Garth
7988f026e0
Add a PasswordPoliciesBean to the FreeMarker context.
...
Closes #32553
Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
2024-09-10 12:19:53 +02:00
Alexander Schwartz
b88ecc0237
Removing the extra two-minute Window for persistent user sessions ( #32660 )
...
Closes #28418
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-09-09 09:28:48 +02:00
Steven Hawkins
58d742bb5c
fix: refining v2 hostname validation ( #32659 )
...
closes : #32643
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-09-06 17:49:25 +02:00
Thomas Darimont
211224f613
Use correct error value in Token Exchange error responses
...
The Token Exchange [RFC8693 Section-2.2.2](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2 ) requires
that the error code for invalid requests is `invalid_request`.
Previously, Keycloak used `invalid_token` as the error code.
Fixes #31547
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-05 18:35:36 +02:00
keshavprashantdeshpande
9f5f8e017e
Improve message for failing partial import of realm ( #32667 )
...
Closes #28017
Signed-off-by: Keshav Deshpande <keshavprashantdeshpande@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-05 15:12:37 +02:00
mposolda
866101e72e
Optimize LogoutEndpoint.backchannelLogout endpoint
...
closes #32683
Signed-off-by: mposolda <mposolda@gmail.com>
2024-09-05 13:49:31 +02:00
Thomas Darimont
693a63b532
Handle ClientData parsing errors in SessionCodeChecks gracefully
...
- Move ClientData parsing out of SessionCodeChecks ctor
- Respond with a bad request if invalid client data is presented
Closes #32515
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-05 10:50:27 +02:00
Giuseppe Graziano
a14548a7a2
Lightweight access tokens for Admin REST API ( #32347 )
...
* Lightweight access tokens for Admin REST API
Closes #31513
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-09-04 18:04:23 +02:00
cgeorgilakis-grnet
e6b271895e
Make update IdentityProvider admin REST API more efficient
...
Closes #32388
Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-09-04 11:49:32 -03:00
Alexander Schwartz
0e1a7c6f8e
Add information about token expiry to events
...
Closes #28311
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-04 14:44:51 +02:00
Stefan Guilhen
e7a4635620
Filter out org brokers from the account console
...
- org-linked brokers should not be available for login
- prepare the endpoint for search/pagination
Closes #31944
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-04 09:00:52 -03:00
Alexander Schwartz
4d1e1e0bcb
Show details for error messages where they were missing ( #32534 )
...
Closes #32533
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-09-04 07:23:54 -04:00
Theresa Henze
a1c23fef8c
introduce event types to update/remove credentials
...
Closes #10114
Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-09-03 18:27:27 +02:00
Pedro Igor
079242c398
Binding brokering OIDC user sessions with the issuer of the ID Token to avoid looking up sessions by iterating over all brokers in a realm
...
Closes #32091
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-09-03 17:51:20 +02:00
Thomas Darimont
88a5c96fff
Add kc_action
to redirect URI after a required action is cancelled ( #31925 )
...
Closes #31894
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-03 14:26:23 +00:00
mposolda
dad4477995
Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17
...
closes #32586
Signed-off-by: mposolda <mposolda@gmail.com>
2024-09-03 15:58:57 +02:00
Alexander Schwartz
5bd3da657b
Cache regex patterns in frequently used production code
...
Closes #32428
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-02 08:57:03 -03:00
Jon Koops
2d17024b14
Remove redirect_uri
support from OIDC logout endpoint
...
Closes #10983
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2024-08-30 12:52:49 +00:00
Martin Kanis
e7d71d43c3
Identity Provider secret visible in Organization tab (API request)
...
Closes #32486
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-30 09:26:25 -03:00
Douglas Palmer
ecbd856176
Brute force protection: Lockout permanently uses parameters configured under lockout temporarily
...
Closes #30969
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-08-29 16:30:22 +02:00
Martin Kanis
7e6dd682d4
Validate organization alias for forbidden chars
...
Closes #32392
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-28 21:59:38 +02:00
Pedro Igor
449557290b
More options to organization scope mapper including adding organization attributes to tokens
...
Closes #31642
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-27 09:40:55 -03:00
Stefan Guilhen
88cca10472
Rename IDPSpi to IdentityProviderStorageSpi
...
Closes #31639
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-26 15:10:09 -03:00
Erik Jan de Wit
776a491989
added organizations table to account ( #32311 )
...
* added organizations table to account
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-22 15:44:03 -03:00
Vlasta Ramik
d63c0fbd13
Decouple Identity provider mappers from RealmModel ( #32251 )
...
* Decouple Identity provider mappers from RealmModel
Closes #31731
Signed-off-by: vramik <vramik@redhat.com>
2024-08-22 12:05:19 -03:00
Steven Hawkins
d9a92f5de3
fix: expose bootstrap-admin-* options ( #32241 )
...
* fix: expose bootstrap-admin-* options
closes : #32176
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update quarkus/config-api/src/main/java/org/keycloak/config/BootstrapAdminOptions.java
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-08-21 15:52:38 +02:00
Peter Zaoral
6ab3b98743
Temporary admin account notice logged to org.keycloak.events ( #32307 )
...
* removed the temporary admin accounts logging from JBossLoggingEventListenerProvider
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2024-08-21 13:31:57 +00:00
Pedro Igor
c1f6d5ca64
Support for selecting an organization when requesting the organization scope
...
Closes #31438
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-21 13:04:58 +02:00
Stefan Guilhen
585d179fe0
Ensure identity providers returned to the org IDP selection are IDPs not associated with any orgs.
...
Closes #32238
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-21 07:49:01 -03:00
Peter Zaoral
1b5fe5437a
Warnings for temporary admin user and service account ( #31387 )
...
* UI banner, labels and log messages are shown when temporary admin account is used
* added UI tests that check the elements' presence
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
2024-08-21 09:30:24 +02:00
Pedro Ruivo
4675a4eda9
Deprecate UserSessionCrossDCManager
...
Fixes #31878
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-08-21 08:52:39 +02:00
Pedro Igor
e3c0b918bd
Returning a full representation when querying organizations
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-20 11:11:14 -03:00
Pedro Igor
4376a3c757
Add an endpoint to the organizations endpoint to return the organizations for a given user
...
Closes #32158
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-20 11:11:14 -03:00
Pedro Igor
eeae50fb43
Make sure federationLink always map to the storage provider associated with federated users
...
Closes #31670
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-20 11:27:22 +02:00
Stefan Guilhen
fa7c2b5da6
Address review comments
...
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-19 09:06:35 -03:00
Stefan Guilhen
f82159cf65
Rework logic to fetch IDPs for the login page so that IDPs are fetched from the provider and not filtered in code.
...
Closes #32090
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-19 09:06:35 -03:00
Pedro Igor
8e0436715c
Support for ALL and ANY organization scope values
...
Related #31438
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-19 08:45:23 -03:00
mposolda
3d787727f9
Add acr scope to all clients for those migrating from older than Keycloak 18
...
closes #31107
Signed-off-by: mposolda <mposolda@gmail.com>
2024-08-16 12:17:43 +02:00
Václav Muzikář
cb418b0bfc
Upgrade to Quarkus 3.13.2 ( #31678 )
...
* Upgrade to Quarkus 3.13.2
Closes #31676
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-08-16 11:41:34 +02:00
himanshi1099
7459992e40
Realm update validation for incorrect timeout values ( #32137 )
...
closes #31595
Signed-off-by: Himanshi Gupta <higupta@redhat.com>
2024-08-16 08:58:27 +02:00
Alexander Schwartz
80d235fffb
Handle non-existing client gracefully ( #32151 )
...
Closes #32150
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-08-15 16:08:40 +02:00
Stefan Guilhen
aeb1951aba
Replace calls to deprecated RealmModel IDP methods
...
- use the new provider instead
Closes #31254
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-15 10:55:36 -03:00
Pedro Igor
96acc62c00
Support for resolving organization based on the organization scope
...
Closes #31438
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-15 10:32:15 -03:00
Stian Thorgersen
310824cc2b
Remove legacy cookies
...
Closes #16770
Signed-off-by: stianst <stianst@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-08-15 15:27:38 +02:00
Martin Kanis
708a6898db
Add a count method to the OrganizationMembersResource
...
Closes #31388
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-15 09:12:57 -03:00
Yoshiyuki Tabata
cb6eb187ac
Client Policy - Condition : Client - Client Attribute
...
Closes https://github.com/keycloak/keycloak/issues/31766
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2024-08-14 09:56:56 +02:00
kaustubh-rh
cf8905efe8
Fix for Client secret is visable in Admin event representation when Credentials Reset action performed for the Client. ( #32067 )
...
* Stripping secrets for the credential representation
Signed-off-by: kaustubh B <kbawanka@redhat.com>
2024-08-12 13:47:41 -03:00
Steven Hawkins
b72ddbcc45
fix: add a warning log if a deprecated admin env variable is used ( #32038 )
...
closes : #31491
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-08-12 08:54:30 +02:00
rmartinc
347f595913
Add ECDH-ES encyption algorithms to the java keystore key provider
...
Closes #32023
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-09 15:57:51 +02:00
Martin Kanis
da0864682a
Conditionally redirect existing users to a broker based on their credentials
...
Closes #31006
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-09 07:59:25 -03:00