* fix: adding password and service account based bootstrap and recovery
closes: #29324, #30002, #30003
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Fix tests
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
Previously the scope from the token was not set available in the ClientModelIdentity attributes.
This caused the NPE in `org.keycloak.authorization.policy.provider.clientscope.ClientScopePolicyProvider.hasClientScope`(..)
when calling `identity.getAttributes().getValue("scope")`.
We now pass the provided decoded AccessToken down to the ClientModelIdentity creation
to allow to populate the required scope attribute.
We also ensure backwards compatibility for ClientPermissionManagement API.
Fixes#26435
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* feat: add Artifact Binding on brokering scenarios when Keycloak is SP
Signed-off-by: tmorin <git@morin.io>
* Adding broker test and minor improvements
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Fixing IdentityProviderTest
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Renaming methods related to idp initiated flows
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Fixing partial_import_test.spec.ts
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---------
Signed-off-by: tmorin <git@morin.io>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
* change to make authServerUrl the same as authUrl
fixes: #29641
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Remove `authUrl` entirely
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Remove file that is unrelated
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Split out and align environment variables between consoles
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Restore removed variables to preserve backwards compatibility
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Also deprecate the `authUrl` for the Admin Console
Signed-off-by: Jon Koops <jonkoops@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* OpenJDK 21 support
Closes#28517
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* x509 SAN UPN other name is not handled in JDK 21 (#904)
closes#29968
Signed-off-by: mposolda <mposolda@gmail.com>
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
closes#25945
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
Co-authored-by: Erik Jan de Wit <edewit@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* initial screen
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* more screens
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added members tab
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added the backend
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added member add / invite models
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* initial version of the identity provider section
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* add link and unlink providers
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* small fix
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* PR comments
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Do not validate broker domain when the domain is an empty string
Closes#29759
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added filter and value
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added first name last name
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* refresh menu when realm organization is changed
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to record
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to form data
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed lint error
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Changing name of invitation parameters
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Chancing name of parameters on the client
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Enable organization at the realm before running tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Domain help message
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Handling model validation errors when creating organizations
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Message key for organizationDetails
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Do not change kc.org attribute on group
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* add realm into the context
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* tests
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Changing button in invitation model to use Send instead of Save
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Better message when validating the organization domain
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Fixing compilation error after rebase
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* removed wait as it no longer required and skip flacky test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* skip tests that are flaky
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* stabilize user create test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Previously the reason was omitted in the details because it was set after the event was already submitted.
Fixes#29948
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
- AuthenticationManager#actionRequired: make sure that the highest prioritized required action is performed first, possibly before the currently requested required action
- AuthenticationManager#nextRequiredAction: make sure that the next action is requested via URL, also based on highest priority (-> requested URL will match actually performed action, unless required actions for the user are changed by a parallel operation)
- add tests to RequiredActionPriorityTest, add helper method for priority setup to ApiUtil (for easier and more robust setup than up-to-now)
- fix test WebAuthnRegisterAndLoginTest - which failed because WebAuthnRegisterFactory (prio 70) is now executed before WebAuthnPasswordlessRegisterFactory (prio 80)
Closes#16873
Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
- Add tests for crud operations on configurable required actions
- Add support exposing the required action configuration via RequiredActionContext
- Make configSaveError message reusable in other contexts
- Introduced admin-ui specific endpoint for retrieving required actions with config metadata
Fixes#28400
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Frameworks like Datadog dd-trace-java java agent inspect the known WebApplicationException
and mark the exception as an HTTP 500, because that is the default for the
non argument constructor.
https://github.com/keycloak/keycloak/issues/29451
Signed-off-by: Filipe Roque <froque@premium-minds.com>
Previously an ObjectMapper was created multiple times during startup:
two times during bootstrap and one additional time for the first request sent to Keycloak.
Additionally jackson modules, e.g. support for JSR310 java.time types
were not registered event-though they are present on the classpath.
This PR revises the initialization of the ObjectMapper.
- Ensure ObjectMapper is only initialized once
- Ensure that jackson modules on the classpath are properly
Fixes#16295
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
