Commit graph

6739 commits

Author SHA1 Message Date
Douglas Palmer
00bd6224fa Remove remaining Fuse adapter bits
Closes #28787

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-06 09:02:26 +02:00
Michal Hajas
128bba34d3 Remove PERSISTENT_USER_SESSIONS_No_CACHE feature
Closes #29264

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-06 08:53:39 +02:00
Michal Hajas
8b715d3a31 Do not use LastSessionRefreshPersister with persistent user sessions enabled
Closes #29144

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-06 08:49:48 +02:00
Thomas Darimont
ba43a10a6d
Improve details for user error events in OIDC protocol endpoints
Closes #29166

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-05-06 08:32:31 +02:00
Pedro Igor
32d25f43d0 Support for mutiple identity providers
Closes #28840

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-04 16:19:27 +02:00
Douglas Palmer
051c0197db Remove old-WildFly, EAP 7.4 and 6.4 SAML adapters
Closes #28785

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-03 15:39:05 +02:00
Justin Tay
7bd48e9f9f Set logout token type to logout+jwt
Closes #28939

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-05-03 14:51:10 +02:00
Giuseppe Graziano
8c3f7cc6e9 Ignore include in token scope for refresh token
Closes #12326

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-03 09:05:03 +02:00
Douglas Palmer
e0176a7e31 Remove Wildfly and EAP OIDC adapters
Closes #23381

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-05-02 20:16:55 +02:00
Steven Hawkins
3b1ca46be2
fix: updating docs around -q parameter (#29151)
closes: #27877

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-05-02 16:48:43 +02:00
Stefan Guilhen
45e5e6cbbf Introduce filtered (and paginated) search for organization members
Closes #28844

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-02 11:25:43 -03:00
Stefan Wiedemann
3e16af8c0f
Fix oid4vc tests (#29209)
closes #28982
closes #28983
closes #28984
closes #28985
closes #28986
closes #28987
closes #28988
closes #28989
closes #28990
closes #28991
closes #28992
closes #28993
closes #28994
closes #28995
closes #28996

* only enable/disable features that should

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>

* use default profile if nothing is set

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>

---------

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-05-02 10:57:25 +00:00
Patrick Jennings
64824bb77f
Client type service account default type (#29037)
* Adding additional non-applicable client fields to the default service-account client type configuration.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.

Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Removing reflection use for client types.

Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

More updates

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Update client utilzes type aware client property update method.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Cleaning up RepresentationToModel

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issue when updating client secret.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issues with redirectUri and weborigins defaults in type aware clients.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Need to allow client attributes the ability to clear out values during update.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Renaming interface based on PR feedback.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Shall be able to override URI sets with an empty set.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

---------

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-02 12:22:02 +02:00
Ricardo Martin
65bdf1a604
Encode realm name in console URIs (#29102)
Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid.

closes #25807

Signed-off-by: Philip Sanetra <code@psanetra.de>
Signed-off-by: rmartinc <rmartinc@redhat.com>


Co-authored-by: Philip Sanetra <code@psanetra.de>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-02 10:30:06 +02:00
Michal Hajas
7c427e8d38 Remove offline sessions timeouts adjusters as with persistent session we have bounded caches and it is no longer necessary to adjust time in caches
Closes #29140
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 18:03:17 +02:00
Douglas Palmer
8d4d5c1c54 Remove redundant servers from the testsuite
Closes #29089

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-30 17:39:32 +02:00
Stefan Guilhen
02e2ebf258 Add check to prevent deserialization issues when the context token is not an AccessTokenResponse.
- also adds a test for the refresh token on first login scenario.

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-30 12:02:10 -03:00
Alexander Schwartz
d69872fa11
Batch writes originating from logins/logouts for persistent sessions
All writes for the sessions are handled by a background thread which batches them.

Closes #28862

Wait for persistent-store to contain update
instead of cache which has the change immediately since it is in memory + introduce new model-test profile

Closes #29141

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 14:07:35 +02:00
rmartinc
8042cd5d4f Set client in the context for docker protocol
Fix to execute again the docker test
Closes #28649

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-30 10:17:17 +02:00
Pedro Igor
51352622aa Allow adding realm users as an organization member
Closes #29023

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-29 08:37:47 -03:00
Jon Koops
a6e2ab5523 Remove jaxrs-oauth-client and OIDC servlet-filter adapters
Closes #28784

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-04-26 15:56:57 +02:00
Douglas Palmer
cca660067a Remove JAAS login modules
Closes #28789

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
b2f09feebf Remove servlet filter saml adapters
Closes #28786

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
a4a7d023a7 Remove Jetty OIDC adapter
Closes #28779

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
c5dbab2740 Remove Jetty SAML adapter
Closes #28782

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
bf2c97065f Remove SpringBoot adapters
Closes #28781

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
43aa10e091 Remove Tomcat OIDC adapter
Closes #28778

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-26 09:30:35 +02:00
Douglas Palmer
98faf6e6a0 Remove Tomcat SAML adapter
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>

Closes #28783
2024-04-26 09:30:35 +02:00
Stefan Guilhen
bfabc291cc 28843 - Introduce filtered (and paginated) searches for organizations
Closes #28843

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:38:20 -03:00
Stefan Guilhen
8fa2890f68 28818 - Reintroduce search by name for subgroups
Closes #28818

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:06:07 -03:00
vramik
d65649d5c0 Make sure organization are only manageable by the admin users with the manage-realm role
Closes #28733

Signed-off-by: vramik <vramik@redhat.com>
2024-04-23 12:16:57 -03:00
Mark Banierink
ad32896725
replaced and removed deprecated token methods (#27715)
closes #19671 

Signed-off-by: Mark Banierink <mark.banierink@nedap.com>


Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-23 09:23:37 +02:00
mposolda
337a337bf9 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled
closes #28968

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-22 18:31:46 +02:00
Ott
975bb6762f Fixed type in invalidPasswordNotContainsUsernameMessage
Signed-off-by: Ott <ottalexanderdev@gmail.com>
2024-04-22 08:06:02 -03:00
Douglas Palmer
ed22530d16 Failure reset time is applied to Permanent Lockout
Closes #28821

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-22 11:47:22 +02:00
Stefan Wiedemann
b08c644601
Support credentials issuance through oid4vci (#27931)
closes #25940 

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-04-22 11:37:55 +02:00
Lex Cao
7e034dbbe0
Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity (#26393)
Closes #26201.

Signed-off-by: Lex Cao <lexcao@foxmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-22 11:30:14 +02:00
etiksouma
1afd20e4c3 return proper error message for admin users endpoint
closes #28416

Signed-off-by: etiksouma <al@mouskite.com>
2024-04-20 12:17:53 +02:00
Pedro Ruivo
3e0a185070 Remove deprecated EnvironmentDependentProviderFactory.isSupported method
Closes #26280

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-19 16:36:49 +02:00
Giuseppe Graziano
f6071f680a Avoid the same userSessionId after re-authentication
Closes keycloak/keycloak-private#69

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 14:44:39 +02:00
mposolda
c427e65354 Secondary factor bypass in step-up authentication
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Giuseppe Graziano
897c44bd1f Validation of providerId during required action registration
Closes #26109

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-19 13:06:51 +02:00
Joerg Matysiak
76a5a27082 Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
Don't mask secrets at realm export

Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130 Make sure admin events are not referencing sensitive data from their representation
Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Steve Hawkins
0be34d64e7 task: refactor overlap between cli clients
also repackaging to more clearly delineate code roles

closes: #28329

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-18 17:39:16 -03:00
cgeorgilakis-grnet
89263f5255 Fix refresh token scope in refresh token flow with scope request parameter
Closes #28463

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-18 16:17:46 -03:00
Ricardo Martin
8daace3f69
Validate Saml URLs inside DefaultClientValidationProvider (#135) (#28873)
Closes keycloak/keycloak-private#62

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-18 16:04:13 +02:00
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131) (#28872)
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2024-04-18 16:02:24 +02:00
Douglas Palmer
00d4cab55e Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink
Closes #21422

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-18 15:54:30 +02:00
vramik
860f3b7320 Prevent updating IdP via organization API not linked with the organization
Closes #28833

Signed-off-by: vramik <vramik@redhat.com>
2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint (#146) (#28866)
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 14:11:05 +02:00
Justin Tay
d807093f63 Fix OCSP nonce handling
Closes #26439

Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-18 09:04:46 +02:00
Pedro Igor
f0f8a88489 Automatically fill username when authenticating to through a broker
Closes #28848

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 08:24:34 +02:00
Pedro Igor
1e3837421e Organization member onboarding using the organization identity provider
Closes #28273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-17 07:24:01 -03:00
Alexander Schwartz
13af4f44f5
Defer updates of last session updates and batch them (#28502)
Defer updates of last session refreshes and batch them

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-04-17 09:25:05 +02:00
Pedro Ruivo
2494ad6950 Refactor and remove deprecated Infinispan methods from DefaultInfinispanConnectionProviderFactory
Closes #28752

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-16 10:51:57 +02:00
Pedro Ruivo
63cb137b37 Remove usages of EnvironmentDependentProviderFactory.isSupported
Closes #28751

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-16 09:43:23 +02:00
Šimon Vacek
0205262c91
Workflow failure: Fuse adapter tests
Closes: #27021

Signed-off-by: Simon Vacek <simonvacky@email.cz>
2024-04-15 17:28:16 +02:00
Steven Hawkins
58398d1f69
fix: replaces aesh with picocli (#28276)
* fix: replaces aesh with picocli

closes: #28275

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: replaces aesh with picocli

closes: #28275

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-15 13:04:58 +00:00
Stefan Guilhen
2ab8bf852d Add validation for the organization's internet domains.
Closes #28634

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-15 09:03:52 -03:00
Patrick Jennings
551a3db987 Updating validation logic to match our expectations on what applicable should mean.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
03db2e8b56 Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
9814733dd3 DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Patrick Jennings
42202ae45e Translate client type exception during client create into bad request response.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-04-15 09:39:34 +02:00
Giuseppe Graziano
4672366eb9
Simplified checks in IntrospectionEndpoint (#28642)
Closes #24466

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
2024-04-12 21:19:04 +02:00
rmartinc
92bcd2645c Retry the login in the SAML adapter if response is authentication_expired
Closes #28412

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 14:55:31 +02:00
Marek Posolda
e6747bfd23
Adjust priority of SubMapper (#28663)
closes #28661


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-12 14:13:03 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
Alexander Schwartz
b4cfebd8d5
Persistent sessions code also for offline sessions (#28319)
Persistent sessions code also for offline sessions

Closes #28318

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-12 13:15:02 +02:00
Martin Bartoš
a3669a6562
Make general cache options runtime (#28542)
Closes #27549

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-04-12 11:56:11 +02:00
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Stefan Guilhen
e6b9d287af Add null checks after retrieving user from LDAP for validation to prevent NPE when user is removed in LDAP.
Closes #28523

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-11 14:29:30 -03:00
rmartinc
d31f128ca2 Fix test IdentityProviderTest#testSamlImportWithAnyEncryptionMethod
Closes #28577
Closes #28576
Closes #28575

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-11 18:56:37 +02:00
Steven Hawkins
d059a2af36
task: remove MultiVersionClusterTest (#28520)
closes: #17483

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-04-11 14:13:52 +02:00
Martin Bartoš
ad4cbf2a14 OrganizationTest.testAttributes fails in GHA CI
Fixes #28606

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-04-11 11:56:43 +02:00
tqe1999
6e0fc8a774
fix integer overflow with explicit cast
Closes #28564

Signed-off-by: tqe1999 <tqe1999@gmail.com>
2024-04-11 10:58:44 +02:00
Giuseppe Graziano
33b747286e Changed userId value for refresh token events
Closes #28567

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization.
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
devjos
cccddc0810 Fix brute force detection for LDAP read-only users
Closes #28579

Signed-off-by: devjos <github_11837948@feido.de>
2024-04-10 16:36:11 +02:00
vramik
00ce3e34bd Manage a single identity provider for an organization
Closes #28272

Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:47:51 -03:00
Jon Koops
0327787645 Remove legacy Account Console tests
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-04-10 14:34:56 +02:00
vramik
0826a12ca4 Exclude groovy artefact from testsuite to avoid version collision
Closes #28555

Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:16:36 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8 Add sub via protocol mapper to access token
Closes #21185

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-10 10:40:42 +02:00
mposolda
aa619f0170 Redirect error to client right-away when browser tab detects that another browser tab authenticated
closes #27880

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-09 17:59:34 +02:00
Konstantinos Georgilakis
a40a953644 SAML element EncryptionMethod can consist any element
closes #12585

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-04-09 14:15:56 +02:00
Stian Thorgersen
a499512f35
Set SameSite for all cookies (#28467)
Closes #28465

Signed-off-by: stianst <stianst@gmail.com>
2024-04-09 12:29:19 +02:00
Václav Muzikář
e4987f10f5
Hostname SPI v2 (#26345)
* Hostname SPI v2

Closes: #26084

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Address review comment

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Partially revert the previous fix

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Do not polish values

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Remove filtering of denied categories

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

---------

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2024-04-09 11:25:19 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
Justin Tay
e765932df3 Skip unsupported keys in JWKS
Closes #16064

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-08 08:42:31 +02:00
rmartinc
2b769e5129 Better management of the CSP header
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-08 08:19:57 +02:00
Giuseppe Graziano
b4f791b632 Remove session_state from tokens
Closes #27624

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-08 08:12:51 +02:00
MNaaz
811c70d136 Support for searching users based on search filter, enabled attribute, first, max Closes #27241
Signed-off-by: MNaaz <feminity2001@yahoo.com>
2024-04-05 12:10:15 -03:00
Jon Koops
d3c2475041
Upgrade admin and account console to PatternFly 5 (#28196)
Closes #21345
Closes #21344

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Mark Franceschelli <mfrances@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@redhat.com>
Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>
2024-04-05 16:37:05 +02:00
Gilvan Filho
96db7e3154 fix NotContainsUsernamePasswordPolicyProvider: reversed check
closes #28389

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-04-05 10:39:07 -03:00
Pedro Igor
8fb6d43e07 Do not export ids when exporting authorization settings
Closes #25975

Co-authored-by: 박시준 <sjpark@logblack.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-04 19:26:03 +02:00
Justin Tay
30cd40e097 Use realm default signature algorithm for id_token_signed_response_alg
Closes #9695

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-04 11:37:28 +02:00
Justin Tay
89a5da1afd Allow empty key use in JWKS for client authentication
Closes #28004

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-04 10:42:37 +02:00
Marek Posolda
335a10fead
Handle 'You are already logged in' for expired authentication sessions (#27793)
closes #24112

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-04 10:41:03 +02:00
Martin Bartoš
7f048300fe
Support management port for health and metrics (#27629)
* Support management port for health and metrics

Closes #19334

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Deprecate option

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Remove relativePath first-class citizen, rename ManagementSpec

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Fix KeycloakDistConfiguratorTest

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2024-04-03 16:18:44 +02:00
Hynek Mlnarik
8ef3423f4a Present effective sync mode value
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).

This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.

Fixes: #26019

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-04-03 15:49:18 +02:00
Pedro Igor
4ec9fea8f7 Adding tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-03 08:04:17 -03:00
Clemens Zagler
b44252fde9 authz/client: Fix getPermissions returning wrong type
Due to an issue with runtime type erasure, getPermissions returned a
List<LinkedHashSet> instead of List<Permission>.
Fixed and added test to catch this

Closes #16520

Signed-off-by: Clemens Zagler <c.zagler@noi.bz.it>
2024-04-02 11:09:43 -03:00
Giuseppe Graziano
fe06df67c2 New default client scope for 'basic' claims with 'auth_time' protocol mapper
Closes #27623

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-02 08:44:28 +02:00
Stefan Guilhen
2ca59d4141 Align isEnabled in MSAD mappers to how other properties are processed in UserAttributeLDAPStorageMapper
- user model is updated by onImport with the enabled/disabled status of the LDAP user
- a config option always.read.enabled.value.from.ldap was introduced, in synch to what we have in UserAttributeLDAPStorageMapper
- isEnabled checks the flag to decide if it should always retrieve the value from LDAP, or return the local value.
- setEnabled first updates the LDAP tx, and then calls the delegate to avoid issue #24201

Closes #26695
Closed #24201

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-01 08:20:35 -03:00
Steven Hawkins
e9ad9d0564
fix: replace aesh with picocli (#27458)
* fix: replace aesh with picocli

closes: #27388

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/AbstractRequestCmd.java

Co-authored-by: Martin Bartoš <mabartos@redhat.com>

* splitting the error handling for password input

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* adding a change note about kcadm

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc

Co-authored-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-03-28 14:34:06 +01:00
Alexander Schwartz
c580c88c93
Persist online sessions to the database (#27977)
Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one.

Closes #27976

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-03-28 09:17:07 +01:00
Gilvan Filho
757c524cc5 Password policy for not having username in the password
closes #27643

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-03-28 08:29:03 +01:00
Pedro Igor
b9a7152a29 Avoid commiting the transaction prematurely when creating users through the User API
Closes #28217

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-27 19:16:09 -03:00
Lex Cao
a53cacc0a7 Fire logout event when logout other sessions (#26658)
Closes #26658

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-03-27 11:13:48 +01:00
Jon Koops
3382e16954
Remove Account Console version 2 (#27510)
Closes #19664

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-27 10:53:28 +01:00
Tomas Ondrusko
3160116a56
Remove Twitter workaround (#28232)
Relates to #23252

Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
2024-03-27 10:34:26 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession (#28150)
* fix: limit the use of Resteasy to the KeycloakSession

contextualizes other state to the KeycloakSession

close: #28152
2024-03-26 13:43:41 -04:00
vramik
fa1571f231 Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member
Closes #27993

Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
Pedro Igor
a470711dfb Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider
Closes #28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-26 10:14:49 -03:00
Stian Thorgersen
c3a98ae387
Use Argon2 as default password hashing algorithm (#28162)
Closes #28161

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 13:04:14 +00:00
Stian Thorgersen
8cbd39083e
Default password hashing algorithm should be set to default password hash provider (#28128)
Closes #28120

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 12:44:11 +01:00
Stian Thorgersen
3f9cebca39
Ability to set the default provider for an SPI (#28135)
Closes #28134

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:45:08 +01:00
Stian Thorgersen
cae92cbe8c
Argon2 password hashing provider (#28031)
Closes #28030

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:08:09 +01:00
Reda Bourial
a41d865600 fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY (#27756)
Signed-off-by: Reda Bourial <reda.bourial@gmail.com>
2024-03-21 17:06:42 +01:00
Steven Hawkins
7eab019748
task: deprecate WILDCARD and STRICT options (#26833)
closes: #24893

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 16:22:41 +01:00
Steven Hawkins
35b9d8aa49
task: remove usage of resteasy-core-spi (#27387)
closes: #27242

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 15:28:34 +01:00
Giuseppe Graziano
b24d446911 Avoid using wait() to wait for the redirect
Closes #22644

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-03-21 14:36:43 +01:00
Giuseppe Graziano
939420cea1 Always include offline_access scope when refreshing with offline token
Closes #27878

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-03-21 14:32:31 +01:00
Pedro Igor
32541f19a3 Allow managing members for an organization
Closes #27934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 10:26:30 -03:00
Martin Kanis
4154d27941 Invalidating offline token is not working from client sessions tab
Closes #27275

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-03-21 09:04:58 -03:00
Sebastian Schuster
0542554984 12671 querying by user attribute no longer forces case insensitivity for keys
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2024-03-21 08:35:29 -03:00
Pedro Igor
f970deac37 Do not grant scopes not granted for resources owned the resource server itself
Closes #25057

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-20 18:36:41 +01:00
Alexander Schwartz
149e50e1b1
Upgrading to Quarkus 3.8.3 (#28085)
Closes #28084

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-20 17:16:42 +01:00
Takashi Norimatsu
d5bf79b932 Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention
closes #26713

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-03-20 13:22:48 +01:00
René Zeidler
83a3500ccf Attributes without a group should appear first
In the login theme, user profile attributes that
are not assigned to an attribute group should
appear before all other attributes. This aligns
the login theme (registration, verify profile,
etc.) with the account and admin console.

Fixes #27981

Signed-off-by: René Zeidler <rene.zeidler@gmx.de>
2024-03-19 18:40:01 +01:00
Hynek Mlnařík
9caac3814c
Enable WebAuthn tests for Account v3 (#28029)
* Re-enable WebAuthn testsuite
* Remove reference to Account 2 in UI testsuites

Fixes: #26080

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>

---------

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-03-19 14:26:44 +01:00
Stefan Wiedemann
67d3e1e467
Issue Verifiable Credentials in the VCDM format #25943 (#27071)
closes #25943


Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet
24f105e8fc successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex
Closes #23528

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-03-18 08:19:13 -03:00
Alexander Schwartz
62d24216e3 Remove offline session preloading
Closes #27602

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-15 15:19:27 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Alexander Schwartz
6de5325d1c Limit the received content when handling the content as a String
Closes #27293

Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 16:43:03 +01:00
Pedro Igor
9ad447390a Only remove attributes with empty values when updating user profile
Closes #27797

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-13 15:03:08 +01:00
Réda Housni Alaoui
1bf90321ad
"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578)
closes #27558 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-03-13 14:00:34 +01:00
rmartinc
d679c13040 Continue LDAP search if a duplicated user (ModelDuplicateException) is found
Closes #25778

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-13 08:52:58 -03:00
rmartinc
43a5779f6e Do not challenge inside spnego authenticator is FORKED_FLOW
Closes #20637

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-12 14:23:03 +01:00
Pedro Igor
1e48cce3ae Make sure empty configuration resolves to the system default configuration
Closes #27611

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-11 09:01:38 -03:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format (#27207)
closes #25942

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-03-11 08:55:28 +01:00
Steve Hawkins
4091baf4c2 fix: accounting for the possibility of null flows from existing realms
closes: #23980

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-08 14:25:23 +01:00
Pedro Igor
40385061f7 Make sure refresh token expiration is based on the current time when the token is issued
Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-07 15:23:19 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
graziang
54b40d31b6 Revoked token cache expiration fix
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-07 13:33:37 +01:00
rmartinc
dea15e25da Only add the nonce claim to the ID Token (mapper for backwards compatibility)
Closes #26893

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 09:56:57 +01:00