keycloak-scim

Author	SHA1	Message	Date
Giuseppe Graziano	6067f93984	Improvements to refresh token rotation with multiple tabs (#29966 ) Closes #14122 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-06-07 12:02:36 +02:00
vickeybrown	c96c6c4feb	Default SAML client type (#29493 ) closes #29492 Signed-off-by: Vickey Brown <vibrown@redhat.com>	2024-06-07 11:43:43 +02:00
Erik Jan de Wit	5897334ddb	Align environment variables between consoles (#30125 ) * change to make authServerUrl the same as authUrl fixes: #29641 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Remove `authUrl` entirely Signed-off-by: Jon Koops <jonkoops@gmail.com> * Remove file that is unrelated Signed-off-by: Jon Koops <jonkoops@gmail.com> * Split out and align environment variables between consoles Signed-off-by: Jon Koops <jonkoops@gmail.com> * Restore removed variables to preserve backwards compatibility Signed-off-by: Jon Koops <jonkoops@gmail.com> * Also deprecate the `authUrl` for the Admin Console Signed-off-by: Jon Koops <jonkoops@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> Signed-off-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-06-06 08:36:46 +02:00
Pedro Igor	94c194f1f4	Prevent users to unlink from their home identity provider when they are a managed member Closes #30092 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>	2024-06-05 13:57:01 +02:00
mposolda	0bf613782f	Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error closes #30102 Signed-off-by: mposolda <mposolda@gmail.com>	2024-06-05 13:55:02 +02:00
rmartinc	eedfd0ef51	Missing auth checks in some admin endpoints (#166 ) Closes keycloak/keycloak-private#156 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-06-05 12:04:47 +02:00
Giuseppe Graziano	d5e82356f9	Encrypted KC_RESTART cookie and removed sensitive notes Closes #keycloak/keycloak-private#162 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-06-05 10:33:44 +02:00
Pedro Igor	f8d55ca7cd	Export import realm with organizations Closes #30006 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-06-05 09:50:03 +02:00
Martin Kanis	33331788a4	Introduce count method to avoid fetching all organization upon checking for existence Closes #29697 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-06-04 10:45:28 -03:00
Thomas Darimont	35a4a17aa5	Add support for application/jwt media-type in token introspection (#29842 ) Fixes #29841 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-06-03 19:06:21 +02:00
Martin Bartoš	262fc09edc	OpenJDK 21 support (#28518 ) * OpenJDK 21 support Closes #28517 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Signed-off-by: Martin Bartoš <mabartos@redhat.com> * x509 SAN UPN other name is not handled in JDK 21 (#904) closes #29968 Signed-off-by: mposolda <mposolda@gmail.com> --------- Signed-off-by: Martin Bartoš <mabartos@redhat.com> Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Marek Posolda <mposolda@gmail.com>	2024-06-03 14:17:28 +02:00
mposolda	9074696382	Editing built-in client policy profiles are silently reverted closes #27184 Signed-off-by: mposolda <mposolda@gmail.com>	2024-06-03 14:00:37 +02:00
Pedro Igor	4c39fcc79d	Allow to configure if users are automatically redirected when the email domain matches an organization Closes #30050 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-06-03 13:34:21 +02:00
vramik	a8ceada973	Fix creation of domains when creating the organization Closes #29005 Signed-off-by: vramik <vramik@redhat.com>	2024-06-03 10:22:20 +02:00
raff897	6d6131cade	Backchannel logout url with curly brackets closes #30023 Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>	2024-06-03 09:51:39 +02:00
Stefan Wiedemann	0f6f9543ba	Add oid4vci to the account console (#29174 ) closes #25945 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> Co-authored-by: Erik Jan de Wit <edewit@redhat.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-05-31 15:11:32 +02:00
Patrick Jennings	5144f8d85f	Improve Client Type Integration Tests (#29944 ) closes #30017 Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-05-31 09:53:22 +02:00
Andrejs Mivreniks	1cf87407fe	Allow setting authentication flow execution priority value via Admin API Closes #20747 Signed-off-by: Andrejs Mivreniks <andrejs@fastmail.com>	2024-05-30 19:17:45 +02:00
Pedro Igor	320f8eb1b4	Improve invitation messages and flow Closes #29945 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-29 17:51:06 +02:00
Erik Jan de Wit	f088b0009c	initial ui for organizations (#29643 ) * initial screen Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * more screens Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added members tab Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added the backend Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added member add / invite models Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * initial version of the identity provider section Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * add link and unlink providers Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * small fix Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * PR comments Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Do not validate broker domain when the domain is an empty string Closes #29759 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added filter and value Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added test Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added first name last name Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * refresh menu when realm organization is changed Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * changed to record Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * changed to form data Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * fixed lint error Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Changing name of invitation parameters Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Chancing name of parameters on the client Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Enable organization at the realm before running tests Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Domain help message Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Handling model validation errors when creating organizations Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Message key for organizationDetails Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Do not change kc.org attribute on group Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * add realm into the context Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * tests Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Changing button in invitation model to use Send instead of Save Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Better message when validating the organization domain Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * Fixing compilation error after rebase Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * fixed test Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * removed wait as it no longer required and skip flacky test Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * skip tests that are flaky Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * stabilize user create test Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-29 14:34:02 +02:00
Thomas Darimont	4edb204777	Add reason details in event before error event is submitted for broken SAML requests (#29948 ) Previously the reason was omitted in the details because it was set after the event was already submitted. Fixes #29948 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-05-29 08:34:28 +02:00
Pedro Igor	bbb83236f5	Do not lower-case the username from the IdP when creating the federated identity Closes #28495 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-29 01:58:20 -03:00
mposolda	49a2aaf7bc	Adding realmName to be logged by jboss-logging event listener closes #27506 Signed-off-by: mposolda <mposolda@gmail.com>	2024-05-28 18:41:43 +02:00
Francis Pouatcha	583054b929	Enhancement: Add support for RSA encryption key imports in JavaKeystoreKeyProvider (#29853 ) closes #29852 Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>	2024-05-28 13:56:20 +02:00
Stefan Guilhen	694ffaf289	Allow organizations in different realms to have the same domain Closes #29886 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-28 08:02:30 -03:00
Francis Pouatcha	4317a474d1	JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification (#29635 ) closes #29634 Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com> Co-authored-by: DYLANE BENGONO <85441363+bengo237@users.noreply.github.com>	2024-05-28 12:51:56 +02:00
Sebastian Prehn	b5d0154bb1	Improve documentation on ClientRolemappingsRessource Closes #29266 Signed-off-by: Sebastian Prehn <sebastian.prehn@ero.eu>	2024-05-28 09:06:31 +02:00
BaptisteMcd	8d76ce3f54	Fix: Added LDSigningServiceProvider entry for LD-Credentials/VCDM Closes #29885 Signed-off-by: Baptiste Marchand <baptiste.marchand01@gmail.com>	2024-05-27 14:42:09 +00:00
Stefan Wiedemann	5a68056f2a	Fix oid4vc mappers Closes #29805 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-05-27 11:28:46 +02:00
Francis Pouatcha	29dee7ec63	Fix: Corrected media type/format string for SD-JWT-VC Closes #29620 Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>	2024-05-27 10:13:36 +02:00
Pedro Igor	2d4d32764c	Show a message when confirming an invitation link Closes #29794 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-27 08:33:22 +02:00
rmartinc	b258b459d7	Generate RESTART_AUTHENTICATION event on success Closes #29385 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-05-23 19:08:22 +02:00
vramik	0508d279f7	Filter empty domains from OrganizationsRepresentation before running validation Closes #29809 Signed-off-by: vramik <vramik@redhat.com>	2024-05-23 09:53:51 -03:00
Daniel Fesenmeyer	c08621fa63	Always order required actions by priority (regardless of context) - AuthenticationManager#actionRequired: make sure that the highest prioritized required action is performed first, possibly before the currently requested required action - AuthenticationManager#nextRequiredAction: make sure that the next action is requested via URL, also based on highest priority (-> requested URL will match actually performed action, unless required actions for the user are changed by a parallel operation) - add tests to RequiredActionPriorityTest, add helper method for priority setup to ApiUtil (for easier and more robust setup than up-to-now) - fix test WebAuthnRegisterAndLoginTest - which failed because WebAuthnRegisterFactory (prio 70) is now executed before WebAuthnPasswordlessRegisterFactory (prio 80) Closes #16873 Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>	2024-05-23 09:07:56 +02:00
Thomas Darimont	ab376d9101	Make required actions configurable (#28400 ) - Add tests for crud operations on configurable required actions - Add support exposing the required action configuration via RequiredActionContext - Make configSaveError message reusable in other contexts - Introduced admin-ui specific endpoint for retrieving required actions with config metadata Fixes #28400 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-05-23 08:38:36 +02:00
Stefan Guilhen	37f85937a7	Move organization authenticator into conditional subflows in the default browser and first broker login flows Closes #29446 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-22 20:48:29 -03:00
vramik	1e597cca3e	Split OrganizationResource into OrganizationResource and OrganizationsResource Closes #29574 Signed-off-by: vramik <vramik@redhat.com>	2024-05-22 07:58:26 -03:00
vramik	278341aff9	Add organizations enabled/disabled capability Closes #28804 Signed-off-by: vramik <vramik@redhat.com>	2024-05-22 07:58:26 -03:00
Francis Pouatcha	542fc65923	Issue 29627: Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 (#29628 ) closes #29627 Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com> Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-05-22 10:30:34 +02:00
rmartinc	f7044ba5c2	Use SessionExpirationUtils for validate user and client sessions Check client session is valid in TokenManager Closes #24936 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-05-22 10:12:20 +02:00
Case Walker	f32cd91792	Upgrade owasp-java-html-sanitizer, address all fallout Signed-off-by: Case Walker <case.b.walker@gmail.com>	2024-05-22 09:15:25 +02:00
Raffaele Lucca	a5a55dc66e	Protocol now is mandatory during client scope creation. (#29544 ) closes #29027 Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>	2024-05-22 09:10:46 +02:00
Patrick Jennings	84acc953dd	Client type OIDC base read only defaults (#29706 ) closes #29742 closes #29422 Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-05-22 09:07:19 +02:00
rmartinc	9dfaab6d82	Invalid default/options in JavaKeystoreKeyProviderFactory algorithm property Closes #29426 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-05-22 08:49:45 +02:00
Pedro Igor	b019cf6129	Support unmanaged attributes for service accounts and make sure they are only managed through the admin api Closes #29362 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-21 16:56:18 -03:00
Marek Posolda	6dc28bc7b5	Clarify the documentation about step-up authentication (#29735 ) closes #28341 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-05-21 19:46:27 +02:00
Martin Kanis	97cd5f3b8d	Provide an additional endpoint to allow sending both invitation and registration links depending on the email being associated with an user or not Closes #29482 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-05-21 12:29:10 -03:00
Hynek Mlnarik	65fcd44fe1	Use admin console correctly in KeycloakIdentity Fixes: #29688 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-05-21 13:35:44 +02:00
rmartinc	3304540855	Allow admin console whoami endpoint to applications that have a special attribute Closes #29640 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-05-20 09:51:07 +02:00
Richard van den Berg	cb3f248d73	Document getGroupById() will not set subGroups in JavaDoc Closes #27787 Signed-off-by: Richard van den Berg <richard@vdberg.org>	2024-05-17 17:05:25 +02:00
Filipe Roque	e83f3af080	Call super constructor in subclasses of WebApplicationException Frameworks like Datadog dd-trace-java java agent inspect the known WebApplicationException and mark the exception as an HTTP 500, because that is the default for the non argument constructor. https://github.com/keycloak/keycloak/issues/29451 Signed-off-by: Filipe Roque <froque@premium-minds.com>	2024-05-17 16:25:59 +02:00
Ricardo Martin	74a80997c7	Fix CRL verification failing due to client cert not being in chain (#29582 ) closes #19853 Signed-off-by: Micah Algard <micahalgard@gmail.com> Signed-off-by: rmartinc <rmartinc@redhat.com> Co-authored-by: Micah Algard <micahalgard@gmail.com> Co-authored-by: rmartinc <rmartinc@redhat.com>	2024-05-17 11:28:07 +02:00
Stefan Guilhen	bfa4660ecd	Add OpenAPI documentation for the Organization API Closes #29479 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-16 14:59:30 -03:00
Takashi Norimatsu	b4e7d9b1aa	Passkeys: Supporting WebAuthn Conditional UI (#24305 ) closes #24264 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com> Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: mposolda <mposolda@gmail.com>	2024-05-16 07:58:43 +02:00
rmartinc	89d7108558	Restrict access to whoami endpoint for the admin console and users with realm access Closes #25219 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-05-15 19:06:57 +02:00
Pedro Igor	b4d231fd40	Fixing realm removal when removing groups and brokers associated with an organization Closes #29495 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-14 14:29:27 +02:00
Pedro Igor	b5a854b68e	Minor improvements to invitation email templates (#29498 ) Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-14 13:19:02 +02:00
Pedro Igor	1b583a1bab	Email validation for managed members should only fail if it does not match the domain set to a broker Closes #29460 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-14 10:46:22 +02:00
mposolda	d8a7773947	Adding dummyHash to DirectGrant request in case user does not exists. Fix dummyHash for normal login requests closes #12298 Signed-off-by: mposolda <mposolda@gmail.com>	2024-05-13 16:33:29 +02:00
kaustubh-rh	8a82b6b587	Added a check in ClientInitialAccessResource (#29353 ) closes #29311 Signed-off-by: Kaustubh Bawankar <kbawanka@redhat.com>	2024-05-13 13:00:36 +02:00
vramik	fbdaf03972	Ensure master realm can't be removed Fixes #28896 Signed-off-by: vramik <vramik@redhat.com>	2024-05-13 07:47:48 -03:00
rmartinc	2cc051346d	Allow empty CSP header in headers provider Closes #29458 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-05-13 10:51:31 +02:00
Pedro Igor	b50d481b10	Make sure organization groups can not be managed but when managing an organization Closes #29431 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-10 21:28:11 -03:00
Stefan Guilhen	f0620353a4	Ensure master realm can't be removed Closes #28896 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-10 16:56:18 -03:00
Stefan Guilhen	ceed7bc120	Add ability to search organizations by attribute Closes #29411 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-10 16:45:41 -03:00
Pedro Igor	77b58275ca	Improvements to the organization authentication flow Closes #29416 Closes #29417 Closes #29418 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-09 16:07:52 -03:00
Pedro Igor	a65508ca13	Simplifying the CORS SPI and the default implementation Closes #27646 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-08 12:27:55 -03:00
Thomas Darimont	6ba8b3faa2	Revise ObjectMapper construction (#16295 ) Previously an ObjectMapper was created multiple times during startup: two times during bootstrap and one additional time for the first request sent to Keycloak. Additionally jackson modules, e.g. support for JSR310 java.time types were not registered event-though they are present on the classpath. This PR revises the initialization of the ObjectMapper. - Ensure ObjectMapper is only initialized once - Ensure that jackson modules on the classpath are properly Fixes #16295 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-05-07 19:04:43 +02:00
Martin Kanis	d4b7e1a7d9	Prevent to manage groups associated with organizations from different APIs Closes #28734 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-05-07 11:16:40 -03:00
Pedro Igor	f8bc74d64f	Adding SAML protocol mapper to map organization membership Closes #28732 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-07 15:52:35 +02:00
Stefan Guilhen	aa945d5636	Add description field to OrganizationEntity Closes #29356 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-07 10:35:51 -03:00
Pedro Igor	c0325c9fdb	Do not manage brokers through the Organization API Closes #29268 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-07 09:15:25 -03:00
Alice W	d1549a021e	Update invitation changes based on review and revert deleted test from OrganizationMembertest Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	7553679116	Using a common name for token parameter and setting it to action urls when available from query parameters Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	5359840f10	Reverting changes to login action services Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	6ae8c1e262	Reverting changes to freemarker login forms provider Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	40a283b9e8	Token expiration tests and updates to registration required action Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	158162fb4f	Review tests and having invitation related operations in a separate class Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	287f3a44ce	registration link tests Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Alice W	ce2e83c7f9	Update test and link formation on invite of new user Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>	2024-05-06 17:57:13 -03:00
Alice W	694105da89	Update the handling of invite tokens for new user registration to work with the base level oauth flows and implicit grants Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>	2024-05-06 17:57:13 -03:00
Alice W	18356761db	Add test for user invite registration and fix minor bug with registration link generation and email templating Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>	2024-05-06 17:57:13 -03:00
Pedro Igor	e0bdb42d41	adding test and minor updates to cover inviting existing users Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-06 17:57:13 -03:00
Alice W	584e92aaba	Add support for organizational invites to new and existing users based on tokens Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>	2024-05-06 17:57:13 -03:00
Dimitri Papadopoulos Orfanos	cd8e0fd333	Fix user-facing typos in Javadoc (#28971 ) Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-05-06 18:57:55 +00:00
Stefan Guilhen	dae1eada3d	Add enabled field to OrganizationEntity Closes #28891 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-06 14:46:56 -03:00
Alexander Schwartz	2ebad818f9	Provide details in the log when a client credential grant fails (#28927 ) Closes #28926 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-05-06 09:31:25 +02:00
Alexander Schwartz	a9532274e3	Generate translations for locales via built-in Java functionality (#29125 ) Closes #29124 Signed-off-by: Jon Koops <jonkoops@gmail.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-05-06 09:30:14 +02:00
Giuseppe Graziano	c6d3e56cda	Handle reset password flow with logged in user Closes #8887 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-05-06 09:10:47 +02:00
Thomas Darimont	ba43a10a6d	Improve details for user error events in OIDC protocol endpoints Closes #29166 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-05-06 08:32:31 +02:00
Pedro Igor	32d25f43d0	Support for mutiple identity providers Closes #28840 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-04 16:19:27 +02:00
Justin Tay	7bd48e9f9f	Set logout token type to logout+jwt Closes #28939 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-05-03 14:51:10 +02:00
Giuseppe Graziano	8c3f7cc6e9	Ignore include in token scope for refresh token Closes #12326 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-05-03 09:05:03 +02:00
alexagc	5e00fe8b10	Ignore g-recaptcha-response in user profile validation Signed-off-by: alexagc <alexcanal@gmail.com>	2024-05-02 17:12:54 -03:00
Steven Hawkins	4697cc956b	further refinement of context handling (#28182 ) * fully removing providers and moving the keycloaksession creation / final cleanup also deprecated Resteasy utility methods closes: #29223 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-05-02 11:21:01 -04:00
Stefan Guilhen	45e5e6cbbf	Introduce filtered (and paginated) search for organization members Closes #28844 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-05-02 11:25:43 -03:00
Patrick Jennings	64824bb77f	Client type service account default type (#29037 ) * Adding additional non-applicable client fields to the default service-account client type configuration. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations. Adding overrides for fields in TypeAwareClientModelDelegate required for service-account client type. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Splitting client type attribute enum into 3 separate enums, representing the top level ClientModel fields, the extended attributes through the client_attributes table, and the composable fields on ClientRepresentation. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Removing reflection use for client types. Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods. Signed-off-by: Patrick Jennings <pajennin@redhat.com> More updates Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Update client utilzes type aware client property update method. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Cleaning up RepresentationToModel Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Fixing issue when updating client secret. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Fixing issues with redirectUri and weborigins defaults in type aware clients. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Need to allow client attributes the ability to clear out values during update. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Renaming interface based on PR feedback. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Shall be able to override URI sets with an empty set. Signed-off-by: Patrick Jennings <pajennin@redhat.com> * Comments around fields that are primitive and may cause problems determining whether to set sane default on create. Signed-off-by: Patrick Jennings <pajennin@redhat.com> --------- Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-05-02 12:22:02 +02:00
Ricardo Martin	65bdf1a604	Encode realm name in console URIs (#29102 ) Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid. closes #25807 Signed-off-by: Philip Sanetra <code@psanetra.de> Signed-off-by: rmartinc <rmartinc@redhat.com> Co-authored-by: Philip Sanetra <code@psanetra.de> Co-authored-by: rmartinc <rmartinc@redhat.com>	2024-05-02 10:30:06 +02:00
Stefan Guilhen	02e2ebf258	Add check to prevent deserialization issues when the context token is not an AccessTokenResponse. - also adds a test for the refresh token on first login scenario. Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-30 12:02:10 -03:00
Geoffrey Fourmis	24d9a22f49	25815 do not remove previous refresh token for federated identity Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>	2024-04-30 12:02:10 -03:00
rmartinc	8042cd5d4f	Set client in the context for docker protocol Fix to execute again the docker test Closes #28649 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-30 10:17:17 +02:00
Pedro Igor	51352622aa	Allow adding realm users as an organization member Closes #29023 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-29 08:37:47 -03:00
Alexander Schwartz	d55a8b0b17	Run validation of email addresses only for new and changed email addresses Closes #29133 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-04-29 07:38:26 -03:00
Stefan Guilhen	bfabc291cc	28843 - Introduce filtered (and paginated) searches for organizations Closes #28843 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-25 12:38:20 -03:00
Stefan Guilhen	8fa2890f68	28818 - Reintroduce search by name for subgroups Closes #28818 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-25 12:06:07 -03:00
vramik	d65649d5c0	Make sure organization are only manageable by the admin users with the manage-realm role Closes #28733 Signed-off-by: vramik <vramik@redhat.com>	2024-04-23 12:16:57 -03:00
Steven Hawkins	9486432f3f	fix: removing httpclient override (#28304 ) we need to have a dependency on commons-logging-jboss-logging closes: #21392 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-04-23 10:09:06 +02:00
Mark Banierink	ad32896725	replaced and removed deprecated token methods (#27715 ) closes #19671 Signed-off-by: Mark Banierink <mark.banierink@nedap.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-23 09:23:37 +02:00
mposolda	337a337bf9	Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled closes #28968 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-22 18:31:46 +02:00
Tero Saarni	64862d568e	Convert database errors to 500 instead of 400. Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2024-04-22 11:42:18 -03:00
Stefan Guilhen	f1532565b6	Don't use no-arg version of GroupModel.getSubGroupsStream() when fetching the subgroups from the GroupResource endpoint. - prevents pre-loading all groups; instead use the stream from the JPA adapter to load subgroups one by one and then filter based on the user permissions. Closes #28935 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-22 11:27:29 -03:00
Marek Posolda	b553fc2ae0	Fix compilation error (#28965 ) closes #28964 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-22 11:19:33 +00:00
Erwin Rohde	10544a5a93	socketTimeoutUnits and establishConnectionTimeoutUnits use TimeUnit set in HttpClientBuilder Closes #28881 Signed-off-by: Erwin Rohde <erwin@rohde.nu>	2024-04-22 08:11:11 -03:00
Douglas Palmer	ed22530d16	Failure reset time is applied to Permanent Lockout Closes #28821 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-04-22 11:47:22 +02:00
Stefan Wiedemann	b08c644601	Support credentials issuance through oid4vci (#27931 ) closes #25940 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-04-22 11:37:55 +02:00
Lex Cao	7e034dbbe0	Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity (#26393 ) Closes #26201. Signed-off-by: Lex Cao <lexcao@foxmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-04-22 11:30:14 +02:00
etiksouma	1afd20e4c3	return proper error message for admin users endpoint closes #28416 Signed-off-by: etiksouma <al@mouskite.com>	2024-04-20 12:17:53 +02:00
Pedro Ruivo	3e0a185070	Remove deprecated EnvironmentDependentProviderFactory.isSupported method Closes #26280 Signed-off-by: Pedro Ruivo <pruivo@redhat.com>	2024-04-19 16:36:49 +02:00
Giuseppe Graziano	f6071f680a	Avoid the same userSessionId after re-authentication Closes keycloak/keycloak-private#69 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-19 14:44:39 +02:00
mposolda	c427e65354	Secondary factor bypass in step-up authentication closes #34 Signed-off-by: mposolda <mposolda@gmail.com> (cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)	2024-04-19 14:43:53 +02:00
Giuseppe Graziano	897c44bd1f	Validation of providerId during required action registration Closes #26109 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-19 13:06:51 +02:00
Joerg Matysiak	76a5a27082	Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it Don't mask secrets at realm export Closes #21562 Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>	2024-04-18 18:26:47 -03:00
Pedro Igor	7483bae130	Make sure admin events are not referencing sensitive data from their representation Closes #21562 Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>	2024-04-18 18:26:47 -03:00
cgeorgilakis-grnet	89263f5255	Fix refresh token scope in refresh token flow with scope request parameter Closes #28463 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-04-18 16:17:46 -03:00
Ricardo Martin	4c2542b91f	Better management of domains in TrustedHostClientRegistrationPolicy (#139 ) (#28876 ) Closes keycloak/keycloak-private#63 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-18 16:06:50 +02:00
Ricardo Martin	8daace3f69	Validate Saml URLs inside DefaultClientValidationProvider (#135 ) (#28873 ) Closes keycloak/keycloak-private#62 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-18 16:04:13 +02:00
Ricardo Martin	fc6b6f0d94	Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131 ) (#28872 ) Closes keycloak/keycloak-private#113 Closes keycloak/keycloak-private#134 Signed-off-by: rmartinc <rmartinc@redhat.com> Co-authored-by: Stian Thorgersen <stianst@gmail.com>	2024-04-18 16:02:24 +02:00
Hynek Mlnarik	9d1433d266	Update URL builder Fixes: keycloak/keycloak-quickstarts#548 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-04-18 14:50:10 +02:00
vramik	860f3b7320	Prevent updating IdP via organization API not linked with the organization Closes #28833 Signed-off-by: vramik <vramik@redhat.com>	2024-04-18 09:14:54 -03:00
Stian Thorgersen	0d60e58029	Restrict the token types that can be verified when not using the user info endpoint (#146 ) (#28866 ) Closes #47 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Conflicts: core/src/main/java/org/keycloak/util/TokenUtil.java testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-18 14:11:05 +02:00
Stian Thorgersen	cbc4a8c305	Limit requests sent through session status iframe (#132 ) (#28864 ) Closes #116 Signed-off-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-04-18 14:02:37 +02:00
rmartinc	ddacfbdefd	Remove deprecated LinkedIn social provider Closes #23127 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-18 10:10:58 +02:00
Pedro Igor	f0f8a88489	Automatically fill username when authenticating to through a broker Closes #28848 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-18 08:24:34 +02:00
Pedro Igor	1e3837421e	Organization member onboarding using the organization identity provider Closes #28273 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-17 07:24:01 -03:00
Jon Koops	3216e7c781	Only allow a known refferer URI for the Account Console (#28743 ) Closes #27628 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-04-16 17:24:22 +02:00
Pedro Ruivo	63cb137b37	Remove usages of EnvironmentDependentProviderFactory.isSupported Closes #28751 Signed-off-by: Pedro Ruivo <pruivo@redhat.com>	2024-04-16 09:43:23 +02:00
Stefan Guilhen	2ab8bf852d	Add validation for the organization's internet domains. Closes #28634 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-15 09:03:52 -03:00
Patrick Jennings	5e0d323304	Log exception when failure to augment client and re-throw instead of returning the raw client. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	551a3db987	Updating validation logic to match our expectations on what applicable should mean. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	03db2e8b56	Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	9814733dd3	DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	c0f5dab209	If client cannot be augmented due to error, we shall return the un-augmented client entity. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	42202ae45e	Translate client type exception during client create into bad request response. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Giuseppe Graziano	4672366eb9	Simplified checks in IntrospectionEndpoint (#28642 ) Closes #24466 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com> Co-authored-by: mposolda <mposolda@gmail.com>	2024-04-12 21:19:04 +02:00
Marek Posolda	e6747bfd23	Adjust priority of SubMapper (#28663 ) closes #28661 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-04-12 14:13:03 +02:00
Pedro Igor	61b1eec504	Prevent members with an email other than the domain set to an organization Closes #28644 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-12 08:33:18 -03:00
rmartinc	6d74e6b289	Escape slashes in full group path representation but disabled by default Closes #23900 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-12 10:53:39 +02:00
Douglas Palmer	69ba92808d	DefaultBruteForceProtector leverages a single thread to write success/failed events Closes #14084 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-04-12 09:53:40 +02:00
Pedro Igor	8f8094408e	Encapsulate the logic to set attributes into the domain model Closes #28646 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-11 15:32:21 -03:00
Marek Posolda	74faddec8e	Release notes for lightweight access tokens and group together relate… (#28622 ) closes #28460 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-04-11 20:02:33 +02:00
Giuseppe Graziano	33b747286e	Changed userId value for refresh token events Closes #28567 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-11 07:46:44 +02:00
Stefan Guilhen	9a466f90ab	Add ability to set one or more internet domain to an organization. Closed #28274 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-10 13:18:12 -03:00
devjos	cccddc0810	Fix brute force detection for LDAP read-only users Closes #28579 Signed-off-by: devjos <github_11837948@feido.de>	2024-04-10 16:36:11 +02:00
vramik	00ce3e34bd	Manage a single identity provider for an organization Closes #28272 Signed-off-by: vramik <vramik@redhat.com>	2024-04-10 09:47:51 -03:00
Martin Kanis	51fa054ba7	Manage organization attributes Closes #28253 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-04-10 09:10:49 -03:00
rmartinc	41b706bb6a	Initial security profile SPI to integrate default client policies Closes #27189 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-10 11:19:56 +02:00
Giuseppe Graziano	c76cbc94d8	Add sub via protocol mapper to access token Closes #21185 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-10 10:40:42 +02:00
mposolda	aa619f0170	Redirect error to client right-away when browser tab detects that another browser tab authenticated closes #27880 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-09 17:59:34 +02:00
Václav Muzikář	e4987f10f5	Hostname SPI v2 (#26345 ) * Hostname SPI v2 Closes: #26084 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Address review comment Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Partially revert the previous fix Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Do not polish values Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Remove filtering of denied categories Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> --------- Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>	2024-04-09 11:25:19 +02:00
vibrown	3fffc5182e	Added ClientType implementation from Marek's prototype Signed-off-by: vibrown <vibrown@redhat.com> More updates Signed-off-by: vibrown <vibrown@redhat.com> Added client type logic from Marek's prototype Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> Testing to see if skipRestart was cause of test failures in MR	2024-04-08 20:20:37 +02:00
Pedro Igor	52ba9b4b7f	Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user Closes #28248 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-08 09:05:16 -03:00
rmartinc	2b769e5129	Better management of the CSP header Closes https://github.com/keycloak/keycloak/issues/24568 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-08 08:19:57 +02:00
Giuseppe Graziano	b4f791b632	Remove session_state from tokens Closes #27624 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-08 08:12:51 +02:00
Alexander Schwartz	647bce49c8	Add error details to events to be able to track down root causes Closes #28429 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-04-04 20:28:45 +02:00
Justin Tay	30cd40e097	Use realm default signature algorithm for id_token_signed_response_alg Closes #9695 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-04 11:37:28 +02:00
Justin Tay	89a5da1afd	Allow empty key use in JWKS for client authentication Closes #28004 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-04 10:42:37 +02:00
Marek Posolda	335a10fead	Handle 'You are already logged in' for expired authentication sessions (#27793 ) closes #24112 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-04 10:41:03 +02:00
Anar Sultanov	6708f1f12d	Update method for sending identity broker link confirmation Signed-off-by: Anar Sultanov <anar.sultanov@assessio.se>	2024-04-03 19:08:51 -03:00
Hynek Mlnarik	8ef3423f4a	Present effective sync mode value When sync mode value is missing in the config of newly created identity provider, the provider does not store any. When no value is found, the identity provider behaves as if `LEGACY` was used (#6705). This PR ensures the correct sync mode is returned from the REST endpoint, regardless of whether it has been stored in the database or not. Fixes: #26019 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-04-03 15:49:18 +02:00
Pedro Igor	fefeb83588	Changes the contract to make it simpler and rely on the realm available from the current session Closes #28403 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-03 14:45:31 +02:00
Nicola Beghin	a7e5c861cc	fixes SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor (keycloak/keycloak#27875 ) Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>	2024-04-02 10:58:15 +02:00
Giuseppe Graziano	fe06df67c2	New default client scope for 'basic' claims with 'auth_time' protocol mapper Closes #27623 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-02 08:44:28 +02:00
Pedro Igor	b9a7152a29	Avoid commiting the transaction prematurely when creating users through the User API Closes #28217 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-27 19:16:09 -03:00
Lex Cao	a53cacc0a7	Fire logout event when logout other sessions (#26658 ) Closes #26658 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-03-27 11:13:48 +01:00
Jon Koops	3382e16954	Remove Account Console version 2 (#27510 ) Closes #19664 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-03-27 10:53:28 +01:00
Steven Hawkins	be32f8b1bf	fix: limit the use of Resteasy to the KeycloakSession (#28150 ) * fix: limit the use of Resteasy to the KeycloakSession contextualizes other state to the KeycloakSession close: #28152	2024-03-26 13:43:41 -04:00
vramik	fa1571f231	Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member Closes #27993 Signed-off-by: vramik <vramik@redhat.com>	2024-03-26 14:02:09 -03:00
vramik	e7bc796553	When the realm has registrationEmailAsUsername set to false (default) it's not possible to add a member to an org Closes #28216 Signed-off-by: vramik <vramik@redhat.com>	2024-03-26 14:02:09 -03:00
Pedro Igor	a470711dfb	Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider Closes #28100 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-26 10:14:49 -03:00
Stian Thorgersen	8cbd39083e	Default password hashing algorithm should be set to default password hash provider (#28128 ) Closes #28120 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 12:44:11 +01:00
Stian Thorgersen	3f9cebca39	Ability to set the default provider for an SPI (#28135 ) Closes #28134 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 07:45:08 +01:00
Reda Bourial	a41d865600	fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY (#27756 ) Signed-off-by: Reda Bourial <reda.bourial@gmail.com>	2024-03-21 17:06:42 +01:00
Steven Hawkins	7eab019748	task: deprecate WILDCARD and STRICT options (#26833 ) closes: #24893 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-21 16:22:41 +01:00
Steven Hawkins	35b9d8aa49	task: remove usage of resteasy-core-spi (#27387 ) closes: #27242 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-21 15:28:34 +01:00
Giuseppe Graziano	939420cea1	Always include offline_access scope when refreshing with offline token Closes #27878 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-03-21 14:32:31 +01:00
Pedro Igor	32541f19a3	Allow managing members for an organization Closes #27934 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-21 10:26:30 -03:00
Martin Kanis	4154d27941	Invalidating offline token is not working from client sessions tab Closes #27275 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-03-21 09:04:58 -03:00
Pedro Igor	f970deac37	Do not grant scopes not granted for resources owned the resource server itself Closes #25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-20 18:36:41 +01:00
René Zeidler	83a3500ccf	Attributes without a group should appear first In the login theme, user profile attributes that are not assigned to an attribute group should appear before all other attributes. This aligns the login theme (registration, verify profile, etc.) with the account and admin console. Fixes #27981 Signed-off-by: René Zeidler <rene.zeidler@gmx.de>	2024-03-19 18:40:01 +01:00
Peter Skopek	b77e228be4	Fix javadoc generation failure introduced with new dependencies for OID4VCI support (#28038) Fixes #28038 Signed-off-by: Peter Skopek <pskopek@redhat.com>	2024-03-19 14:14:53 +01:00
Stefan Wiedemann	67d3e1e467	Issue Verifiable Credentials in the VCDM format #25943 (#27071 ) closes #25943 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet	24f105e8fc	successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex Closes #23528 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-03-18 08:19:13 -03:00
Alexander Schwartz	62d24216e3	Remove offline session preloading Closes #27602 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-15 15:19:27 +01:00
Pedro Igor	7fc2269ba5	The bare minimum implementation for organization Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: vramik <vramik@redhat.com>	2024-03-15 11:06:43 -03:00
Peter Keuter	e26a261e4e	Filter subgroups before paginating Closes #27512 Signed-off-by: Peter Keuter <github@peterkeuter.nl>	2024-03-15 10:57:57 +01:00
sebastien-helbert	e33bf39055	Review log message (#23962 ) missing spaces added in log message	2024-03-14 13:44:22 +01:00
Alexander Schwartz	6de5325d1c	Limit the received content when handling the content as a String Closes #27293 Co-authored-by: rmartinc <rmartinc@redhat.com> Signed-off-by: rmartinc <rmartinc@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-13 16:43:03 +01:00
Réda Housni Alaoui	1bf90321ad	"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578 ) closes #27558 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-03-13 14:00:34 +01:00
rmartinc	43a5779f6e	Do not challenge inside spnego authenticator is FORKED_FLOW Closes #20637 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-12 14:23:03 +01:00
Pedro Igor	1e48cce3ae	Make sure empty configuration resolves to the system default configuration Closes #27611 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-11 09:01:38 -03:00
Stefan Wiedemann	6fc69b6a01	Issue Verifiable Credentials in the SD-JWT-VC format (#27207 ) closes #25942 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>	2024-03-11 08:55:28 +01:00
Hynek Mlnarik	26468e11f2	Use correct path to account console Fixes: #27709 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-03-08 14:31:32 +01:00
Ricardo Martin	299118c45a	Change oidcScopeMissing from WARN to DEBUG (#27439 ) Closes #27391 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-08 10:50:21 +00:00
Erik Jan de Wit	7d104dbe9d	no result to parse on success (#27336 ) * no result to parse on success fixes: #27245 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * translate error message Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-03-08 09:56:23 +01:00
Pedro Igor	40385061f7	Make sure refresh token expiration is based on the current time when the token is issued Closes #27180 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-07 15:23:19 +01:00
rmartinc	ea4155bbcd	Remove recursively when deleting an authentication executor Closes #24795 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-07 14:43:23 +01:00
graziang	54b40d31b6	Revoked token cache expiration fix Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token. Closes #26113 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-07 13:33:37 +01:00
Alexander Schwartz	595959398b	Instead of an InputStream that doesn't know about its encoding, use a String Closes #20916 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-07 10:24:36 +00:00
rmartinc	dea15e25da	Only add the nonce claim to the ID Token (mapper for backwards compatibility) Closes #26893 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-07 09:56:57 +01:00
Theresa Henze	653d09f39a	trigger REMOVE_TOTP event on removal of an OTP credential Closes #15403 Signed-off-by: Theresa Henze <theresa.henze@bare.id>	2024-03-06 17:12:50 +01:00
graziang	39299eeb38	Encode role name parameter in the location header uri The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}. Closes #27514 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-06 15:59:26 +01:00
rmartinc	82af0b6af6	Initial client policies integration for SAML Closes #26654 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-06 15:18:35 +01:00
graziang	4fa940a31e	Device verification flow always requires consent Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve Closes #26100 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-05 14:14:19 +01:00
Tero Saarni	e06fcbe6ae	Change supported criteria for Google Authenticator List Google Authenticator as supported when - hash algorithm is SHA256 or SHA512 - number of digits is 8 - OTP type is hotp Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2024-03-05 11:19:06 +01:00
Jon Koops	7afd75ba08	Use browser router for Account Console (#22192 ) Closes #27442 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-03-04 12:38:28 +00:00
Steven Hawkins	be3e2fabc4	fix: remove the reliance on allowed classes (#27368 ) closes: #25038 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-04 12:17:53 +00:00
Lucy Linder	aa6771205a	Update ReCAPTCHA and add support for ReCAPTCHA Enterprise Closes #16138 Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>	2024-03-04 20:28:06 +09:00
vramik	032bb8e9cc	Map Store Removal: Remove obsolete `KeycloakModelUtils.isUsernameCaseSensitive` method Closes #27438 Signed-off-by: vramik <vramik@redhat.com>	2024-03-02 04:40:46 +09:00
rmartinc	f970803738	Check email and username for duplicated if isLoginWithEmailAllowed Closes #27297 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-02 00:14:27 +09:00
Andy	137907f5ef	Roles admin REST API: Don't expand composite roles Additionally: - Import clean-up - Added requireMapComposite as in RoleResource.addComposites Closes #26951 Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>	2024-03-02 00:03:03 +09:00
Takashi Norimatsu	1792af6850	OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor closes #27412 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-03-01 14:49:23 +01:00
graziang	082f9ec15b	Update client scopes in Client Update Request in DCR Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation. Add updateClientScopes method to set client scopes in Client Update Request in DCR. Closes #24361 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-01 12:32:45 +01:00
Albrecht Scheidig	cad34cbb04	Restore support for locales with extensions (#27285 ) Closes #27284 Signed-off-by: Albrecht Scheidig <albrecht.scheidig@hype.de>	2024-02-29 17:16:44 +00:00
Marek Posolda	ae0a0ea30b	SecureRedirectUrisEnforcerExecutor fixes (#27369 ) closes #27344 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-29 17:24:20 +01:00
Steven Hawkins	8d9439913c	fix: removal of resteasy-core (#27032 ) * fix: partial removal of resteasy-core Signed-off-by: Steve Hawkins <shawkins@redhat.com> * fix: fully removing resteasy-core closes: #26315 Signed-off-by: Steve Hawkins <shawkins@redhat.com> --------- Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-29 11:43:13 +00:00
Réda Housni Alaoui	a3b3ee4b87	Ability to declare a default "First broker login flow" per Realm Closes #25823 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-02-28 16:17:51 +01:00
Pedro Igor	788d146bf2	Use the target client when processing scopes for internal exchanges Closes #19183 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-28 15:18:43 +01:00
graziang	16a854c91b	Add option to clients to use lightweight access token Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute. The attribute value is used to enable or disable the lightweight access token. Closes #27238 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-28 10:18:26 +01:00
Pedro Igor	0c91fceaad	Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests Closes #27281 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-27 20:37:27 +09:00
Dmitry Telegin	c18c4bbeb8	Remove setContext() + minor cleanup Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-27 19:11:32 +09:00
Dmitry Telegin	87c2df0ea4	Fix UMA	2024-02-27 19:11:32 +09:00
Dmitry Telegin	be3d0b6202	Split OAuth2GrantType and OAuth2GrantTypeFactory	2024-02-27 19:11:32 +09:00
Dmitry Telegin	c73516ba5b	Revert dynamic grant type resolution	2024-02-27 19:11:32 +09:00
Dmitry Telegin	5f04ce310a	simplify OAuth2GrantType.Context creation	2024-02-27 19:11:32 +09:00
Dmitry Telegin	b81bf85a06	rebase	2024-02-27 19:11:32 +09:00
Dmitry Telegin	854ec17fd3	- rework grant type resolution to use supports() in addition to grant type - replace initialize() with setContext() - use EnvironmentDependentProviderFactory instead of runtime checks - move OAuth2GrantTypeManager to server-spi-private - javadocs, imports, minor fixes Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-27 19:11:32 +09:00
Dmitry Telegin	cc9c8fe78a	Use EnvironmentDependentProviderFactory for DeviceGrantType	2024-02-27 19:11:32 +09:00
Dmitry Telegin	983680ce0e	OAuth 2.0 Grant Type SPI Closes: #26250 Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-27 19:11:32 +09:00
rmartinc	562decde35	Perform internal introspect for the access token in the account app Closes #27243 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-27 09:19:20 +01:00
kaustubh-rh	03f6cda85a	Prevent user from removing built-in client scopes (#27134 ) Closes #26937 Signed-off-by: Kaustubh B <kbawanka@redhat.com>	2024-02-26 11:16:23 +01:00
Gilvan Filho	83af01c4c0	Add failedLoginNotBefore to AttackDetectionResource Closes #17574 Signed-off-by: Gilvan Filho <gfilho@redhat.com>	2024-02-26 09:35:51 +01:00
graziang	cecce40aa5	Avoid regenerating the totpSecret on every reload of the OTP configuration page Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload Closes #26052 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-22 19:09:09 +01:00
Pedro Igor	604274fb76	Allow setting an attribute as multivalued Closes #23539 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-02-22 12:56:44 +01:00
Takashi Norimatsu	1e12b15890	Supporting OAuth 2.1 for public clients closes #25316 Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-22 10:57:29 +01:00
Douglas Palmer	b0ef746f39	Permanently lock users out after X temporary lockouts during a brute force attack Closes #26172 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-02-22 09:34:51 +01:00
Takashi Norimatsu	9ea679ff35	Supporting OAuth 2.1 for confidential clients closes #25314 Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-22 08:34:21 +01:00
Sebastian Schuster	5e34769ee0	27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>	2024-02-22 08:24:08 +09:00
Peter Keuter	01d66a662b	Expose display name and locales when user has ANY admin role (#27160 ) * chore: expose display name and locales when user has view-realm Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: supportedlocales are available as stream Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: tests Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: remove unnecessarily added ignore Signed-off-by: Peter Keuter <github@peterkeuter.nl> --------- Signed-off-by: Peter Keuter <github@peterkeuter.nl>	2024-02-21 13:30:31 -05:00
graziang	d13dc57a29	Removing duplicate claims in action tokens Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload Closes #24980 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-21 11:30:49 +01:00
Takashi Norimatsu	1bdbaa2ca5	Client policies: executor for validate and match a redirect URI closes #25637 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-20 08:37:33 +01:00

... 3 4 5 6 7 ...

4834 commits