Commit graph

488 commits

Author SHA1 Message Date
Pedro Igor
eec712a259 [KEYCLOAK-3135] - Role and user policies apis 2017-04-12 00:52:14 -03:00
Pedro Igor
54ebc1918c [KEYCLOAK-3135] - Using abstract policy representation when creating policies and updating tests 2017-04-12 00:52:13 -03:00
Pedro Igor
55f747ecd0 [KEYCLOAK-3135] - Part 1: Permission Management API 2017-04-12 00:52:13 -03:00
Dominik Langenegger
8840bc073f KEYCLOAK-4736 Extend security defenses with additional option to set the X-XSS-Protection header, block by default 2017-04-10 11:20:07 +02:00
Nekrasov Aleksander
2066259518 KEYCLOAK-4502 Update Russian translation 2017-04-08 11:42:33 +07:00
Nekrasov Aleksander
9bca7fb7c5 KEYCLOAK-4502 Update russian translation 2017-04-08 11:27:34 +07:00
Dominik Langenegger
c73de4f2b9 KEYCLOAK-4734 Update Italian translations 2017-04-07 16:46:43 +02:00
Dominik Langenegger
16430791bb KEYCLOAK-4729 Update German translations 2017-04-07 16:03:34 +02:00
Dominik Langenegger
e9d22f3506 KEYCLOAK-4728 Fix typo 2017-04-07 09:31:05 +02:00
Stian Thorgersen
af4c74f1d9 Merge pull request #3718 from thomasdarimont/issue/KEYCLOAK-4163-improve-support-for-email-addresses
KEYCLOAK-4163 Improve support for e-mail addresses
2017-04-06 15:34:30 +02:00
Stian Thorgersen
4845286e04 Merge pull request #4001 from stianst/KEYCLOAK-4693
KEYCLOAK-4693
2017-04-04 15:48:08 +02:00
Stian Thorgersen
eaf386f1d2 KEYCLOAK-4693
Improve blocking search indexing
2017-04-04 09:56:48 +02:00
Pedro Igor
838a045239 [KEYCLOAK-4650] - Adding scope filter and fixing cancel buttons 2017-03-29 12:59:41 -03:00
Pedro Igor
33a0dc880f [KEYCLOAK-4650] - Confirmation dialog when disabling authorization settings 2017-03-29 11:17:10 -03:00
Marko Strukelj
d26f2b44bd KEYCLOAK-4496 Strange truncation of Client information when creating a new client
- Added polyfill from https://github.com/tbosch/autofill-event
2017-03-28 18:06:17 +02:00
Bill Burke
f554fd90db Merge pull request #3911 from almighty/oso_provider
[KEYCLOAK-4528] Adds Openshift Identity Provider as part of social brokers
2017-03-25 19:25:44 -04:00
Stian Thorgersen
7968394537 KEYCLOAK-4654 Disable unsupported LDAP vendors in product profile 2017-03-24 13:44:33 +01:00
Nekrasov Aleksander
d0b3cb32f0 KEYCLOAK-4502 Update Russian translation 2017-03-24 18:22:25 +07:00
Stian Thorgersen
90c4de27e5 KEYCLOAK-3251 Add product Maven profile
KEYCLOAK-3254 Product profile should include RH-SSO theme and change default theme
2017-03-24 07:10:11 +01:00
Bartosz Majsak
210143738e Merge branch 'master' into oso_provider 2017-03-23 13:45:07 +01:00
Pedro Igor
deae380941 Merge pull request #3964 from pedroigor/KEYCLOAK-4587
[KEYCLOAK-4587] - Missing breadcrumb
2017-03-22 13:55:50 -03:00
Marek Posolda
975dfe9489 Merge pull request #3167 from brat000012001/master
X509 Certificate user authentication
2017-03-22 08:26:26 +01:00
Thomas Darimont
05a8fffdbf KEYCLOAK-4614 Fix linkOnly tooltip reference 2017-03-22 00:07:40 +01:00
Pedro Igor
c517565cc5 [KEYCLOAK-4587] - Missing breadcrumb 2017-03-21 16:55:21 -03:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
Stian Thorgersen
feeac69197 Merge pull request #3888 from daklassen/KEYCLOAK-4421
KEYCLOAK-4421 Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-15 09:54:21 +01:00
Thomas Darimont
b782892769 KEYCLOAK-4163 Improve support for e-mail addresses
Added support for user friendly email addresses as well as dedicated
reply-to addresses for emails being sent by Keycloak.
Both can be customized via the email settings per realm in
the admin-console.
User friendly email addresses use the format:
"Friendly Name"<email@example.org> and provide way to add a meaning
full name to an e-mail address.

We also allow to specify an optional envelope from bounce address.
If a mail sent to a user could not be delivered the email-provider
will sent a notification to that address.

See: https://en.wikipedia.org/wiki/Bounce_address

Add test for proper email headers in sent messages
2017-03-14 18:22:54 +01:00
Bill Burke
6d51862057 Merge pull request #3897 from anderius/feature/KEYCLOAK-4504-redirect-logout
[WIP] Saml broker: Option to specify logout request binding
2017-03-14 11:32:26 -04:00
David Klassen
32d3f760ec KEYCLOAK-4421: Change http url to https
Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-14 10:18:40 +01:00
Stian Thorgersen
99581748e0 Merge pull request #3921 from gmarziou/fix-french-plural
KEYCLOAK-4561 Fix plural error in French translation
2017-03-14 09:32:37 +01:00
Stian Thorgersen
f0ae34d1ad Merge pull request #3885 from sk8ter/master
add Swedish translation for account, email, login
2017-03-14 09:31:36 +01:00
Stan Silvert
e6df617cfc KEYCLOAK-4535: Needless heading while adding or editing a Role 2017-03-13 21:03:05 -04:00
Pedro Igor
45caea4dbd [KEYCLOAK-4549] - Scope Permission Form is not showing saved resource 2017-03-10 17:32:55 -03:00
Bill Burke
b618dbd97f Merge pull request #3926 from mrpardijs/KEYCLOAK-4360-Add-SAML-OneTimeUse-Condition
KEYCLOAK-4360: Add OneTimeUse condition to SAMLResponse
2017-03-09 19:09:02 -05:00
Gaël MARZIOU
46c6db1739 Update URL for FreeOTP
It was poniting to obsolete location: https://fedorahosted.org/freeotp/

Now pointing to: https://freeotp.github.io/
2017-03-09 16:20:28 +01:00
Mark Pardijs
c78c0b73d3 KEYCLOAK-4360: Add OneTimeUse condition to SAMLResponse
Add OneTimeUse Condition to SAMLResponse when configured in client settings
2017-03-09 13:01:05 +01:00
Gael MARZIOU
0fc4cd134f Fix plural error in French translation 2017-03-08 18:47:06 +01:00
Bill Burke
c6dc59f63e Merge remote-tracking branch 'upstream/master' 2017-03-03 11:00:32 -05:00
Bill Burke
3bb29e033b KEYCLOAK-4501, KEYCLOAK-4511, KEYCLOAK-4513 2017-03-03 09:48:52 -05:00
Bartosz Majsak
669b0143af Adds tooltip for URL and en translation 2017-03-02 20:24:52 +01:00
Bartosz Majsak
1a6bb2fedb Adds Openshift Identity Provider as part of social brokers 2017-03-02 15:14:57 +01:00
Quentin Caillard
75851ee0b3 administrator Spelling mistake 2017-03-01 12:32:55 +01:00
Marek Posolda
b54d7c37b6 Merge pull request #3890 from daklassen/KEYCLOAK-2994
KEYCLOAK-2994: Revise german translations
2017-03-01 12:22:44 +01:00
Anders Båtstrand
8d82390843 KEYCLOAK-4504 New configuration option for SAML Broker:
* postBindingLogout: Indicates if POST or redirect should be used for the logout requests.

This applies to both IdP-initiated logout, and Keycloak-initiated logout. If unset (for example when upgrading Keycloak), the setting is initially set to the same as postBindingResponse.

The flag is also set when importing IdP metadata.
2017-02-28 12:08:22 +01:00
Anders Båtstrand
89c6cda2ac Two new configuration options for the Saml broker:
* wantAssertionsSigned: This will toggle the flag in the SP Metadata Descriptor, and validate the signature if and only if "Validate signature" is selected.
 * wantAssertionsEncrypted: This will simply require that the assertion is encrypted.

 Default behavior is unchanged. The signature validation uses the original XML, and supports therefore an IdP that adds whitespace and line breaks between tags (for example OpenAM).
2017-02-24 15:08:57 +01:00
Mika Andrianarijaona
ceb5a3a04b Update french translation in admin console 2017-02-23 11:04:55 +03:00
David Klassen
999a3f62ac KEYCLOAK-2994: Revise german translations
Corrected a huge amount of typos. Improved some translations.
2017-02-23 08:45:51 +01:00
Viktor Kostov
2cf25b6c57 add Swedish translation for account, email, login 2017-02-22 11:51:30 +01:00
Stan Silvert
4f78312a98 KEYCLOAK-4463: JS warnings caused by ui-ace while manipulating with
mappers
2017-02-21 19:31:25 -05:00
Stan Silvert
3bf9428cc0 KEYCLOAK-4467: Realm name collides with sidebar navigation 2017-02-20 15:43:46 -05:00
Stian Thorgersen
3653d7ed9a Merge pull request #3762 from sldab/hide-providers
KEYCLOAK-4224 Allow hiding identity providers on login page
2017-02-17 12:04:35 +01:00
Stan Silvert
224f93f25d Merge pull request #3782 from cargosoft/master
KEYCLOAK-4270 Custom login protocol doesn't show when creating a client
2017-02-13 07:58:21 -05:00
Bill Burke
75bee51ac1 console remote imported/unlink users 2017-02-09 09:11:48 -05:00
Bill Burke
cf5e2a1d20 unlink/remoteimported 2017-02-08 19:48:22 -05:00
Stian Thorgersen
6f22f88d85 Bump version to 3.0.0.CR1 2017-01-26 06:18:11 +01:00
Stian Thorgersen
07689c9537 KEYCLOAK-4259 Tweak login screen 2017-01-25 08:21:58 +01:00
Stian Thorgersen
cea52a6db9 KEYCLOAK-4259 Add top-margin to container to prevent overlay with logo 2017-01-24 09:35:57 +01:00
Stian Thorgersen
04228791f3 KEYCLOAK-4259 Reverted original padding around logo 2017-01-24 09:27:28 +01:00
Stian Thorgersen
15d0a116ac Merge pull request #3769 from hmlnarik/KEYCLOAK-4167-Unable-to-validate-access-token-for-OIDC-External-IDP-using-configured-public-key
KEYCLOAK-4167 Always use preset key for verification if key ID not set
2017-01-23 13:59:35 +01:00
Dmitry Telegin
5bacd2919d KEYCLOAK-4270 Custom login protocol doesn't show when creating a client 2017-01-21 01:46:34 +03:00
Stan Silvert
f55d18189c KEYCLOAK-4259: Login page rendering broken 2017-01-20 16:07:36 -05:00
Stan Silvert
fe8e437e74 Merge pull request #3768 from ssilvert/otp-scrollbar
KEYCLOAK-3884: Another small tweak.
2017-01-20 14:22:27 -05:00
Stian Thorgersen
536b88790e Merge pull request #3757 from mstruk/KEYCLOAK-4150
KEYCLOAK-4150 Unresolved variable ${cliane_security-admin-console} in admin web client
2017-01-19 13:55:36 +01:00
Pedro Igor
c7f2a0ffdd Merge pull request #3766 from pedroigor/KEYCLOAK-4203
[KEYCLOAK-4203] - Removing references to Drools
2017-01-18 13:31:23 -02:00
Pedro Igor
c19360c6f2 [KEYCLOAK-4203] - Removing references to Drools 2017-01-18 12:44:30 -02:00
Hynek Mlnarik
df4f1e7129 KEYCLOAK-4167 Always use preset key for verification if key ID not set 2017-01-18 10:29:06 +01:00
mposolda
843b4b470b KEYCLOAK-2333 LDAP/MSAD password policies are not used when user changes password 2017-01-17 21:06:09 +01:00
Slawomir Dabek
9bb65ba9b7 KEYCLOAK-4224 Allow hiding identity providers on login page 2017-01-17 14:32:59 +01:00
Stan Silvert
2eeb2f52c5 KEYCLOAK-3884: Another small tweak. 2017-01-16 14:24:44 -05:00
Stan Silvert
23c1f513e7 KEYCLOAK-3953: Remove recalculation of time when units change 2017-01-16 09:55:08 -05:00
Marko Strukelj
d68f6bbc42 KEYCLOAK-4150 Unresolved variable ${cliane_security-admin-console} in admin web client 2017-01-13 17:48:21 +01:00
Stan Silvert
c4cce147e2 Merge pull request #3747 from ssilvert/otp-scrollbar
KEYCLOAK-3884: OTP login page cutoff under weird sizes
2017-01-12 16:37:43 -05:00
Stan Silvert
3a2927e12e KEYCLOAK-3884: OTP login page cutoff under weird sizes 2017-01-12 16:02:04 -05:00
Hynek Mlnarik
e11957ecf3 KEYCLOAK-4167 Make OIDC identity provider key ID configurable 2017-01-11 18:24:22 +01:00
Marek Posolda
227900f288 Merge pull request #3731 from mposolda/master
KEYCLOAK-4175 Provide a way to set the connect and read timeout for l…
2017-01-10 09:49:18 +01:00
Stian Thorgersen
345e0da76d Merge pull request #3733 from stianst/KEYCLOAK-4180
KEYCLOAK-4180 When you turn on authorization for client Clustering ta…
2017-01-10 09:33:04 +01:00
Stian Thorgersen
ab0a669662 KEYCLOAK-4180 When you turn on authorization for client Clustering tab appears without saving 2017-01-10 06:59:40 +01:00
mposolda
c32620b718 KEYCLOAK-4175 Provide a way to set the connect and read timeout for ldap connections 2017-01-09 21:35:58 +01:00
Stian Thorgersen
dd74b57d13 KEYCLOAK-4165 KEYCLOAK-4014 Add missing sources for ace editor and fix loading of ace libs 2017-01-09 14:59:50 +01:00
Bas Dalenoord
42a8a0eb15 KEYCLOAK-4177: Changed URL to FreeOTP homepage; 2017-01-09 10:30:29 +01:00
Pedro Igor
5bc134ea7b Merge pull request #3717 from pedroigor/KEYCLOAK-4164
[KEYCLOAK-4164] - Creating typed resources always result in error
2017-01-06 17:29:47 -02:00
Stian Thorgersen
fb6a8da863 Merge pull request #3713 from stianst/KEYCLOAK-3952
KEYCLOAK-3952
2017-01-06 07:17:27 +01:00
Pedro Igor
72691b2e74 [KEYCLOAK-4164] - Creating typed resources always result in error 2017-01-05 14:32:49 -02:00
Stian Thorgersen
2d1417d72b KEYCLOAK-3952
User Administration: Double step cancel
2017-01-05 08:50:22 +01:00
Stan Silvert
a76c52ef84 KEYCLOAK-4155: User Federation: Page not found when click cancel creating
ldap provider
2017-01-04 14:03:39 -05:00
Stian Thorgersen
8a0859fcba Merge pull request #3700 from stianst/KEYCLOAK-2980
KEYCLOAK-2980 Fix admin query for resource path
2017-01-04 07:01:19 +01:00
Stian Thorgersen
b7c98ed433 KEYCLOAK-2980 Fix admin query for resource path 2017-01-03 10:34:21 +01:00
Stian Thorgersen
902332c5ae Merge pull request #3696 from stianst/KEYCLOAK-4038
KEYCLOAK-4038 Get bind credential from component if stored
2017-01-02 15:44:59 +01:00
Stian Thorgersen
08d7211a93 KEYCLOAK-4038 Get bind credential from component if stored 2017-01-02 14:40:12 +01:00
Stian Thorgersen
e805ffd945 Bump version to 2.5.1.Final-SNAPSHOT 2016-12-22 08:22:18 +01:00
Pedro Igor
df7a68b709 [KEYCLOAK-4125] - Fixing when running in a cluster 2016-12-21 20:04:08 -02:00
Stian Thorgersen
e262f8fb63 KEYCLOAK-4120
Authz doesn't show in menu for clients
2016-12-20 14:46:56 +01:00
Stian Thorgersen
d365d9d784 Merge pull request #3649 from sldab/bearer-client-credentials
KEYCLOAK-4086 Client credentials missing in bearer-only JSON config
2016-12-20 12:32:03 +01:00
Stian Thorgersen
f6323d94ec Merge pull request #3676 from stianst/KEYCLOAK-4109
KEYCLOAK-4109 Ability to disable impersonation
2016-12-20 09:35:03 +01:00
Stian Thorgersen
eb7ad07e31 KEYCLOAK-4109 Ability to disable impersonation 2016-12-20 08:46:21 +01:00
Pedro Igor
40591cff25 Merge pull request #3662 from pedroigor/KEYCLOAK-4034
[KEYCLOAK-4034] - Improvements to UI, performance and some code cleanup
2016-12-19 16:49:10 -02:00
Pedro Igor
5cf5168770 [KEYCLOAK-4034] - Improvements to UI, performance and some code cleanup 2016-12-19 16:48:16 -02:00
Slawomir Dabek
16fb1e2078 KEYCLOAK-4086 Client credentials missing in bearer-only Keycloak OIDC JSON 2016-12-19 16:55:19 +01:00
Marek Posolda
c6363aa146 Merge pull request #3630 from sldab/duplicate-email-support
KEYCLOAK-4059 Support for duplicate emails
2016-12-19 15:37:18 +01:00