Commit graph

4619 commits

Author SHA1 Message Date
Lex Cao
7e034dbbe0
Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity (#26393)
Closes #26201.

Signed-off-by: Lex Cao <lexcao@foxmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-22 11:30:14 +02:00
etiksouma
1afd20e4c3 return proper error message for admin users endpoint
closes #28416

Signed-off-by: etiksouma <al@mouskite.com>
2024-04-20 12:17:53 +02:00
Pedro Ruivo
3e0a185070 Remove deprecated EnvironmentDependentProviderFactory.isSupported method
Closes #26280

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-19 16:36:49 +02:00
Giuseppe Graziano
f6071f680a Avoid the same userSessionId after re-authentication
Closes keycloak/keycloak-private#69

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 14:44:39 +02:00
mposolda
c427e65354 Secondary factor bypass in step-up authentication
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Giuseppe Graziano
897c44bd1f Validation of providerId during required action registration
Closes #26109

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 13:06:51 +02:00
Joerg Matysiak
76a5a27082 Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
Don't mask secrets at realm export

Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130 Make sure admin events are not referencing sensitive data from their representation
Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
cgeorgilakis-grnet
89263f5255 Fix refresh token scope in refresh token flow with scope request parameter
Closes #28463

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-18 16:17:46 -03:00
Ricardo Martin
4c2542b91f
Better management of domains in TrustedHostClientRegistrationPolicy (#139) (#28876)
Closes keycloak/keycloak-private#63

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:06:50 +02:00
Ricardo Martin
8daace3f69
Validate Saml URLs inside DefaultClientValidationProvider (#135) (#28873)
Closes keycloak/keycloak-private#62

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:04:13 +02:00
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131) (#28872)
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2024-04-18 16:02:24 +02:00
Hynek Mlnarik
9d1433d266 Update URL builder
Fixes: keycloak/keycloak-quickstarts#548

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-04-18 14:50:10 +02:00
vramik
860f3b7320 Prevent updating IdP via organization API not linked with the organization
Closes #28833

Signed-off-by: vramik <vramik@redhat.com>
2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint (#146) (#28866)
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 14:11:05 +02:00
Stian Thorgersen
cbc4a8c305
Limit requests sent through session status iframe (#132) (#28864)
Closes #116

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-04-18 14:02:37 +02:00
rmartinc
ddacfbdefd Remove deprecated LinkedIn social provider
Closes #23127

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 10:10:58 +02:00
Pedro Igor
f0f8a88489 Automatically fill username when authenticating to through a broker
Closes #28848

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 08:24:34 +02:00
Pedro Igor
1e3837421e Organization member onboarding using the organization identity provider
Closes #28273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-17 07:24:01 -03:00
Jon Koops
3216e7c781
Only allow a known refferer URI for the Account Console (#28743)
Closes #27628

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-04-16 17:24:22 +02:00
Pedro Ruivo
63cb137b37 Remove usages of EnvironmentDependentProviderFactory.isSupported
Closes #28751

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-16 09:43:23 +02:00
Stefan Guilhen
2ab8bf852d Add validation for the organization's internet domains.
Closes #28634

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-15 09:03:52 -03:00
Patrick Jennings
5e0d323304 Log exception when failure to augment client and re-throw instead of returning the raw client.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
551a3db987 Updating validation logic to match our expectations on what applicable should mean.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
03db2e8b56 Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
9814733dd3 DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
c0f5dab209 If client cannot be augmented due to error, we shall return the un-augmented client entity.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
42202ae45e Translate client type exception during client create into bad request response.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Giuseppe Graziano
4672366eb9
Simplified checks in IntrospectionEndpoint (#28642)
Closes #24466

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
2024-04-12 21:19:04 +02:00
Marek Posolda
e6747bfd23
Adjust priority of SubMapper (#28663)
closes #28661


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-12 14:13:03 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Douglas Palmer
69ba92808d DefaultBruteForceProtector leverages a single thread to write success/failed events
Closes #14084

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-12 09:53:40 +02:00
Pedro Igor
8f8094408e Encapsulate the logic to set attributes into the domain model
Closes #28646

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-11 15:32:21 -03:00
Marek Posolda
74faddec8e
Release notes for lightweight access tokens and group together relate… (#28622)
closes #28460

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-11 20:02:33 +02:00
Giuseppe Graziano
33b747286e Changed userId value for refresh token events
Closes #28567

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization.
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
devjos
cccddc0810 Fix brute force detection for LDAP read-only users
Closes #28579

Signed-off-by: devjos <github_11837948@feido.de>
2024-04-10 16:36:11 +02:00
vramik
00ce3e34bd Manage a single identity provider for an organization
Closes #28272

Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:47:51 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8 Add sub via protocol mapper to access token
Closes #21185

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-10 10:40:42 +02:00
mposolda
aa619f0170 Redirect error to client right-away when browser tab detects that another browser tab authenticated
closes #27880

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-09 17:59:34 +02:00
Václav Muzikář
e4987f10f5
Hostname SPI v2 (#26345)
* Hostname SPI v2

Closes: #26084

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Address review comment

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Partially revert the previous fix

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Do not polish values

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Remove filtering of denied categories

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

---------

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2024-04-09 11:25:19 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
rmartinc
2b769e5129 Better management of the CSP header
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-08 08:19:57 +02:00
Giuseppe Graziano
b4f791b632 Remove session_state from tokens
Closes #27624

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-08 08:12:51 +02:00
Alexander Schwartz
647bce49c8 Add error details to events to be able to track down root causes
Closes #28429

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-04 20:28:45 +02:00
Justin Tay
30cd40e097 Use realm default signature algorithm for id_token_signed_response_alg
Closes #9695

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-04 11:37:28 +02:00
Justin Tay
89a5da1afd Allow empty key use in JWKS for client authentication
Closes #28004

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-04 10:42:37 +02:00
Marek Posolda
335a10fead
Handle 'You are already logged in' for expired authentication sessions (#27793)
closes #24112

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-04 10:41:03 +02:00
Anar Sultanov
6708f1f12d Update method for sending identity broker link confirmation
Signed-off-by: Anar Sultanov <anar.sultanov@assessio.se>
2024-04-03 19:08:51 -03:00
Hynek Mlnarik
8ef3423f4a Present effective sync mode value
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).

This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.

Fixes: #26019

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-04-03 15:49:18 +02:00
Pedro Igor
fefeb83588 Changes the contract to make it simpler and rely on the realm available from the current session
Closes #28403

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-03 14:45:31 +02:00
Nicola Beghin
a7e5c861cc fixes SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor (keycloak/keycloak#27875)
Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>
2024-04-02 10:58:15 +02:00
Giuseppe Graziano
fe06df67c2 New default client scope for 'basic' claims with 'auth_time' protocol mapper
Closes #27623

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-02 08:44:28 +02:00
Pedro Igor
b9a7152a29 Avoid commiting the transaction prematurely when creating users through the User API
Closes #28217

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-27 19:16:09 -03:00
Lex Cao
a53cacc0a7 Fire logout event when logout other sessions (#26658)
Closes #26658

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-03-27 11:13:48 +01:00
Jon Koops
3382e16954
Remove Account Console version 2 (#27510)
Closes #19664

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-27 10:53:28 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession (#28150)
* fix: limit the use of Resteasy to the KeycloakSession

contextualizes other state to the KeycloakSession

close: #28152
2024-03-26 13:43:41 -04:00
vramik
fa1571f231 Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member
Closes #27993

Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
vramik
e7bc796553 When the realm has registrationEmailAsUsername set to false (default) it's not possible to add a member to an org
Closes #28216

Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
Pedro Igor
a470711dfb Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider
Closes #28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-26 10:14:49 -03:00
Stian Thorgersen
8cbd39083e
Default password hashing algorithm should be set to default password hash provider (#28128)
Closes #28120

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 12:44:11 +01:00
Stian Thorgersen
3f9cebca39
Ability to set the default provider for an SPI (#28135)
Closes #28134

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:45:08 +01:00
Reda Bourial
a41d865600 fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY (#27756)
Signed-off-by: Reda Bourial <reda.bourial@gmail.com>
2024-03-21 17:06:42 +01:00
Steven Hawkins
7eab019748
task: deprecate WILDCARD and STRICT options (#26833)
closes: #24893

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 16:22:41 +01:00
Steven Hawkins
35b9d8aa49
task: remove usage of resteasy-core-spi (#27387)
closes: #27242

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 15:28:34 +01:00
Giuseppe Graziano
939420cea1 Always include offline_access scope when refreshing with offline token
Closes #27878

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-03-21 14:32:31 +01:00
Pedro Igor
32541f19a3 Allow managing members for an organization
Closes #27934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 10:26:30 -03:00
Martin Kanis
4154d27941 Invalidating offline token is not working from client sessions tab
Closes #27275

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-03-21 09:04:58 -03:00
Pedro Igor
f970deac37 Do not grant scopes not granted for resources owned the resource server itself
Closes #25057

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-20 18:36:41 +01:00
René Zeidler
83a3500ccf Attributes without a group should appear first
In the login theme, user profile attributes that
are not assigned to an attribute group should
appear before all other attributes. This aligns
the login theme (registration, verify profile,
etc.) with the account and admin console.

Fixes #27981

Signed-off-by: René Zeidler <rene.zeidler@gmx.de>
2024-03-19 18:40:01 +01:00
Peter Skopek
b77e228be4 Fix javadoc generation failure introduced with new dependencies
for OID4VCI support (#28038)

Fixes #28038

Signed-off-by: Peter Skopek <pskopek@redhat.com>
2024-03-19 14:14:53 +01:00
Stefan Wiedemann
67d3e1e467
Issue Verifiable Credentials in the VCDM format #25943 (#27071)
closes #25943


Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet
24f105e8fc successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex
Closes #23528

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-03-18 08:19:13 -03:00
Alexander Schwartz
62d24216e3 Remove offline session preloading
Closes #27602

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-15 15:19:27 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Peter Keuter
e26a261e4e
Filter subgroups before paginating
Closes #27512

Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-03-15 10:57:57 +01:00
sebastien-helbert
e33bf39055
Review log message (#23962)
missing spaces added in log message
2024-03-14 13:44:22 +01:00
Alexander Schwartz
6de5325d1c Limit the received content when handling the content as a String
Closes #27293

Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 16:43:03 +01:00
Réda Housni Alaoui
1bf90321ad
"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578)
closes #27558 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-03-13 14:00:34 +01:00
rmartinc
43a5779f6e Do not challenge inside spnego authenticator is FORKED_FLOW
Closes #20637

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-12 14:23:03 +01:00
Pedro Igor
1e48cce3ae Make sure empty configuration resolves to the system default configuration
Closes #27611

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-11 09:01:38 -03:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format (#27207)
closes #25942

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-03-11 08:55:28 +01:00
Hynek Mlnarik
26468e11f2 Use correct path to account console
Fixes: #27709

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-03-08 14:31:32 +01:00
Ricardo Martin
299118c45a
Change oidcScopeMissing from WARN to DEBUG (#27439)
Closes #27391

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-08 10:50:21 +00:00
Erik Jan de Wit
7d104dbe9d
no result to parse on success (#27336)
* no result to parse on success

fixes: #27245
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* translate error message

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-03-08 09:56:23 +01:00
Pedro Igor
40385061f7 Make sure refresh token expiration is based on the current time when the token is issued
Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-07 15:23:19 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
graziang
54b40d31b6 Revoked token cache expiration fix
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-07 13:33:37 +01:00
Alexander Schwartz
595959398b
Instead of an InputStream that doesn't know about its encoding, use a String
Closes #20916

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-07 10:24:36 +00:00
rmartinc
dea15e25da Only add the nonce claim to the ID Token (mapper for backwards compatibility)
Closes #26893

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 09:56:57 +01:00
Theresa Henze
653d09f39a trigger REMOVE_TOTP event on removal of an OTP credential
Closes #15403

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-03-06 17:12:50 +01:00
graziang
39299eeb38 Encode role name parameter in the location header uri
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.

Closes #27514

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-06 15:59:26 +01:00
rmartinc
82af0b6af6 Initial client policies integration for SAML
Closes #26654

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-06 15:18:35 +01:00
graziang
4fa940a31e Device verification flow always requires consent
Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve

Closes #26100

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-05 14:14:19 +01:00
Tero Saarni
e06fcbe6ae Change supported criteria for Google Authenticator
List Google Authenticator as supported when
- hash algorithm is SHA256 or SHA512
- number of digits is 8
- OTP type is hotp

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-03-05 11:19:06 +01:00
Jon Koops
7afd75ba08
Use browser router for Account Console (#22192)
Closes #27442

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-04 12:38:28 +00:00
Steven Hawkins
be3e2fabc4
fix: remove the reliance on allowed classes (#27368)
closes: #25038

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-04 12:17:53 +00:00
Lucy Linder
aa6771205a Update ReCAPTCHA and add support for ReCAPTCHA Enterprise
Closes #16138

Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
2024-03-04 20:28:06 +09:00
vramik
032bb8e9cc Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive method
Closes #27438

Signed-off-by: vramik <vramik@redhat.com>
2024-03-02 04:40:46 +09:00
rmartinc
f970803738 Check email and username for duplicated if isLoginWithEmailAllowed
Closes #27297

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-02 00:14:27 +09:00
Andy
137907f5ef Roles admin REST API: Don't expand composite roles
Additionally:
- Import clean-up
- Added requireMapComposite as in RoleResource.addComposites

Closes #26951

Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
2024-03-02 00:03:03 +09:00
Takashi Norimatsu
1792af6850 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor
closes #27412

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-03-01 14:49:23 +01:00
graziang
082f9ec15b Update client scopes in Client Update Request in DCR
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.

Closes #24361

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-01 12:32:45 +01:00
Albrecht Scheidig
cad34cbb04
Restore support for locales with extensions (#27285)
Closes #27284

Signed-off-by: Albrecht Scheidig <albrecht.scheidig@hype.de>
2024-02-29 17:16:44 +00:00
Marek Posolda
ae0a0ea30b
SecureRedirectUrisEnforcerExecutor fixes (#27369)
closes #27344

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-29 17:24:20 +01:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core (#27032)
* fix: partial removal of resteasy-core

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: fully removing resteasy-core

closes: #26315

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Pedro Igor
788d146bf2 Use the target client when processing scopes for internal exchanges
Closes #19183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-28 15:18:43 +01:00
graziang
16a854c91b Add option to clients to use lightweight access token
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes #27238

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-28 10:18:26 +01:00
Pedro Igor
0c91fceaad Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests
Closes #27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-27 20:37:27 +09:00
Dmitry Telegin
c18c4bbeb8 Remove setContext() + minor cleanup
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4 Fix UMA 2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202 Split OAuth2GrantType and OAuth2GrantTypeFactory 2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b Revert dynamic grant type resolution 2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a simplify OAuth2GrantType.Context creation 2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06 rebase 2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3 - rework grant type resolution to use supports() in addition to grant type
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
cc9c8fe78a Use EnvironmentDependentProviderFactory for DeviceGrantType 2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e OAuth 2.0 Grant Type SPI
Closes: #26250

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
rmartinc
562decde35 Perform internal introspect for the access token in the account app
Closes #27243

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-27 09:19:20 +01:00
kaustubh-rh
03f6cda85a
Prevent user from removing built-in client scopes (#27134)
Closes #26937

Signed-off-by: Kaustubh B <kbawanka@redhat.com>
2024-02-26 11:16:23 +01:00
Gilvan Filho
83af01c4c0 Add failedLoginNotBefore to AttackDetectionResource
Closes #17574

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-02-26 09:35:51 +01:00
graziang
cecce40aa5 Avoid regenerating the totpSecret on every reload of the OTP configuration page
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload

Closes #26052

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Takashi Norimatsu
1e12b15890 Supporting OAuth 2.1 for public clients
closes #25316

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 10:57:29 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Takashi Norimatsu
9ea679ff35 Supporting OAuth 2.1 for confidential clients
closes #25314

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 08:34:21 +01:00
Sebastian Schuster
5e34769ee0 27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2024-02-22 08:24:08 +09:00
Peter Keuter
01d66a662b
Expose display name and locales when user has ANY admin role (#27160)
* chore: expose display name and locales when user has view-realm

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: supportedlocales are available as stream

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: tests

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: remove unnecessarily added ignore

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

---------

Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-02-21 13:30:31 -05:00
graziang
d13dc57a29 Removing duplicate claims in action tokens
Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload

Closes #24980

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-21 11:30:49 +01:00
Takashi Norimatsu
1bdbaa2ca5 Client policies: executor for validate and match a redirect URI
closes #25637

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-20 08:37:33 +01:00
Stefan Wiedemann
aa6b102e3d
Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 (#27030)
closes #26936

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-02-19 17:41:40 +01:00
Pedro Hos
6b3fa8b7a7
Invalid redirect uri when identity provider alias has spaces (#22840)
closes #22836


Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-02-19 14:40:42 +01:00
Takashi Norimatsu
2f35d0e346 Add EdDSA/Ed25519 to WebAuthn Signature algorithms
closes #15000

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-19 14:08:04 +01:00
graziang
1f57fc141c UPDATED_PASSWORD required-action triggered only when login using password
`UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`.
Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method.

Closes #17155

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-16 18:16:36 +01:00
Marek Posolda
c94f9f5716
Remove random redirect after password reset (#27076)
closes #20867

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2024-02-16 18:13:27 +01:00
mposolda
eff6c3af78 During password reset, the baseURL is not shown on the info page after browser restart
closes #21127

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-15 18:48:53 +01:00
Michal Hajas
e55ba5dcdc Make sure pagination is used even when first is null for getGroups endpoint
Closes #25731

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-15 19:46:04 +09:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
Steven Hawkins
df38081fe8
fix: add an info message, and converts info to debug on non-pem files (#26939)
* fix: add an info message, and converts info to debug on non-pem files

closes: #26929

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update services/src/main/java/org/keycloak/truststore/TruststoreBuilder.java

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
2024-02-14 19:55:53 +01:00
rmartinc
bc82929e3a Cors modifications for UserInfo endpoint
Closes #26782

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-14 18:24:06 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
2024-02-13 19:26:19 +01:00
rmartinc
bb12f3fb82 Do not require non-builtin attributes for service accounts
Closes #26716

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-13 17:42:59 +01:00
Steven Hawkins
6bbf8358b4
task: addressing build warnings (#26877)
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 17:04:43 +01:00
Steven Hawkins
3a04acab51
fix: adds pfx as a recognized extension (#26876)
closes #24661

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 15:38:12 +01:00
Pedro Igor
e50642ac32 Allow setting a default user profile configuration
Closes #26489

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-12 11:16:48 +01:00