Commit graph

514 commits

Author SHA1 Message Date
Stan Silvert
e2970fcf8a KEYCLOAK-4396: Add keycloak.d.ts for TypeScript 2017-03-20 12:42:26 -04:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switches to enable/disable revocation checking; reworked the certificate validation; removed superfluous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions on how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formatting of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superfluous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to use CRL distribution point validation only if configured

CRL and OCSP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed superfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simpler for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authentication integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds an OCSP stub responder needed for the integration tests,
and eliminates the need to run an external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrace with logging

This commit replaces the call to printStackTrace, which would end up going to
stderr, with a logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions on how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
Gabriel Lavoie
fb507048f5 KEYCLOAK-4563: Large user account ID and group ID may break distribution builds.
- Maven documentation recommends using POSIX tar format.
2017-03-13 13:28:51 -04:00
Bill Burke
0ff4223184 Merge pull request #3922 from hmlnarik/KEYCLOAK-4288-SAML-logouts-are-not-invalidating-the-sessions-for-all-the-logged-in-applications
KEYCLOAK-4288 Invalidate sessions in cluster for SAML logouts
2017-03-09 19:13:37 -05:00
Rene Ploetz
e770a05db0 KEYCLOAK-4537 Jetty 9.4 implementation (OIDC/SAML) 2017-03-06 23:01:24 +01:00
Stan Silvert
794defe6fc KEYCLOAK-4514: Update migration scripts according to changes to the
subsystem
2017-03-01 13:53:40 -05:00
Hynek Mlnarik
3a0c2be885 KEYCLOAK-4288 AS 7 / EAP 6 2017-03-01 15:17:39 +01:00
Hynek Mlnarik
04da679628 KEYCLOAK-4288 Wildfly 2017-03-01 15:17:39 +01:00
Stian Thorgersen
2a7f595d1c KEYCLOAK-4483
Overlay standalone differs from dist standalone
2017-02-22 19:44:01 +01:00
Stian Thorgersen
49ac3587b6 KEYCLOAK-4384 Remove Mongo support 2017-02-15 15:20:58 +01:00
Stian Thorgersen
ceece3dce4 Merge pull request #3847 from stianst/KEYCLOAK-4008-CHECKSUMS
KEYCLOAK-4008 Include checksums in download files
2017-02-08 20:05:39 +01:00
Stian Thorgersen
3de77b7be9 KEYCLOAK-4008 Include checksums in download files 2017-02-08 14:51:36 +01:00
Pedro Igor
27c0f783bc [KEYCLOAK-4373] - Adapter Feature Pack is missing keycloak-authz-client 2017-02-07 08:43:53 -02:00
Stan Silvert
a7c3d1b8df KEYCLOAK-4262 Split migration-domain script into two separate scripts 2017-02-01 14:23:20 -05:00
Stian Thorgersen
6f22f88d85 Bump version to 3.0.0.CR1 2017-01-26 06:18:11 +01:00
Stian Thorgersen
9f33685785 KEYCLOAK-4252 Update server-overlay assembly 2017-01-18 12:29:39 +01:00
Stan Silvert
fe294dcb58 KEYCLOAK-4101: Fix pom 2017-01-10 07:37:40 -05:00
Stan Silvert
8441bda3da KEYCLOAK-4101: Move tests under testsuite. Only run under
-Pauth-server-wildfly
2017-01-10 07:30:58 -05:00
Stan Silvert
9e697d033f KEYCLOAK-4101: Use the same undocumented tags for server-args. Only
documented in the examples.
2017-01-09 18:15:37 -05:00
Stan Silvert
2ec3eaf68a KEYCLOAK-4101: Use undocumented method to specify java-opts 2017-01-09 18:15:34 -05:00
Stan Silvert
e047872c25 KEYCLOAK-4101: Bump version on pom 2017-01-09 18:15:31 -05:00
Stan Silvert
f1173f8022 KEYCLOAK-4101: Try setting javaOpts on each individual execution. 2017-01-09 18:15:28 -05:00
Stan Silvert
420286c103 KEYCLOAK-4101: jboss-cli script to do migration of configuration 2017-01-09 18:15:26 -05:00
Stan Silvert
eb1b011989 KEYCLOAK-4123: keycloak-install.cli fails if not run from bin dir 2017-01-05 21:25:41 -05:00
Stian Thorgersen
e805ffd945 Bump version to 2.5.1.Final-SNAPSHOT 2016-12-22 08:22:18 +01:00
Gabriel Lavoie
32c23c2410 KEYCLOAK-4002: realmRevisions cache too small with high number of realms.
- Increased the hardcoded default value to help running master with high number of realms.
- Added a value computation based on the realms cache max size (to match the userRevisions cache configuration pattern).
- Computed revisions cache size is now 2 times the configured maximum cache size.
- Added a maximum realms cache size configuration to the different standalone.xml templates.
- Added a missing users cache size configuration to standalone.xsl.
2016-12-05 08:07:24 -05:00
Stian Thorgersen
b771b84f56 Bump to 2.5.0.Final-SNAPSHOT 2016-11-30 15:44:51 +01:00
mposolda
b640e9fe39 KEYCLOAK-3982 keycloak-jboss-adapter-core module.xml unsynced among Wildfly OIDC and SAML adapter ZIPs 2016-11-25 11:04:24 +01:00
Stian Thorgersen
6ec82865d3 Bump version to 2.4.1.Final-SNAPSHOT 2016-11-22 14:56:21 +01:00
Marek Posolda
60afd280c3 Merge pull request #3512 from abstractj/KEYCLOAK-3918
[KEYCLOAK-3918] - Server won't boot on Windows
2016-11-18 08:44:37 +01:00
Bruno Oliveira
5c089e45d4 [KEYCLOAK-3918] - Server won't boot on Windows 2016-11-16 19:37:48 -02:00
mposolda
a27be0cee7 KEYCLOAK-3857 Clustered invalidation cache fixes and refactoring. Support for cross-DC for invalidation caches. 2016-11-16 22:29:23 +01:00
Stian Thorgersen
cf17687b8b Merge pull request #3506 from abstractj/KEYCLOAK-3913
[KEYCLOAK-3913] - Native libraries included within SSSD jar
2016-11-16 14:56:53 +01:00
Bruno Oliveira
8a0cb507c5 [KEYCLOAK-3913] - Native libraries included within SSSD jar
- Revert "[KEYCLOAK-3580] - Migrate DBus Java from Unix Socket C library to jnr-unixsocket"
  This reverts commit 6c5d1b9214.
- Use JNA RPM, instead of Maven
2016-11-16 09:14:05 -02:00
Pedro Igor
394a9daa64 [KEYCLOAK-3906] - Update IP-BOM 6.0.10.Final 2016-11-15 01:03:35 +00:00
Pedro Igor
a3beef754c [KEYCLOAK-3339] - Enable authorization services to EAP6 adapter 2016-11-15 00:26:29 +00:00
Stian Thorgersen
7e33f4a7d1 KEYCLOAK-3882 Split server-spi into server-spi and server-spi-private 2016-11-10 13:28:42 +01:00
Hynek Mlnarik
14f96fdb4b KEYCLOAK-1881 Wildfly, AS7, EAP Adapters 2016-11-04 21:53:43 +01:00
Stian Thorgersen
bb1d255c40 KEYCLOAK-3726
Add supported WildFly version to server overlay
2016-10-28 09:43:51 +02:00
Stian Thorgersen
c615674cbb Bump version 2016-10-21 07:03:15 +02:00
Stian Thorgersen
14a51e589d Merge pull request #3325 from mstruk/cli-reg
KEYCLOAK-2084 Client Registration CLI
2016-10-19 06:33:45 +02:00
Marko Strukelj
c912f941e7 KEYCLOAK-2084 Client Registration CLI 2016-10-18 12:33:02 +02:00
Vlasta Ramik
041413d8de KEYCLOAK-3619 Update default datasource definition to non-XA 2016-10-18 12:12:41 +02:00
Stian Thorgersen
f62e66681e Merge branch 'KEYCLOAK-3628' of https://github.com/pedroigor/keycloak 2016-10-17 19:47:05 +02:00
Stian Thorgersen
144898c0d2 Merge pull request #3262 from vramik/KEYCLOAK-3615
KEYCLOAK-3615 Resolve warnings while building the effective model
2016-10-17 19:09:30 +02:00
Pedro Igor
5d836fefc5 [KEYCLOAK-3628] - Using JBPM/BRMS BOM to resolve dependencies versions 2016-10-17 12:05:44 -02:00
Stian Thorgersen
160e26b699 KEYCLOAK-3665 Remove theme module and make built-in theme resources read-only 2016-10-17 13:47:55 +02:00
Pedro Igor
2b589186ed [KEYCLOAK-3628] - Splitting org.drools module 2016-10-10 13:21:51 +02:00
Bill Burke
4af0976194 remove UserCredValueModel and hold hash providers 2016-10-04 12:34:15 -04:00
mposolda
81e773688f KEYCLOAK-3644 demo-dist broken due to broken datasource element in standalone.xml 2016-10-03 17:42:20 +02:00
mposolda
f9a0abcfc4 KEYCLOAK-3493 KEYCLOAK-3532 Added KeyStorageProvider. Support key rotation for OIDC clients and identity providers with JWKS url. 2016-09-30 21:28:23 +02:00
Bill Burke
ecc104719d bump pom version 2016-09-26 11:01:18 -04:00
Vlasta Ramik
103fa975a1 Resolve warnings while building the effective model 2016-09-26 12:34:46 +02:00
Stian Thorgersen
bb7080584d KEYCLOAK-3612
Mark keycloak-authz-policy-common and keycloak-authz-policy-drools modules as private
2016-09-26 09:07:54 +02:00
Bill Burke
ff1326fe35 authenticator example updated 2016-09-23 16:50:08 -04:00
Stian Thorgersen
80cc9b0585 KEYCLOAK-3578 Remove source distribution 2016-09-19 10:32:40 +02:00
Bill Burke
04ee5ca7c1 jta=false for demo-dist 2016-09-08 09:42:05 -04:00
Bill Burke
3b9a6b32e1 Revert "Revert "KEYCLOAK-3440""
This reverts commit 01e48dc4b8.
2016-09-07 23:41:32 -04:00
Bill Burke
01e48dc4b8 Revert "KEYCLOAK-3440" 2016-09-07 23:17:35 -04:00
Bill Burke
3f35234cf5 Merge remote-tracking branch 'upstream/master' 2016-09-07 23:11:38 -04:00
Bill Burke
da135389c7 KEYCLOAK-3440 2016-09-07 23:11:28 -04:00
Bruno Oliveira
1b2a5eda32 Initial FreeIPA Integration
- Provide username/password authentication with PAM
- Obtain user data from SSSD
- Feature packs for dbus-java, libpam4j and SSSD API
- Provisioning script
2016-09-06 18:04:43 -03:00
mposolda
fbb2dfcf59 Fuse adapter ZIP download 2016-09-06 10:46:36 +02:00
mposolda
e18f3edbcd KEYCLOAK-3526 Fuse adapter ZIP fix 2016-09-06 07:14:01 +02:00
Marek Posolda
6ede760725 Merge pull request #3083 from martin-kanis/master
Package Fuse adapter as overlay zip
2016-09-06 05:44:27 +02:00
Stan Silvert
e4d97485ec KEYCLOAK-3196: Create master cli script for server-subsystem. 2016-08-23 11:27:04 -04:00
Stan Silvert
ef442cae92 KEYCLOAK-3196: Create single place to declare default keycloak subsystem
config.
2016-08-23 11:26:58 -04:00
Stan Silvert
3493aa4ab7 KEYCLOAK-3196: Use WildFly management model for server configuration. 2016-08-23 11:26:56 -04:00
Stian Thorgersen
c522a20ab9 KEYCLOAK-3447 Manual upgrade of database schema 2016-08-22 10:22:08 +02:00
Pedro Igor
a8d2b810cf [KEYCLOAK-3144] - Add authorization settings when exporting/importing a realm. 2016-08-15 10:35:28 -03:00
Pedro Igor
bfe10e34e7 [KEYCLOAK-3390] - Updating authorization objects doesn't invalidate cache in cluster 2016-08-12 11:15:13 -03:00
mposolda
d52e043322 Set version to 2.2.0-SNAPSHOT 2016-08-10 08:57:18 +02:00
Bill Burke
83306963e8 jta transaction abstraction 2016-08-08 12:32:36 -04:00
Bill Burke
33d7d89ad9 provider hot deployment 2016-08-07 11:41:52 -04:00
mposolda
bf3541414c KEYCLOAK-3393 Fix Keycloak on EAP7 overlay 2016-08-03 13:01:44 +02:00
Martin Kanis
8ad3c3fb03 Package Fuse adapter as overlay zip 2016-07-29 11:16:05 +02:00
Pedro Igor
f36a68308d [KEYCLOAK-3320] - Enable authorization services to WF8 adapter 2016-07-20 08:16:37 -03:00
Stian Thorgersen
b1ae0a9000 Merge pull request #3003 from iconoeugen/fix/update_server_spi_module_deps_for_script_based
KEYCLOAK-3285: Update server-spi module to include deps required by script based flow executor
2016-07-15 13:27:28 +02:00
Bill Burke
bd2887aa77 Merge pull request #2982 from ahus1/jetty_9_3
KEYCLOAK-2684: jetty 9.3 implementation (oidc/saml)
2016-07-07 14:59:29 -04:00
Horatiu Eugen Vlad
bd124d5f9b Update server-spi module deps to include dependencies required by script based flow executor. 2016-07-06 18:00:46 +02:00
Stian Thorgersen
3fc215d041 KEYCLOAK-3202 Creating users causes memory leak 2016-07-05 19:54:55 +02:00
Alexander Schwartz
9384aa1398 KEYCLOAK-2684: jetty 9.3 implementation 2016-07-01 12:26:59 +02:00
Bill Burke
b224917fc5 bump version 2016-06-30 17:17:53 -04:00
mposolda
1a4d03e283 KEYCLOAK-3194 Fix fuse adapter. Remove karaf related steps from README 2016-06-27 15:43:23 +02:00
Stian Thorgersen
107830bd2c KEYCLOAK-3093 Remove documentation from main repository 2016-06-22 13:40:21 +02:00
Pedro Igor
d5167c1632 [KEYCLOAK-3134] - Remove 'org.keycloak.keycloak-authz-server' module 2016-06-20 11:54:32 -03:00
Pedro Igor
6a1fb8f870 [KEYCLOAK-3132] - Single module for common policy providers 2016-06-17 20:38:03 -03:00
Pedro Igor
086c29112a [KEYCLOAK-2753] - Fine-grained Authorization Services 2016-06-17 02:07:34 -03:00
Stian Thorgersen
087f84bfff Merge pull request #2901 from mposolda/master
KEYCLOAK-3065 Remove 'provider' from realmCache in keycloak-server.js…
2016-06-02 14:58:16 +02:00
Pedro Igor
0ad86b3a53 [KEYCLOAK-3069] - Adding javax.xml.soap.api dependency 2016-06-01 16:57:06 -03:00
mposolda
fd2fc34386 KEYCLOAK-3065 Remove 'provider' from realmCache in keycloak-server.json to have 'enabled' switch working 2016-06-01 17:25:51 +02:00
Paolo Antinori
d35f8c1905 KEYCLOAK-2805 - Update docs for JBoss Fuse 6.3 2016-05-05 15:22:14 +02:00
Paolo Antinori
f5f36545f3 KEYCLOAK-2805 - Support for JBoss Fuse 6.3
Upgrade of CXF, Jetty and Pax-Web required to rewrite part of the integration.
2016-05-05 15:21:51 +02:00
Bill Burke
43e88b4d73 Merge pull request #2755 from patriot1burke/master
add bind addresses to domain template
2016-04-27 22:09:07 -04:00
Bill Burke
c52da46e54 add bind addresses to domain template 2016-04-27 22:05:01 -04:00
Bill Burke
15f4c764bc Merge pull request #2752 from patriot1burke/master
KEYCLOAK-2922 KEYCLOAK-2920
2016-04-27 11:37:20 -04:00
Bill Burke
cd8ba1653d KEYCLOAK-2922 KEYCLOAK-2920 2016-04-27 10:36:36 -04:00
Stian Thorgersen
8d9047c338 KEYCLOAK-2927 Rename add-user script to add-user-keycloak 2016-04-27 16:18:42 +02:00
Stian Thorgersen
0008d50dfa KEYCLOAK-2827 ModuleLoadError: org.keycloak.keycloak-core-public:main 2016-04-14 15:23:21 +02:00