hynek Mlnarik
9d1433d266
Update URL builder
...
Fixes : keycloak/keycloak-quickstarts#548
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-04-18 14:50:10 +02:00
vramik
860f3b7320
Prevent updating IdP via organization API not linked with the organization
...
Closes #28833
Signed-off-by: vramik <vramik@redhat.com>
2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint ( #146 ) ( #28866 )
...
Closes #47
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Conflicts:
core/src/main/java/org/keycloak/util/TokenUtil.java
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 14:11:05 +02:00
Stian Thorgersen
cbc4a8c305
Limit requests sent through session status iframe ( #132 ) ( #28864 )
...
Closes #116
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-04-18 14:02:37 +02:00
rmartinc
ddacfbdefd
Remove deprecated LinkedIn social provider
...
Closes #23127
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 10:10:58 +02:00
Pedro Igor
f0f8a88489
Automatically fill username when authenticating to through a broker
...
Closes #28848
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 08:24:34 +02:00
Pedro Igor
1e3837421e
Organization member onboarding using the organization identity provider
...
Closes #28273
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-17 07:24:01 -03:00