Commit graph

4873 commits

Author SHA1 Message Date
Stian Thorgersen
76307872f6
Update bootstrap admin client to use lightweight access token, and disable standard flow (#33014)
Closes #33010, closes #33011

Signed-off-by: stianst <stianst@gmail.com>
2024-09-17 12:23:19 +00:00
rmartinc
5fe916861d Return 404 on invalid theme type
Closes #32798

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-17 09:09:34 +02:00
Giuseppe Graziano
e6c5ee31e4 Admin API with Lightweight access token and transient session
Closes #32802

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-09-16 09:30:15 +02:00
Nate Drake
75973157aa
Fix a few typos (#32929)
Signed-off-by: Nate Drake <ndrake@gmail.com>
2024-09-15 10:12:26 +00:00
Pedro Ruivo
f67bec0417 Rename remote-cache Feature
Renamed to "clusterless"

Closes #32596

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-09-13 13:03:13 +02:00
Stian Thorgersen
40049f31fa
Remove ProxyClassLoader and PlatformProvider returning script classloader (#32806)
Closes #32804

Signed-off-by: stianst <stianst@gmail.com>
2024-09-11 17:11:26 +02:00
rmartinc
b60621d819 Allow brute force to have http request/response and send emails
Closes #29542

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-11 08:35:03 +02:00
cgeorgilakis-grnet
f8b1b3ee03 Search Identity Providers by alias or display name
Closes #32588

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-09-10 21:52:59 +02:00
Thomas Darimont
6b83a45b2e
Propagate locale when using app initiated registration URL
Fixes #13505

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-10 12:25:17 +02:00
Garth
7988f026e0 Add a PasswordPoliciesBean to the FreeMarker context.
Closes #32553

Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
2024-09-10 12:19:53 +02:00
Alexander Schwartz
b88ecc0237
Removing the extra two-minute Window for persistent user sessions (#32660)
Closes #28418

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-09-09 09:28:48 +02:00
Steven Hawkins
58d742bb5c
fix: refining v2 hostname validation (#32659)
closes: #32643

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-09-06 17:49:25 +02:00
Thomas Darimont
211224f613
Use correct error value in Token Exchange error responses
The Token Exchange [RFC8693 Section-2.2.2](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2) requires
that the error code for invalid requests is `invalid_request`.
Previously, Keycloak used `invalid_token` as the error code.

Fixes #31547

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-05 18:35:36 +02:00
keshavprashantdeshpande
9f5f8e017e
Improve message for failing partial import of realm (#32667)
Closes #28017
Signed-off-by: Keshav Deshpande <keshavprashantdeshpande@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-05 15:12:37 +02:00
mposolda
866101e72e Optimize LogoutEndpoint.backchannelLogout endpoint
closes #32683

Signed-off-by: mposolda <mposolda@gmail.com>
2024-09-05 13:49:31 +02:00
Thomas Darimont
693a63b532
Handle ClientData parsing errors in SessionCodeChecks gracefully
- Move ClientData parsing out of SessionCodeChecks ctor
- Respond with a bad request if invalid client data is presented

Closes #32515

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-05 10:50:27 +02:00
Giuseppe Graziano
a14548a7a2
Lightweight access tokens for Admin REST API (#32347)
* Lightweight access tokens for Admin REST API

Closes #31513


Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-09-04 18:04:23 +02:00
cgeorgilakis-grnet
e6b271895e Make update IdentityProvider admin REST API more efficient
Closes #32388

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-09-04 11:49:32 -03:00
Alexander Schwartz
0e1a7c6f8e Add information about token expiry to events
Closes #28311

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-04 14:44:51 +02:00
Stefan Guilhen
e7a4635620 Filter out org brokers from the account console
- org-linked brokers should not be available for login
- prepare the endpoint for search/pagination

Closes #31944

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-04 09:00:52 -03:00
Alexander Schwartz
4d1e1e0bcb
Show details for error messages where they were missing (#32534)
Closes #32533

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-09-04 07:23:54 -04:00
Theresa Henze
a1c23fef8c introduce event types to update/remove credentials
Closes #10114

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-09-03 18:27:27 +02:00
Pedro Igor
079242c398 Binding brokering OIDC user sessions with the issuer of the ID Token to avoid looking up sessions by iterating over all brokers in a realm
Closes #32091

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-09-03 17:51:20 +02:00
Thomas Darimont
88a5c96fff
Add kc_action to redirect URI after a required action is cancelled (#31925)
Closes #31894

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-03 14:26:23 +00:00
mposolda
dad4477995 Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17
closes #32586

Signed-off-by: mposolda <mposolda@gmail.com>
2024-09-03 15:58:57 +02:00
Alexander Schwartz
5bd3da657b Cache regex patterns in frequently used production code
Closes #32428

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-02 08:57:03 -03:00
Jon Koops
2d17024b14
Remove redirect_uri support from OIDC logout endpoint
Closes #10983

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2024-08-30 12:52:49 +00:00
Martin Kanis
e7d71d43c3 Identity Provider secret visible in Organization tab (API request)
Closes #32486

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-30 09:26:25 -03:00
Douglas Palmer
ecbd856176 Brute force protection: Lockout permanently uses parameters configured under lockout temporarily
Closes #30969

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-08-29 16:30:22 +02:00
Martin Kanis
7e6dd682d4 Validate organization alias for forbidden chars
Closes #32392

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-28 21:59:38 +02:00
Pedro Igor
449557290b More options to organization scope mapper including adding organization attributes to tokens
Closes #31642

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-27 09:40:55 -03:00
Stefan Guilhen
88cca10472 Rename IDPSpi to IdentityProviderStorageSpi
Closes #31639

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-26 15:10:09 -03:00
Erik Jan de Wit
776a491989
added organizations table to account (#32311)
* added organizations table to account

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-22 15:44:03 -03:00
Vlasta Ramik
d63c0fbd13
Decouple Identity provider mappers from RealmModel (#32251)
* Decouple Identity provider mappers from RealmModel

Closes #31731

Signed-off-by: vramik <vramik@redhat.com>
2024-08-22 12:05:19 -03:00
Steven Hawkins
d9a92f5de3
fix: expose bootstrap-admin-* options (#32241)
* fix: expose bootstrap-admin-* options

closes: #32176

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update quarkus/config-api/src/main/java/org/keycloak/config/BootstrapAdminOptions.java

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-08-21 15:52:38 +02:00
Peter Zaoral
6ab3b98743
Temporary admin account notice logged to org.keycloak.events (#32307)
* removed the temporary admin accounts logging from JBossLoggingEventListenerProvider

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2024-08-21 13:31:57 +00:00
Pedro Igor
c1f6d5ca64 Support for selecting an organization when requesting the organization scope
Closes #31438

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-21 13:04:58 +02:00
Stefan Guilhen
585d179fe0 Ensure identity providers returned to the org IDP selection are IDPs not associated with any orgs.
Closes #32238

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-21 07:49:01 -03:00
Peter Zaoral
1b5fe5437a
Warnings for temporary admin user and service account (#31387)
* UI banner, labels and log messages are shown when temporary admin account is used
* added UI tests that check the elements' presence

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
2024-08-21 09:30:24 +02:00
Pedro Ruivo
4675a4eda9 Deprecate UserSessionCrossDCManager
Fixes #31878

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-08-21 08:52:39 +02:00
Pedro Igor
e3c0b918bd Returning a full representation when querying organizations
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-20 11:11:14 -03:00
Pedro Igor
4376a3c757 Add an endpoint to the organizations endpoint to return the organizations for a given user
Closes #32158

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-20 11:11:14 -03:00
Pedro Igor
eeae50fb43 Make sure federationLink always map to the storage provider associated with federated users
Closes #31670

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-20 11:27:22 +02:00
Stefan Guilhen
fa7c2b5da6 Address review comments
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-19 09:06:35 -03:00
Stefan Guilhen
f82159cf65 Rework logic to fetch IDPs for the login page so that IDPs are fetched from the provider and not filtered in code.
Closes #32090

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-19 09:06:35 -03:00
Pedro Igor
8e0436715c Support for ALL and ANY organization scope values
Related #31438

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-19 08:45:23 -03:00
mposolda
3d787727f9 Add acr scope to all clients for those migrating from older than Keycloak 18
closes #31107

Signed-off-by: mposolda <mposolda@gmail.com>
2024-08-16 12:17:43 +02:00
Václav Muzikář
cb418b0bfc
Upgrade to Quarkus 3.13.2 (#31678)
* Upgrade to Quarkus 3.13.2

Closes #31676

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-08-16 11:41:34 +02:00
himanshi1099
7459992e40
Realm update validation for incorrect timeout values (#32137)
closes #31595

Signed-off-by: Himanshi Gupta <higupta@redhat.com>
2024-08-16 08:58:27 +02:00
Alexander Schwartz
80d235fffb
Handle non-existing client gracefully (#32151)
Closes #32150

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-08-15 16:08:40 +02:00
Stefan Guilhen
aeb1951aba Replace calls to deprecated RealmModel IDP methods
- use the new provider instead

Closes #31254

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-08-15 10:55:36 -03:00
Pedro Igor
96acc62c00 Support for resolving organization based on the organization scope
Closes #31438

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-15 10:32:15 -03:00
Stian Thorgersen
310824cc2b
Remove legacy cookies
Closes #16770

Signed-off-by: stianst <stianst@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-08-15 15:27:38 +02:00
Martin Kanis
708a6898db Add a count method to the OrganizationMembersResource
Closes #31388

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-15 09:12:57 -03:00
Yoshiyuki Tabata
cb6eb187ac Client Policy - Condition : Client - Client Attribute
Closes https://github.com/keycloak/keycloak/issues/31766

Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2024-08-14 09:56:56 +02:00
kaustubh-rh
cf8905efe8
Fix for Client secret is visable in Admin event representation when Credentials Reset action performed for the Client. (#32067)
* Stripping secrets for the credential representation

Signed-off-by: kaustubh B <kbawanka@redhat.com>
2024-08-12 13:47:41 -03:00
Steven Hawkins
b72ddbcc45
fix: add a warning log if a deprecated admin env variable is used (#32038)
closes: #31491

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-08-12 08:54:30 +02:00
rmartinc
347f595913 Add ECDH-ES encyption algorithms to the java keystore key provider
Closes #32023

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-09 15:57:51 +02:00
Martin Kanis
da0864682a Conditionally redirect existing users to a broker based on their credentials
Closes #31006

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-08-09 07:59:25 -03:00
rmartinc
2a06e1a6db Add SHAKE256 hash provider for Ed448
Closes #31931

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-08 17:36:54 +02:00
Justin Tay
966a454548
Add ECDH-ES JWE Algorithm Provider, Add generated ECDH key provider (#23928)
Closes #23596
Closes #23597

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-08-08 17:29:35 +02:00
Steven Hawkins
7ce6f12fe3
fix: adds a check for duplicate users/clients to simplify cmd errors (#31583)
also changes temp-admin-service to temp-admin

closes: #31160

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-08-08 08:20:33 -04:00
Pedro Igor
3ab2446074 Do not return identity providers when querying the realm representation
Closes #21072

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-07 10:06:51 -03:00
rmartinc
acbbfde4ab Adding upgrading notes for brute force changes
Closes #31960

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-07 14:38:30 +02:00
Pascal Knüppel
f3341390f4
Issuer id must be a URL according to specification (#30961)
fixes #30960

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
2024-08-07 14:35:58 +02:00
Giuseppe Graziano
35c8c09b8d OIDC dynamic client registration with response_type=none
Closes #19564

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-08-07 10:34:47 +02:00
rmartinc
8a09905e5c Remove the attempt in brute force when the off-thread finishes
Closes #31881

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-06 15:30:49 -03:00
Michal Hajas
50c07c6e7c
Simplify configuration for MULTI_SITE
Closes #31807

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-08-06 16:14:33 +00:00
Stefan Wiedemann
6258256c1b
Fix access token issue OID4VC (#31763)
closes #31712 

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-08-04 11:42:40 +02:00
Ingrid Kamga
7c69c857a1 Add a media type to error responses on OID4VC endpoints
Closes #31585

Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
2024-08-02 12:09:09 +02:00
Justin Tay
f537343545 Allow empty key use in JWKS from identity provider
Closes #31823

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-08-02 11:39:43 +02:00
rmartinc
773e309f75 Parse saml urls correctly if the bindings are different
Closes #31780

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-02 11:34:06 +02:00
Thomas Darimont
282260dc95 Ensure issued_client_type is always added to successful token-exchange response (#31548)
- Compute issued_token_type response parameter based on requested_token_type and client configuration
- `issued_token_type` is a required response parameter as per [RFC8693 2.2.1](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1)
- Added test to ClientTokenExchangeTest that requests an access-token as requested-token-type

Fixes #31548

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-07-30 18:33:51 +02:00
Alexander Schwartz
11b19bc272
For persistent sessions, don't remove user session if there is no session in the remote store (#31756)
Closes #31115

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-07-30 17:57:09 +02:00
Pedro Igor
a79761a447 Support for blocking concurrent requests when brute force is enabled
Closes #31726

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2024-07-30 10:01:48 +02:00
Martin Kanis
d91d6d18d5 Can not update organization group error when trying to create organisation from REST API
Closes #31144

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-07-29 17:39:56 +02:00
Pascal Knüppel
94784182df
Implement DPoP for all grantTypes (#29967)
fixes #30179
fixes #30181


Signed-off-by: Pascal Knüppel <captain.p.goldfish@gmx.de>
Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-07-29 16:30:54 +02:00
Stefan Guilhen
f45529de8c Deprecate IDP related methods in RealmModel
- delegate to the new provider

Closes #31253

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-07-29 16:02:26 +02:00
Stefan Guilhen
c16e88bcee Make the IDPProvider via session.identityProviders()
Closes #31252

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-07-29 16:02:26 +02:00
Alexander Schwartz
6d404b86c9 Trigger clearing the user cache when the duplicate email allowed flag changes
Closes #31045

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-07-29 10:37:42 +02:00
Francis Pouatcha
cc78fd7ca0
Provided keycloak with a protocol mapper, that can allow to optionally add iat and nbf claims to VCs (#31620)
closes #31581 


Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-07-29 09:32:48 +02:00
Pedro Igor
87c279d645 Respect the username value format when processing federated users
Closes #31240

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-29 09:28:43 +02:00
Pedro Igor
4d8c525644
Make sure changes to user profile metadata is not stored when calling decorators (#31549)
Closes #30476

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-29 09:03:21 +02:00
Pedro Igor
1f8280c71a Allow members joining multiple organizations
Closes #30747

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-29 09:02:36 +02:00
Giuseppe Graziano
12732333c8 Client scope assignment for client registration
Closes #31062

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-07-26 17:33:49 +02:00
Stian Thorgersen
30cd88fefe
Change default bootstrap admin service account client-id (#31649)
Closes #31648

Signed-off-by: stianst <stianst@gmail.com>
2024-07-26 10:45:26 +00:00
vramik
649b35929e Make sure users created through a registration link are managed members
Closes #30743

Signed-off-by: vramik <vramik@redhat.com>
2024-07-25 04:30:13 -03:00
Maciej Mierzwa
97e89e2071 feature: password age in days policy
Closes #30210

Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
2024-07-24 15:12:16 -03:00
Francis Pouatcha
30be268672
Enhance Verifiable Credential Signing Service Flexibility and Key Rotation(#30692)
closes #30525 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-07-24 13:45:39 +02:00
rmartinc
5db3772d45 Remove TrustedHostClientRegistrationPolicyTest#testGithubDomain
Closes #29271

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-23 11:33:38 +02:00
Diego Ramp
ae74d923d2 fix bad debugv({}) in favor of more tolerant debugf(%s)
Closes #31368

Signed-off-by: Diego Ramp <diego.ramp@mobi.ch>
2024-07-18 10:34:32 +02:00
mposolda
3110bb8989 Missing Cache-Control header when response_type parameter is missing in login request
closes #29866

Signed-off-by: mposolda <mposolda@gmail.com>
2024-07-18 10:17:52 +02:00
Pascal Knüppel
018a0802bc
Remove java.util.Date from VerifiableCredential (#30920)
closes #30918

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
2024-07-18 09:52:02 +02:00
Captain-P-Goldfish
526286e851 Manipulate OpenID redirect-response with custom implementation
Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
2024-07-17 17:20:18 +02:00
Martin Kanis
e5848bdcf9 Cannot set unmanagedAttributePolicy without profile attributes
Closes #31153

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-07-17 09:53:59 -03:00
Ricardo Martin
3d12c05005
Correctly moves to the next required action (#31358)
Closes #31014

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>


Co-authored-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-07-17 09:38:29 +02:00
Pascal Knüppel
8485bc38ef
Make ProofType a string instead of enum (#31000)
fixes #30999

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-07-16 11:30:38 +02:00
Martin Kanis
887db25f00 Allow auto-redirect existing users federated from organization broker when using the username
Closes #30746

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-07-15 13:48:45 -03:00
Pedro Igor
c33585a5f4 All pubic brokers are shown during authentication rather than only those associated with the current organization
Closes #31246

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-12 17:51:39 +02:00
Douglas Palmer
9300903674 page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt
Closes #25440

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-07-12 16:24:21 +02:00
Pascal Knüppel
4028ada2a5
Add required default-context value to VerifiableCredential (#30959)
closes #30958

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-07-11 18:25:11 +02:00
Pascal Knüppel
96234d42cf
Exchange Enum type of Format for String (#30875)
closes #30873

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-07-11 18:18:14 +02:00
Steven Hawkins
4970a9b729
fix: deprecate KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD
closes: #30658

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-07-11 18:07:57 +02:00
Pedro Igor
0410653e71 Do not send attributes when unlocking the user
Closes #31165

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-11 14:16:23 +02:00
rmartinc
096e335a92 Support for vault and AES and HMAC algorithms to JavaKeystoreKeyProvider
Closes #30880
Closes #29755

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-11 12:40:45 +02:00
Pedro Igor
da6c9ab7c1 Bruteforce protector does not work when using organizations
Closes #31204

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-11 00:26:47 +02:00
Martin Kanis
922eaa9fc8
Disable username prohibited chars validator when email as username is… (#31140)
* Disable username prohibited chars validator when email as the username is set

Closes #25339

Signed-off-by: Martin Kanis <mkanis@redhat.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-10 09:46:24 -03:00
Pedro Igor
d475833361 Do not expose kc.org attribute in user representations
Closes #31143

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-10 13:43:23 +02:00
rmartinc
f78a46485d TE should create a transient session when there is no initial session in client-to-client exchange
Closes #30614

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-08 15:44:38 -03:00
Lucy Linder
b4f7487dd3 Fix ReCAPTCHA Enterprise failing due to new properties in response
The assessment response added a new field called accountDefenderAssessment.
This commit adds the new property, and also ensures new properties won't be
problematic next time by ignoring unknown properties on the top level object.

Closes: #30917

Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
2024-07-08 16:59:47 +02:00
Thomas Darimont
c460fa7b48
Allow user to configure prompt parameter for google sign-in
Closes #16750

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-07-04 12:01:32 +02:00
Pedro Igor
f010f7df9b Reverting removal of test assertions and keeping existing logic where only brokers the user is linked to is shown after identity-first login page
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-03 11:55:04 -03:00
Martin Kanis
e1b735fc41 Identity-first login flow should be followed by asking for the user credentials
Closes #30339

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-07-03 11:55:04 -03:00
Steven Hawkins
96511e55c6
startup, welcome, and cli handling of bootstrap-admin user (#30054)
* fix: adding password and service account based bootstrap and recovery

closes: #29324, #30002, #30003

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Fix tests

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
2024-07-03 15:23:40 +02:00
Giuseppe Graziano
02d64d959c Using _system client when account client is disabled for email actions
Closes #17857

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-07-03 08:43:36 +02:00
cgeorgilakis-grnet
20cedb84eb Check refresh token flow response for offline based on refresh token request parameter
Closes #30857

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-07-02 18:13:30 -03:00
Pedro Igor
cc2ccc87b0 Filtering organization groups when managing or processing groups
Closes #30589

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-28 10:27:18 -03:00
Thomas Darimont
690c6051bb Fix scope policy evaluation for client to client token exchange (#26435)
Previously the scope from the token was not set available in the ClientModelIdentity attributes.
This caused the NPE in `org.keycloak.authorization.policy.provider.clientscope.ClientScopePolicyProvider.hasClientScope`(..)
when calling `identity.getAttributes().getValue("scope")`.

We now pass the provided decoded AccessToken down to the ClientModelIdentity creation
to allow to populate the required scope attribute.

We also ensure backwards compatibility for ClientPermissionManagement API.

Fixes #26435

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-06-28 10:33:20 +02:00
Douglas Palmer
601355d517 Flaky test: org.keycloak.testsuite.oauth.TokenIntrospectionTest#testUnsupportedToken
Closes #30111

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-06-27 18:41:48 +02:00
mposolda
3c3f59f861 Move some server related logic from info representation classes to server codebase
Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-27 11:00:30 +02:00
Jon Koops
cd0dbdf264
Use the Keycloak server URL for common resources (#30823)
Closes #30541

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-26 14:52:25 +00:00
Takashi Norimatsu
b0aac487a3 VC issuance in Authz Code flow with considering scope parameter
closes #29725

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-06-24 10:53:19 +02:00
Jon Koops
df18629ffe
Use a default Java version from root POM (#29927)
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-21 14:19:31 +02:00
mposolda
6a9e60bba0 Flow steps back when changing locale or refreshing page on 'Try another way page'
closes #30520

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-21 11:22:15 +02:00
rmartinc
592c2250fc Add briefRepresentation query parameter to getUsersInRole endpoint
Closes #29480

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-21 11:21:02 +02:00
Takashi Norimatsu
6b135ff6e7 client-jwt authentication fails on Token Introspection Endpoint
closes #30599

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-06-21 10:47:25 +02:00
Pedro Igor
a0ad680346 Adding an alias to organization and exposing them to templates
Closes #30312
Closes #30313

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-20 14:36:14 -03:00
Jon Koops
77fb3c4dd4
Use correct host URL for Admin Console requests (#30535)
Closes #30432

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-19 15:21:53 +02:00
Francis Pouatcha
d4797e04a2
Enhance SupportedCredentialConfiguration to support optional claims object as defined in OpenID for Verifiable Credential Issuance specification (#30420)
closes #30419 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-06-18 17:07:49 +02:00
rmartinc
38d8cf2cb3 Add UPDATE event to the client-roles condition
Closes #30284

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-18 15:30:42 +02:00
Thibault Morin
f6fa869b12
feat(SAML): add Artifact Binding on brokering scenarios when Keycloak is SP (#29619)
* feat: add Artifact Binding on brokering scenarios when Keycloak is SP

Signed-off-by: tmorin <git@morin.io>

* Adding broker test and minor improvements

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Fixing IdentityProviderTest

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Renaming methods related to idp initiated flows

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Fixing partial_import_test.spec.ts

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

---------

Signed-off-by: tmorin <git@morin.io>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-14 08:54:49 -03:00
vramik
d355e38424 Provide a cache layer for the organization model
Closes #30087

Signed-off-by: vramik <vramik@redhat.com>
2024-06-13 08:13:36 -03:00
Jon Koops
c7361ccf6e
Run the Vite dev server through the Keycloak server (#27311)
Closes #19750
Closes #28643
Closes #30115

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-12 11:55:14 +02:00
Pedro Igor
e6df8a2866 Allow multiple instances of the same social broker in a realm
Closes #30088

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-11 12:44:10 -03:00
Fouad Almalki
780ec71672
Add support of RTL UI in login themes (#29907)
Closes #29974

Signed-off-by: Fouad Almalki <me@fouad.io>
2024-06-11 07:12:13 -04:00
Patrick Jennings
75925dcf6c
Client type configuration inheritance (#30056)
closes #30213 

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-06-10 18:59:08 +02:00
rmartinc
7d05a7a013 Logout from all clients after IdP logout is performed
Closes #25234

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-10 11:58:09 -03:00
e.sergeenko
f00c2f3eb0 Add ability to get realm attributes
Closes #30241

Signed-off-by: e.sergeenko <sergeenkoegor@yandex.ru>
2024-06-07 13:05:06 +02:00
rmartinc
760e01b9db Improvements for openapi annotations in AuthenticationManagementResource
Closes #29788

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-07 13:04:00 +02:00
Giuseppe Graziano
6067f93984
Improvements to refresh token rotation with multiple tabs (#29966)
Closes #14122

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-06-07 12:02:36 +02:00
vickeybrown
c96c6c4feb
Default SAML client type (#29493)
closes #29492 

Signed-off-by: Vickey Brown <vibrown@redhat.com>
2024-06-07 11:43:43 +02:00
Erik Jan de Wit
5897334ddb
Align environment variables between consoles (#30125)
* change to make authServerUrl the same as authUrl

fixes: #29641
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Remove `authUrl` entirely

Signed-off-by: Jon Koops <jonkoops@gmail.com>

* Remove file that is unrelated

Signed-off-by: Jon Koops <jonkoops@gmail.com>

* Split out and align environment variables between consoles

Signed-off-by: Jon Koops <jonkoops@gmail.com>

* Restore removed variables to preserve backwards compatibility

Signed-off-by: Jon Koops <jonkoops@gmail.com>

* Also deprecate the `authUrl` for the Admin Console

Signed-off-by: Jon Koops <jonkoops@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-06-06 08:36:46 +02:00
Pedro Igor
94c194f1f4 Prevent users to unlink from their home identity provider when they are a managed member
Closes #30092

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2024-06-05 13:57:01 +02:00
mposolda
0bf613782f Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error
closes #30102

Signed-off-by: mposolda <mposolda@gmail.com>
2024-06-05 13:55:02 +02:00
rmartinc
eedfd0ef51 Missing auth checks in some admin endpoints (#166)
Closes keycloak/keycloak-private#156

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-05 12:04:47 +02:00
Giuseppe Graziano
d5e82356f9 Encrypted KC_RESTART cookie and removed sensitive notes
Closes #keycloak/keycloak-private#162

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-06-05 10:33:44 +02:00
Pedro Igor
f8d55ca7cd Export import realm with organizations
Closes #30006

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-05 09:50:03 +02:00
Martin Kanis
33331788a4 Introduce count method to avoid fetching all organization upon checking for existence
Closes #29697

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-06-04 10:45:28 -03:00
Thomas Darimont
35a4a17aa5
Add support for application/jwt media-type in token introspection (#29842)
Fixes #29841

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-06-03 19:06:21 +02:00
Martin Bartoš
262fc09edc
OpenJDK 21 support (#28518)
* OpenJDK 21 support

Closes #28517

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* x509 SAN UPN other name is not handled in JDK 21 (#904)

closes #29968

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-06-03 14:17:28 +02:00