keycloak-scim

Author	SHA1	Message	Date
rmartinc	8042cd5d4f	Set client in the context for docker protocol Fix to execute again the docker test Closes #28649 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-30 10:17:17 +02:00
Pedro Igor	51352622aa	Allow adding realm users as an organization member Closes #29023 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-29 08:37:47 -03:00
Alexander Schwartz	d55a8b0b17	Run validation of email addresses only for new and changed email addresses Closes #29133 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-04-29 07:38:26 -03:00
Stefan Guilhen	bfabc291cc	28843 - Introduce filtered (and paginated) searches for organizations Closes #28843 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-25 12:38:20 -03:00
Stefan Guilhen	8fa2890f68	28818 - Reintroduce search by name for subgroups Closes #28818 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-25 12:06:07 -03:00
vramik	d65649d5c0	Make sure organization are only manageable by the admin users with the manage-realm role Closes #28733 Signed-off-by: vramik <vramik@redhat.com>	2024-04-23 12:16:57 -03:00
Steven Hawkins	9486432f3f	fix: removing httpclient override (#28304 ) we need to have a dependency on commons-logging-jboss-logging closes: #21392 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-04-23 10:09:06 +02:00
Mark Banierink	ad32896725	replaced and removed deprecated token methods (#27715 ) closes #19671 Signed-off-by: Mark Banierink <mark.banierink@nedap.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-23 09:23:37 +02:00
mposolda	337a337bf9	Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled closes #28968 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-22 18:31:46 +02:00
Tero Saarni	64862d568e	Convert database errors to 500 instead of 400. Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2024-04-22 11:42:18 -03:00
Stefan Guilhen	f1532565b6	Don't use no-arg version of GroupModel.getSubGroupsStream() when fetching the subgroups from the GroupResource endpoint. - prevents pre-loading all groups; instead use the stream from the JPA adapter to load subgroups one by one and then filter based on the user permissions. Closes #28935 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-22 11:27:29 -03:00
Marek Posolda	b553fc2ae0	Fix compilation error (#28965 ) closes #28964 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-22 11:19:33 +00:00
Erwin Rohde	10544a5a93	socketTimeoutUnits and establishConnectionTimeoutUnits use TimeUnit set in HttpClientBuilder Closes #28881 Signed-off-by: Erwin Rohde <erwin@rohde.nu>	2024-04-22 08:11:11 -03:00
Douglas Palmer	ed22530d16	Failure reset time is applied to Permanent Lockout Closes #28821 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-04-22 11:47:22 +02:00
Stefan Wiedemann	b08c644601	Support credentials issuance through oid4vci (#27931 ) closes #25940 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-04-22 11:37:55 +02:00
Lex Cao	7e034dbbe0	Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity (#26393 ) Closes #26201. Signed-off-by: Lex Cao <lexcao@foxmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-04-22 11:30:14 +02:00
etiksouma	1afd20e4c3	return proper error message for admin users endpoint closes #28416 Signed-off-by: etiksouma <al@mouskite.com>	2024-04-20 12:17:53 +02:00
Pedro Ruivo	3e0a185070	Remove deprecated EnvironmentDependentProviderFactory.isSupported method Closes #26280 Signed-off-by: Pedro Ruivo <pruivo@redhat.com>	2024-04-19 16:36:49 +02:00
Giuseppe Graziano	f6071f680a	Avoid the same userSessionId after re-authentication Closes keycloak/keycloak-private#69 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-19 14:44:39 +02:00
mposolda	c427e65354	Secondary factor bypass in step-up authentication closes #34 Signed-off-by: mposolda <mposolda@gmail.com> (cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)	2024-04-19 14:43:53 +02:00
Giuseppe Graziano	897c44bd1f	Validation of providerId during required action registration Closes #26109 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-19 13:06:51 +02:00
Joerg Matysiak	76a5a27082	Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it Don't mask secrets at realm export Closes #21562 Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>	2024-04-18 18:26:47 -03:00
Pedro Igor	7483bae130	Make sure admin events are not referencing sensitive data from their representation Closes #21562 Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>	2024-04-18 18:26:47 -03:00
cgeorgilakis-grnet	89263f5255	Fix refresh token scope in refresh token flow with scope request parameter Closes #28463 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-04-18 16:17:46 -03:00
Ricardo Martin	4c2542b91f	Better management of domains in TrustedHostClientRegistrationPolicy (#139 ) (#28876 ) Closes keycloak/keycloak-private#63 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-18 16:06:50 +02:00
Ricardo Martin	8daace3f69	Validate Saml URLs inside DefaultClientValidationProvider (#135 ) (#28873 ) Closes keycloak/keycloak-private#62 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-18 16:04:13 +02:00
Ricardo Martin	fc6b6f0d94	Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131 ) (#28872 ) Closes keycloak/keycloak-private#113 Closes keycloak/keycloak-private#134 Signed-off-by: rmartinc <rmartinc@redhat.com> Co-authored-by: Stian Thorgersen <stianst@gmail.com>	2024-04-18 16:02:24 +02:00
Hynek Mlnarik	9d1433d266	Update URL builder Fixes: keycloak/keycloak-quickstarts#548 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-04-18 14:50:10 +02:00
vramik	860f3b7320	Prevent updating IdP via organization API not linked with the organization Closes #28833 Signed-off-by: vramik <vramik@redhat.com>	2024-04-18 09:14:54 -03:00
Stian Thorgersen	0d60e58029	Restrict the token types that can be verified when not using the user info endpoint (#146 ) (#28866 ) Closes #47 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Conflicts: core/src/main/java/org/keycloak/util/TokenUtil.java testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-18 14:11:05 +02:00
Stian Thorgersen	cbc4a8c305	Limit requests sent through session status iframe (#132 ) (#28864 ) Closes #116 Signed-off-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-04-18 14:02:37 +02:00
rmartinc	ddacfbdefd	Remove deprecated LinkedIn social provider Closes #23127 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-18 10:10:58 +02:00
Pedro Igor	f0f8a88489	Automatically fill username when authenticating to through a broker Closes #28848 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-18 08:24:34 +02:00
Pedro Igor	1e3837421e	Organization member onboarding using the organization identity provider Closes #28273 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-17 07:24:01 -03:00
Jon Koops	3216e7c781	Only allow a known refferer URI for the Account Console (#28743 ) Closes #27628 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-04-16 17:24:22 +02:00
Pedro Ruivo	63cb137b37	Remove usages of EnvironmentDependentProviderFactory.isSupported Closes #28751 Signed-off-by: Pedro Ruivo <pruivo@redhat.com>	2024-04-16 09:43:23 +02:00
Stefan Guilhen	2ab8bf852d	Add validation for the organization's internet domains. Closes #28634 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-15 09:03:52 -03:00
Patrick Jennings	5e0d323304	Log exception when failure to augment client and re-throw instead of returning the raw client. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	551a3db987	Updating validation logic to match our expectations on what applicable should mean. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	03db2e8b56	Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	9814733dd3	DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	c0f5dab209	If client cannot be augmented due to error, we shall return the un-augmented client entity. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Patrick Jennings	42202ae45e	Translate client type exception during client create into bad request response. Signed-off-by: Patrick Jennings <pajennin@redhat.com>	2024-04-15 09:39:34 +02:00
Giuseppe Graziano	4672366eb9	Simplified checks in IntrospectionEndpoint (#28642 ) Closes #24466 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com> Co-authored-by: mposolda <mposolda@gmail.com>	2024-04-12 21:19:04 +02:00
Marek Posolda	e6747bfd23	Adjust priority of SubMapper (#28663 ) closes #28661 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-04-12 14:13:03 +02:00
Pedro Igor	61b1eec504	Prevent members with an email other than the domain set to an organization Closes #28644 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-12 08:33:18 -03:00
rmartinc	6d74e6b289	Escape slashes in full group path representation but disabled by default Closes #23900 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-12 10:53:39 +02:00
Douglas Palmer	69ba92808d	DefaultBruteForceProtector leverages a single thread to write success/failed events Closes #14084 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-04-12 09:53:40 +02:00
Pedro Igor	8f8094408e	Encapsulate the logic to set attributes into the domain model Closes #28646 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-11 15:32:21 -03:00
Marek Posolda	74faddec8e	Release notes for lightweight access tokens and group together relate… (#28622 ) closes #28460 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2024-04-11 20:02:33 +02:00
Giuseppe Graziano	33b747286e	Changed userId value for refresh token events Closes #28567 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-11 07:46:44 +02:00
Stefan Guilhen	9a466f90ab	Add ability to set one or more internet domain to an organization. Closed #28274 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-10 13:18:12 -03:00
devjos	cccddc0810	Fix brute force detection for LDAP read-only users Closes #28579 Signed-off-by: devjos <github_11837948@feido.de>	2024-04-10 16:36:11 +02:00
vramik	00ce3e34bd	Manage a single identity provider for an organization Closes #28272 Signed-off-by: vramik <vramik@redhat.com>	2024-04-10 09:47:51 -03:00
Martin Kanis	51fa054ba7	Manage organization attributes Closes #28253 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-04-10 09:10:49 -03:00
rmartinc	41b706bb6a	Initial security profile SPI to integrate default client policies Closes #27189 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-10 11:19:56 +02:00
Giuseppe Graziano	c76cbc94d8	Add sub via protocol mapper to access token Closes #21185 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-10 10:40:42 +02:00
mposolda	aa619f0170	Redirect error to client right-away when browser tab detects that another browser tab authenticated closes #27880 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-09 17:59:34 +02:00
Václav Muzikář	e4987f10f5	Hostname SPI v2 (#26345 ) * Hostname SPI v2 Closes: #26084 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Address review comment Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Partially revert the previous fix Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Do not polish values Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Remove filtering of denied categories Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> --------- Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>	2024-04-09 11:25:19 +02:00
vibrown	3fffc5182e	Added ClientType implementation from Marek's prototype Signed-off-by: vibrown <vibrown@redhat.com> More updates Signed-off-by: vibrown <vibrown@redhat.com> Added client type logic from Marek's prototype Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> Testing to see if skipRestart was cause of test failures in MR	2024-04-08 20:20:37 +02:00
Pedro Igor	52ba9b4b7f	Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user Closes #28248 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-08 09:05:16 -03:00
rmartinc	2b769e5129	Better management of the CSP header Closes https://github.com/keycloak/keycloak/issues/24568 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-08 08:19:57 +02:00
Giuseppe Graziano	b4f791b632	Remove session_state from tokens Closes #27624 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-08 08:12:51 +02:00
Alexander Schwartz	647bce49c8	Add error details to events to be able to track down root causes Closes #28429 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-04-04 20:28:45 +02:00
Justin Tay	30cd40e097	Use realm default signature algorithm for id_token_signed_response_alg Closes #9695 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-04 11:37:28 +02:00
Justin Tay	89a5da1afd	Allow empty key use in JWKS for client authentication Closes #28004 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-04 10:42:37 +02:00
Marek Posolda	335a10fead	Handle 'You are already logged in' for expired authentication sessions (#27793 ) closes #24112 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-04 10:41:03 +02:00
Anar Sultanov	6708f1f12d	Update method for sending identity broker link confirmation Signed-off-by: Anar Sultanov <anar.sultanov@assessio.se>	2024-04-03 19:08:51 -03:00
Hynek Mlnarik	8ef3423f4a	Present effective sync mode value When sync mode value is missing in the config of newly created identity provider, the provider does not store any. When no value is found, the identity provider behaves as if `LEGACY` was used (#6705). This PR ensures the correct sync mode is returned from the REST endpoint, regardless of whether it has been stored in the database or not. Fixes: #26019 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-04-03 15:49:18 +02:00
Pedro Igor	fefeb83588	Changes the contract to make it simpler and rely on the realm available from the current session Closes #28403 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-03 14:45:31 +02:00
Nicola Beghin	a7e5c861cc	fixes SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor (keycloak/keycloak#27875 ) Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>	2024-04-02 10:58:15 +02:00
Giuseppe Graziano	fe06df67c2	New default client scope for 'basic' claims with 'auth_time' protocol mapper Closes #27623 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-02 08:44:28 +02:00
Pedro Igor	b9a7152a29	Avoid commiting the transaction prematurely when creating users through the User API Closes #28217 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-27 19:16:09 -03:00
Lex Cao	a53cacc0a7	Fire logout event when logout other sessions (#26658 ) Closes #26658 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-03-27 11:13:48 +01:00
Jon Koops	3382e16954	Remove Account Console version 2 (#27510 ) Closes #19664 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-03-27 10:53:28 +01:00
Steven Hawkins	be32f8b1bf	fix: limit the use of Resteasy to the KeycloakSession (#28150 ) * fix: limit the use of Resteasy to the KeycloakSession contextualizes other state to the KeycloakSession close: #28152	2024-03-26 13:43:41 -04:00
vramik	fa1571f231	Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member Closes #27993 Signed-off-by: vramik <vramik@redhat.com>	2024-03-26 14:02:09 -03:00
vramik	e7bc796553	When the realm has registrationEmailAsUsername set to false (default) it's not possible to add a member to an org Closes #28216 Signed-off-by: vramik <vramik@redhat.com>	2024-03-26 14:02:09 -03:00
Pedro Igor	a470711dfb	Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider Closes #28100 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-26 10:14:49 -03:00
Stian Thorgersen	8cbd39083e	Default password hashing algorithm should be set to default password hash provider (#28128 ) Closes #28120 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 12:44:11 +01:00
Stian Thorgersen	3f9cebca39	Ability to set the default provider for an SPI (#28135 ) Closes #28134 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 07:45:08 +01:00
Reda Bourial	a41d865600	fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY (#27756 ) Signed-off-by: Reda Bourial <reda.bourial@gmail.com>	2024-03-21 17:06:42 +01:00
Steven Hawkins	7eab019748	task: deprecate WILDCARD and STRICT options (#26833 ) closes: #24893 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-21 16:22:41 +01:00
Steven Hawkins	35b9d8aa49	task: remove usage of resteasy-core-spi (#27387 ) closes: #27242 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-21 15:28:34 +01:00
Giuseppe Graziano	939420cea1	Always include offline_access scope when refreshing with offline token Closes #27878 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-03-21 14:32:31 +01:00
Pedro Igor	32541f19a3	Allow managing members for an organization Closes #27934 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-21 10:26:30 -03:00
Martin Kanis	4154d27941	Invalidating offline token is not working from client sessions tab Closes #27275 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-03-21 09:04:58 -03:00
Pedro Igor	f970deac37	Do not grant scopes not granted for resources owned the resource server itself Closes #25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-20 18:36:41 +01:00
René Zeidler	83a3500ccf	Attributes without a group should appear first In the login theme, user profile attributes that are not assigned to an attribute group should appear before all other attributes. This aligns the login theme (registration, verify profile, etc.) with the account and admin console. Fixes #27981 Signed-off-by: René Zeidler <rene.zeidler@gmx.de>	2024-03-19 18:40:01 +01:00
Peter Skopek	b77e228be4	Fix javadoc generation failure introduced with new dependencies for OID4VCI support (#28038) Fixes #28038 Signed-off-by: Peter Skopek <pskopek@redhat.com>	2024-03-19 14:14:53 +01:00
Stefan Wiedemann	67d3e1e467	Issue Verifiable Credentials in the VCDM format #25943 (#27071 ) closes #25943 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet	24f105e8fc	successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex Closes #23528 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-03-18 08:19:13 -03:00
Alexander Schwartz	62d24216e3	Remove offline session preloading Closes #27602 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-15 15:19:27 +01:00
Pedro Igor	7fc2269ba5	The bare minimum implementation for organization Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: vramik <vramik@redhat.com>	2024-03-15 11:06:43 -03:00
Peter Keuter	e26a261e4e	Filter subgroups before paginating Closes #27512 Signed-off-by: Peter Keuter <github@peterkeuter.nl>	2024-03-15 10:57:57 +01:00
sebastien-helbert	e33bf39055	Review log message (#23962 ) missing spaces added in log message	2024-03-14 13:44:22 +01:00
Alexander Schwartz	6de5325d1c	Limit the received content when handling the content as a String Closes #27293 Co-authored-by: rmartinc <rmartinc@redhat.com> Signed-off-by: rmartinc <rmartinc@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-13 16:43:03 +01:00
Réda Housni Alaoui	1bf90321ad	"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578 ) closes #27558 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-03-13 14:00:34 +01:00
rmartinc	43a5779f6e	Do not challenge inside spnego authenticator is FORKED_FLOW Closes #20637 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-12 14:23:03 +01:00
Pedro Igor	1e48cce3ae	Make sure empty configuration resolves to the system default configuration Closes #27611 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-11 09:01:38 -03:00
Stefan Wiedemann	6fc69b6a01	Issue Verifiable Credentials in the SD-JWT-VC format (#27207 ) closes #25942 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>	2024-03-11 08:55:28 +01:00
Hynek Mlnarik	26468e11f2	Use correct path to account console Fixes: #27709 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-03-08 14:31:32 +01:00
Ricardo Martin	299118c45a	Change oidcScopeMissing from WARN to DEBUG (#27439 ) Closes #27391 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-08 10:50:21 +00:00
Erik Jan de Wit	7d104dbe9d	no result to parse on success (#27336 ) * no result to parse on success fixes: #27245 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * translate error message Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-03-08 09:56:23 +01:00
Pedro Igor	40385061f7	Make sure refresh token expiration is based on the current time when the token is issued Closes #27180 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-07 15:23:19 +01:00
rmartinc	ea4155bbcd	Remove recursively when deleting an authentication executor Closes #24795 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-07 14:43:23 +01:00
graziang	54b40d31b6	Revoked token cache expiration fix Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token. Closes #26113 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-07 13:33:37 +01:00
Alexander Schwartz	595959398b	Instead of an InputStream that doesn't know about its encoding, use a String Closes #20916 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-07 10:24:36 +00:00
rmartinc	dea15e25da	Only add the nonce claim to the ID Token (mapper for backwards compatibility) Closes #26893 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-07 09:56:57 +01:00
Theresa Henze	653d09f39a	trigger REMOVE_TOTP event on removal of an OTP credential Closes #15403 Signed-off-by: Theresa Henze <theresa.henze@bare.id>	2024-03-06 17:12:50 +01:00
graziang	39299eeb38	Encode role name parameter in the location header uri The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}. Closes #27514 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-06 15:59:26 +01:00
rmartinc	82af0b6af6	Initial client policies integration for SAML Closes #26654 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-06 15:18:35 +01:00
graziang	4fa940a31e	Device verification flow always requires consent Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve Closes #26100 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-05 14:14:19 +01:00
Tero Saarni	e06fcbe6ae	Change supported criteria for Google Authenticator List Google Authenticator as supported when - hash algorithm is SHA256 or SHA512 - number of digits is 8 - OTP type is hotp Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2024-03-05 11:19:06 +01:00
Jon Koops	7afd75ba08	Use browser router for Account Console (#22192 ) Closes #27442 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-03-04 12:38:28 +00:00
Steven Hawkins	be3e2fabc4	fix: remove the reliance on allowed classes (#27368 ) closes: #25038 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-04 12:17:53 +00:00
Lucy Linder	aa6771205a	Update ReCAPTCHA and add support for ReCAPTCHA Enterprise Closes #16138 Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>	2024-03-04 20:28:06 +09:00
vramik	032bb8e9cc	Map Store Removal: Remove obsolete `KeycloakModelUtils.isUsernameCaseSensitive` method Closes #27438 Signed-off-by: vramik <vramik@redhat.com>	2024-03-02 04:40:46 +09:00
rmartinc	f970803738	Check email and username for duplicated if isLoginWithEmailAllowed Closes #27297 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-02 00:14:27 +09:00
Andy	137907f5ef	Roles admin REST API: Don't expand composite roles Additionally: - Import clean-up - Added requireMapComposite as in RoleResource.addComposites Closes #26951 Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>	2024-03-02 00:03:03 +09:00
Takashi Norimatsu	1792af6850	OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor closes #27412 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-03-01 14:49:23 +01:00
graziang	082f9ec15b	Update client scopes in Client Update Request in DCR Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation. Add updateClientScopes method to set client scopes in Client Update Request in DCR. Closes #24361 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-01 12:32:45 +01:00
Albrecht Scheidig	cad34cbb04	Restore support for locales with extensions (#27285 ) Closes #27284 Signed-off-by: Albrecht Scheidig <albrecht.scheidig@hype.de>	2024-02-29 17:16:44 +00:00
Marek Posolda	ae0a0ea30b	SecureRedirectUrisEnforcerExecutor fixes (#27369 ) closes #27344 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-29 17:24:20 +01:00
Steven Hawkins	8d9439913c	fix: removal of resteasy-core (#27032 ) * fix: partial removal of resteasy-core Signed-off-by: Steve Hawkins <shawkins@redhat.com> * fix: fully removing resteasy-core closes: #26315 Signed-off-by: Steve Hawkins <shawkins@redhat.com> --------- Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-29 11:43:13 +00:00
Réda Housni Alaoui	a3b3ee4b87	Ability to declare a default "First broker login flow" per Realm Closes #25823 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-02-28 16:17:51 +01:00
Pedro Igor	788d146bf2	Use the target client when processing scopes for internal exchanges Closes #19183 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-28 15:18:43 +01:00
graziang	16a854c91b	Add option to clients to use lightweight access token Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute. The attribute value is used to enable or disable the lightweight access token. Closes #27238 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-28 10:18:26 +01:00
Pedro Igor	0c91fceaad	Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests Closes #27281 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-27 20:37:27 +09:00
Dmitry Telegin	c18c4bbeb8	Remove setContext() + minor cleanup Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-27 19:11:32 +09:00
Dmitry Telegin	87c2df0ea4	Fix UMA	2024-02-27 19:11:32 +09:00
Dmitry Telegin	be3d0b6202	Split OAuth2GrantType and OAuth2GrantTypeFactory	2024-02-27 19:11:32 +09:00
Dmitry Telegin	c73516ba5b	Revert dynamic grant type resolution	2024-02-27 19:11:32 +09:00
Dmitry Telegin	5f04ce310a	simplify OAuth2GrantType.Context creation	2024-02-27 19:11:32 +09:00
Dmitry Telegin	b81bf85a06	rebase	2024-02-27 19:11:32 +09:00
Dmitry Telegin	854ec17fd3	- rework grant type resolution to use supports() in addition to grant type - replace initialize() with setContext() - use EnvironmentDependentProviderFactory instead of runtime checks - move OAuth2GrantTypeManager to server-spi-private - javadocs, imports, minor fixes Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-27 19:11:32 +09:00
Dmitry Telegin	cc9c8fe78a	Use EnvironmentDependentProviderFactory for DeviceGrantType	2024-02-27 19:11:32 +09:00
Dmitry Telegin	983680ce0e	OAuth 2.0 Grant Type SPI Closes: #26250 Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-27 19:11:32 +09:00
rmartinc	562decde35	Perform internal introspect for the access token in the account app Closes #27243 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-27 09:19:20 +01:00
kaustubh-rh	03f6cda85a	Prevent user from removing built-in client scopes (#27134 ) Closes #26937 Signed-off-by: Kaustubh B <kbawanka@redhat.com>	2024-02-26 11:16:23 +01:00
Gilvan Filho	83af01c4c0	Add failedLoginNotBefore to AttackDetectionResource Closes #17574 Signed-off-by: Gilvan Filho <gfilho@redhat.com>	2024-02-26 09:35:51 +01:00
graziang	cecce40aa5	Avoid regenerating the totpSecret on every reload of the OTP configuration page Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload Closes #26052 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-22 19:09:09 +01:00
Pedro Igor	604274fb76	Allow setting an attribute as multivalued Closes #23539 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-02-22 12:56:44 +01:00
Takashi Norimatsu	1e12b15890	Supporting OAuth 2.1 for public clients closes #25316 Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-22 10:57:29 +01:00
Douglas Palmer	b0ef746f39	Permanently lock users out after X temporary lockouts during a brute force attack Closes #26172 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-02-22 09:34:51 +01:00
Takashi Norimatsu	9ea679ff35	Supporting OAuth 2.1 for confidential clients closes #25314 Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-22 08:34:21 +01:00
Sebastian Schuster	5e34769ee0	27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>	2024-02-22 08:24:08 +09:00
Peter Keuter	01d66a662b	Expose display name and locales when user has ANY admin role (#27160 ) * chore: expose display name and locales when user has view-realm Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: supportedlocales are available as stream Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: tests Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: remove unnecessarily added ignore Signed-off-by: Peter Keuter <github@peterkeuter.nl> --------- Signed-off-by: Peter Keuter <github@peterkeuter.nl>	2024-02-21 13:30:31 -05:00
graziang	d13dc57a29	Removing duplicate claims in action tokens Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload Closes #24980 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-21 11:30:49 +01:00
Takashi Norimatsu	1bdbaa2ca5	Client policies: executor for validate and match a redirect URI closes #25637 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-20 08:37:33 +01:00
Stefan Wiedemann	aa6b102e3d	Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 (#27030 ) closes #26936 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-02-19 17:41:40 +01:00
Pedro Hos	6b3fa8b7a7	Invalid redirect uri when identity provider alias has spaces (#22840 ) closes #22836 Co-authored-by: Marek Posolda <mposolda@gmail.com>	2024-02-19 14:40:42 +01:00
Takashi Norimatsu	2f35d0e346	Add EdDSA/Ed25519 to WebAuthn Signature algorithms closes #15000 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-19 14:08:04 +01:00
graziang	1f57fc141c	UPDATED_PASSWORD required-action triggered only when login using password `UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`. Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method. Closes #17155 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-16 18:16:36 +01:00
Marek Posolda	c94f9f5716	Remove random redirect after password reset (#27076 ) closes #20867 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Ricardo Martin <rmartinc@redhat.com>	2024-02-16 18:13:27 +01:00
mposolda	eff6c3af78	During password reset, the baseURL is not shown on the info page after browser restart closes #21127 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-15 18:48:53 +01:00
Michal Hajas	e55ba5dcdc	Make sure pagination is used even when first is null for getGroups endpoint Closes #25731 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2024-02-15 19:46:04 +09:00
rmartinc	4ff4c3f897	Increase internal algorithm security using HS512 and 128 byte hmac keys Closes #13080 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-15 08:16:45 +01:00
Steven Hawkins	df38081fe8	fix: add an info message, and converts info to debug on non-pem files (#26939 ) * fix: add an info message, and converts info to debug on non-pem files closes: #26929 Signed-off-by: Steve Hawkins <shawkins@redhat.com> * Update services/src/main/java/org/keycloak/truststore/TruststoreBuilder.java Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> --------- Signed-off-by: Steve Hawkins <shawkins@redhat.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>	2024-02-14 19:55:53 +01:00
rmartinc	bc82929e3a	Cors modifications for UserInfo endpoint Closes #26782 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-14 18:24:06 +01:00
vibrown	161d03efd2	Added SPIs for ClientType and ClientTypeManager Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype. Closes #26431 Signed-off-by: vibrown <vibrown@redhat.com> Cleaned up TODOs Signed-off-by: vibrown <vibrown@redhat.com> Added isSupported methods Signed-off-by: vibrown <vibrown@redhat.com>	2024-02-13 19:26:19 +01:00
rmartinc	bb12f3fb82	Do not require non-builtin attributes for service accounts Closes #26716 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-13 17:42:59 +01:00
Steven Hawkins	6bbf8358b4	task: addressing build warnings (#26877 ) Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-13 17:04:43 +01:00
Steven Hawkins	3a04acab51	fix: adds pfx as a recognized extension (#26876 ) closes #24661 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-13 15:38:12 +01:00
Pedro Igor	e50642ac32	Allow setting a default user profile configuration Closes #26489 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-12 11:16:48 +01:00
Réda Housni Alaoui	67718c653a	UPDATE_EMAIL action token handling should allow the user to resume its navigation to the redirect uri Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-02-08 18:32:38 -03:00
Michal Hajas	de598577b1	Fix confusing SAML NameId mapper format tooltip Closes #26051 Signed-off-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>	2024-02-08 11:21:11 +01:00
Tero Saarni	ac1780a54f	Added event for temporary lockout for brute force protector (#26630 ) This change adds event for brute force protector when user account is temporarily disabled. It also lowers the priority of free-text log for failed login attempts. Signed-off-by: Tero Saarni <tero.saarni@est.tech> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-02-07 14:13:33 +00:00
Kamontat Chantrachirathumrong	516bfbe896	Support custom common path (#22717 ) Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>	2024-02-06 20:41:39 -05:00
Dmitry Telegin	da69beed4d	CORS SPI - code review Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-06 15:27:53 -03:00
Dmitry Telegin	b0403e2268	CORS SPI Closes #25446 Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-06 15:27:53 -03:00
mposolda	f468885fdd	Empty error message when validation issue due the PersonNameProhibitedValidator validation closes #26750 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-06 12:56:50 -03:00
Stian Thorgersen	c4b1fd092a	Use code from RestEasy to create and set cookies (#26558 ) Closes #26557 Signed-off-by: stianst <stianst@gmail.com>	2024-02-06 15:14:04 +01:00
rmartinc	720c5c6576	PKCE should return error if code_verifier sent but no code_challenge in the authorization request Closes #26430 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-06 08:31:56 -03:00
Michal Hajas	00742a62dd	Remove RealmModel from authorization services interfaces (#26708 ) Closes #26530 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2024-02-02 16:51:32 +01:00
Thomas Darimont	277af021d7	Improve ScheduledTask task-name handling This PR introduces a String getTaskName() default method to the ScheduledTask interface and adjusts call sites to use the implementation derived task name where possible. Previously, ScheduledTask names were passed around separately, which lead to unhelpful debug messages. We now give ScheduledTask implementations control over their task-name which allows for more flexible naming. Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database. Ensure that Realm is already committed before updating sync via UserStorageSyncManager Align Sync task name generation for cancellation to support SyncFederationTest Only log a message if sync task was actually canceled. Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-02-02 09:57:03 -03:00
ShefeeqPM	65c7cd6008	removing duplicate open id scope (#26542 ) Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com> Signed-off-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2024-02-02 09:08:18 +00:00
alcalin	59b2dd69e3	Update AuthenticationManager.java (#26586 ) Fix typo in log message for unlogged clients Signed-off-by: alcalin <alexcalin02@gmail.com>	2024-02-01 13:56:26 +00:00
Pedro Igor	3a7ce54266	Allow formating numbers when rendering attributes Closes keycloak#26320 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-01 08:14:58 -03:00
Stian Thorgersen	64b5f42c4a	Revert new behaviour around setting secure flag for cookies (#26650 ) Closes #26649 Signed-off-by: stianst <stianst@gmail.com>	2024-01-31 19:33:56 +01:00
Lex Cao	a43ba73b93	Skip link only when client is not system when logout (#24595 ) Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-31 17:50:26 +01:00
rmartinc	01be4032d8	Enable verify-profile required action by default Closes #25985 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-31 13:32:53 +01:00
Lex Cao	f83756b177	Error handle for the Json request in createErrorPage Closes #13368 These changes introduce a new error handler for building error based on the media type. - It should create error form response when it is valid HTML request - It could create error response with JSON if content type matches Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-31 09:31:30 -03:00
mposolda	10ba70c972	Possibility to email being not required closes #26552 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-01-31 10:57:10 +01:00
Thomas Darimont	346c2926f6	Fix error type in SAML response on missing destination We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE. Added proposed test case. Closes #11178 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Chris Dolphy <cdolphy@redhat.com>	2024-01-31 09:32:14 +01:00
Stefan Wiedemann	fa948f37e0	Issue Verifiable Credentials in jwt_vc format #25941 (#26484 ) closes #25941 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-01-30 18:35:20 +01:00
mposolda	1213556eff	Fixes for UsernameIDNHomographValidator closes #26564 Signed-off-by: mposolda <mposolda@gmail.com>	2024-01-30 14:30:28 +01:00
Chris Tanaskoski	5373f3c97a	Don't fail reset credentials action upon first broker login without `EXISTING_USER_INFO` (#26324 ) The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set. This commit does not attempt to fetch the existing user if we don't have this info set. Closes #26323 Signed-off-by: Chris Tanaskoski <chris@devristo.com>	2024-01-30 11:16:52 +00:00
Stian Thorgersen	0fb6bdfcac	Cookie Provider - move remaining cookies (#26531 ) Closes #26500 Signed-off-by: stianst <stianst@gmail.com>	2024-01-29 11:06:37 +01:00
Stian Thorgersen	bc3c27909e	Cookie Provider (#26499 ) Closes #26500 Signed-off-by: stianst <stianst@gmail.com>	2024-01-26 10:45:00 +01:00
Marek Posolda	651d99db25	Allow selecting attributes from user profile when managing token mappers (#26415 ) * Allow selecting attributes from user profile when managing token mappers closes #24250 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-01-25 17:01:02 +01:00
Martin Kanis	7797f778d1	Map Store Removal: Rename legacy modules Closes #24107 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-01-25 16:29:16 +01:00
Erik Jan de Wit	28c9f98930	moved login screen to patternfly 5 (#25340 ) * moved login screen to patternfly 5 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added Feature flag to enable login v2 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * removed the old css and only include logo and background styles Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * changed to experimental Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added login2 Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added windows help texts Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-01-25 13:45:53 +01:00
Ricardo Martin	b58f35fb47	Revert "Enable verify profile required action by default for new realms" (#26495 ) This reverts commit `7f195acc14`. Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-25 12:28:16 +01:00
Stefan Wiedemann	efa6ddc41e	Create SPI and Provider for Verifiable Credentials Signing #25937 (#26263 ) * implement oid4vci service interfaces Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add oid4vc to the disabled features test Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix test and add doc Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add the new preview feature Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add class-level doc remove wildcard imports Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add license headers Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix year Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix teste Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * two additional test fixes Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * make the feature experimental Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * remove clock Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * remove usage of var Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix tests Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> --------- Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-01-25 07:36:28 +01:00
Stian Thorgersen	cbfdae5e75	Remove support for multiple AUTH_SESSION_ID cookies (#26462 ) Closes #26457 Signed-off-by: stianst <stianst@gmail.com>	2024-01-25 06:58:42 +01:00
rmartinc	7f195acc14	Enable verify profile required action by default for new realms Closes #25985 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-24 20:28:06 +01:00
Florian Garcia	af0b9164e3	fix: hardcoded conditional rendering of client secret input field (#25776 ) Closes #22660 Signed-off-by: ImFlog <garcia.florian.perso@gmail.com> Co-authored-by: useresd <yousifmagdi@gmail.com>	2024-01-24 16:30:22 +01:00
Stian Thorgersen	85ddac26ed	Remove code that expires old cookie paths (#26444 ) Closes #26416 Signed-off-by: stianst <stianst@gmail.com>	2024-01-24 13:43:03 +01:00
Lex Cao	142c14138f	Add verify email required action for IdP email verification Closes #26418 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-24 12:15:09 +01:00
Takashi Norimatsu	b99f45ed3d	Supporting EdDSA closes #15714 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com> Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com> Co-authored-by: rmartinc <rmartinc@redhat.com>	2024-01-24 12:10:41 +01:00
Martin Kanis	84603a9363	Map Store Removal: Rename Legacy* classes (#26273 ) Closes #24105 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-01-23 13:50:31 +00:00
Douglas Palmer	ffa069a33b	Invalidate authentication session on repeated Recovery Code failures Closes #26180 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-22 11:57:47 +01:00
Stian Thorgersen	656e680019	Remove unused HttpResponse.setWriteCookiesOnTransactionComplete (#26326 ) Closes #26325 Signed-off-by: stianst <stianst@gmail.com>	2024-01-20 11:31:10 +01:00
Martin Bartoš	98be32d9ff	Parse default UserProfile configuration in the build time Closes #24890 Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2024-01-19 17:05:59 -03:00
Douglas Palmer	e7d842ea32	Invalidate session secretly Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-19 15:44:35 -03:00
Douglas Palmer	18d0105de0	Invalidate authentication session on repeated OTP failures Closes #26177 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-19 15:44:35 -03:00
Pedro Igor	62020ffc68	Make sure the component resolves to a UPConfig before cloning it Closes #26308	2024-01-18 19:11:48 +01:00
rmartinc	2f0a0b6ad8	Remove deprecated mode for saml encryption Closes #26291 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-18 16:52:10 +01:00
cgeorgilakis-grnet	ccade62289	Enhance error logs and error events during UserInfo endpoint and Token Introspection failure Closes #24344 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-01-16 11:26:29 +01:00
Alexander Schwartz	b9498b91cb	Deprecating the offline session preloading (#26160 ) Closes #25300 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-16 09:29:01 +01:00
cgeorgilakis-grnet	a3257ce08f	OIDC Protocol Mappers with same claim Closes #25774 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-01-15 09:16:12 -03:00
rmartinc	e162974a8d	Integrate registration with terms and conditions required action Closes #25891 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-15 10:19:30 +01:00
MikeTangoEcho	c2b132171d	Add X509 thumbprint to JWT when using private_key_jwt Closes keycloak#12946 Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>	2024-01-12 16:01:01 +01:00
Lex Cao	47f7e3e8f1	Use email verification instead of executing action for `send-verify-email` endpoint Closes #15190 Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl` Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours) Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-11 16:28:02 -03:00
mposolda	692aeee17d	Enable user profile by default closes #25151 Signed-off-by: mposolda <mposolda@gmail.com>	2024-01-11 12:48:44 -03:00
Patrick Hamann	d36913a240	Ensure protocol forced reauthentication is correctly mapped during SAML identity brokering Closes #25980 Signed-off-by: Patrick Hamann <patrick@fastly.com>	2024-01-10 20:46:35 +01:00
rmartinc	179ca3fa3a	Sanitize logs in JBossLoggingEventListenerProvider Closes #25078 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-10 16:50:27 +01:00
Réda Housni Alaoui	3c05c123ea	On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-09 16:04:52 -03:00
shigeyuki kabano	67e73d3d4e	Enhancing Lightweight access token M2(keycloak#25716) Closes keycloak#23724 Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>	2024-01-09 09:42:30 +01:00
Ricardo Martin	097d68c86b	Escape action in the form_post.jwt and only decode path in RedirectUtils (#93 ) (#25995 ) Closes #90 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-09 08:20:14 +01:00
Steven Hawkins	d1d1d69840	fix: adds a general error message and descriptions for some exceptions (#25806 ) closes: #25746 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-01-08 18:19:40 +00:00
Felix Gustavsson	0f47071a29	Check if UMA is enabled on resource, if not reject the request. Closes #24422 Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>	2024-01-08 11:28:57 -03:00
agagancarczyk	768231d950	Localization tabs (#25532 ) * Add new localization tabs to Administration Console Closes #23057 Signed-off-by: Agnieszka <agancarc@redhat.com> Signed-off-by: Jon Koops <jonkoops@gmail.com> * css cleanup Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com> * css cleanup Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com> --------- Signed-off-by: Agnieszka <agancarc@redhat.com> Signed-off-by: Jon Koops <jonkoops@gmail.com> Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>	2024-01-08 14:03:26 +00:00
atharva kshirsagar	d7542c9344	Fix for empty realm name issue Throw ModelException if name is empty when creating/updating a realm Closes #17449 Signed-off-by: atharva kshirsagar <atharva4894@gmail.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-05 14:23:42 +01:00
Pedro Igor	8ff9e71eae	Do not allow verifying email from a different account Closes #14776 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 12:45:07 +01:00
Pedro Igor	f476a42d66	Fixing the registration_client_uri to point to a valid URI after updating a client Closes #23229 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 12:41:36 +01:00
Pedro Igor	986b6af4f5	Make sure the context path from the base URI is respected when building TOTP URIs Closes #21542 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 07:10:49 -03:00
Réda Housni Alaoui	a21e95c5ae	In UserProfileContext.IDP_REVIEW, NPE on UserModel#getEmail because UserModelDelegate#delegate is null Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-03 15:00:30 -03:00
Ben Cresitello-Dittmar	057d8a00ac	Implement Authentication Method Reference (AMR) claim from OIDC specification This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens. This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note. The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens. Closes #19190 Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>	2024-01-03 14:59:05 -03:00
Jon Koops	07f9ead128	Upgrade Welcome theme to PatternFly 5 Closes #21343 Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-01-03 14:46:01 -03:00
Pedro Igor	15b10f58fc	Make the user attribute available to the idp-review-user-profile.ftl template Closes #25872 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-03 13:26:33 -03:00
Réda Housni Alaoui	5287500703	@NoCache is not considered anymore Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-02 09:06:55 -03:00
Alexander Schwartz	9e890264df	Adding a test case to check that the expiration time is set on logout tokens Closes #25753 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-22 20:13:40 +01:00
Niko Köbler	5e623f42d4	add the exp claim to the backchannel logout token This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4. As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time. resolves #25753 Signed-off-by: Niko Köbler <niko@n-k.de>	2023-12-22 20:13:40 +01:00
DAHAG-ArisNourbakhsh	b52d97475a	Add raw OpenApi documentation files to rest-api documentation (#22940 ) Add raw OpenApi documentation files to rest-api documentation Closes #21559 Signed-off-by: Aris Nourbakhsh <aris.nourbakhsh@dahag.de> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-21 12:07:33 +01:00
Pedro Igor	ceb085e7b8	Update the UPDATE_EMAIL feature to rely on the user profile configuration when rendering templates and validating the email Closes #25704 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-20 15:15:06 -03:00
rmartinc	c2e41b0eeb	Make Locale updater generate an event and use the user profile Closes #24369 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-20 15:26:45 +01:00
Konstantinos Georgilakis	cf57af1d10	scope parameter in refresh flow Closes #12009 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2023-12-20 14:00:10 +01:00
mposolda	eb184a8554	More info on UserProfileContext closes #25691 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-19 13:00:31 -03:00
Ricardo Martin	32a70cbedd	Strip off user-info from redirect URI when validating using wildcard (#61 ) Closes keycloak/keycloak-private#58 Closes https://issues.redhat.com/browse/RHBK-679 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-19 10:13:36 -03:00
Joshua Sorah	d411eafc42	Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207 Closes keycloak/keycloak#25584 Signed-off-by: Joshua Sorah <jsorah@redhat.com>	2023-12-19 10:38:05 +01:00
Ricardo Martin	2ba7a51da6	Escape action in the form_post response mode (#60 ) Closes keycloak/keycloak-private#31 Closes https://issues.redhat.com/browse/RHBK-652 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-18 18:10:41 -03:00
Konstantinos Georgilakis	ba8c22eaf0	Scope parameter in Oauth 2.0 token exchange Closes #21578 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2023-12-18 15:44:26 -03:00
Pedro Igor	778847a3ce	Updating theme templates to render user attributes based on the user profile configuration Closes #25149 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-18 15:35:52 -03:00
rmartinc	d841971ff4	Updating the UP configuration needs to trigger an admin event Close #23896 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-18 19:24:30 +01:00
mposolda	cd154cf318	User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect closes #25475 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-18 11:32:27 +01:00
Takashi Norimatsu	59536becec	Client policies : executor for enforcing DPoP closes #25315 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2023-12-18 10:45:18 +01:00
Yoshiyuki Tabata	0ca73829d0	Fix OpenAPI spec POST /admin/realms/{realm}/clients Closes #21536 Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>	2023-12-18 10:08:54 +01:00
Yoshiyuki Tabata	66ee27f413	Fix OpenAPI spec POST /admin/realms/{realm}/clients-initial-access Closes #25656 Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>	2023-12-18 09:12:02 +01:00
Joshua Sorah	a10149bbe9	For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs Closes keycloak#25544 Signed-off-by: Joshua Sorah <jsorah@redhat.com>	2023-12-18 09:05:51 +01:00
Yoshiyuki Tabata	5bdadaacbc	Modify OpenAPI spec POST /admin/realms Closes #25565 Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>	2023-12-18 08:41:23 +01:00
Sophie Tauchert	3ab24afe93	Add response annotations to resourceserver Closes: #25604 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-12-15 19:45:39 +01:00
Erwin Rooijakkers	860978b15a	Change arg of getSubGroups to briefRepresentation Parameter name briefRepresentation should mean briefRepresentation, not full. This way callers will by default get the full representation, unless true is passed as value for briefRepresentation. Fixes #25096 Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>	2023-12-14 17:23:27 +01:00
Steven Hawkins	08751001db	enhance: adds truststores to the keycloak cr (#25215 ) also generally correcting the misspelling trustore closes: #24798 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2023-12-14 11:15:06 -03:00
mposolda	c81b533cf6	Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration closes #25416 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-14 14:43:28 +01:00
Douglas Palmer	4b11afa87b	NullPointerException when key is not available in the database (#25395 ) * NullPointerException when key is not available in the database Closes #24485 Signed-off-by: Douglas Palmer <dpalmer@redhat.com> Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-12-14 09:57:53 +01:00
Václav Muzikář	e4c348e99e	Add new `--proxy-headers` option (#25178 ) * Add new `--proxy-headers` option Closes #23431 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> Co-authored-by: Martin Bartoš <mabartos@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> * Address review comments vol. 03 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Address review comments vol. 04 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> --------- Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> Co-authored-by: Martin Bartoš <mabartos@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-13 10:48:12 -03:00
Pedro Igor	fa79b686b6	Refactoring user profile interfaces and consolidating user representation for both admin and account context Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-13 08:27:55 +01:00
Pedro Igor	78ba7d4a38	Do not allow removing username and email from user profile configuration Closes #25147 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-11 08:30:28 +01:00
Sophie Tauchert	1d56e0371e	Make sure authz endpoints are documented in openapi spec Closes: #25259 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-12-08 16:45:13 +01:00
mposolda	90bf88c540	Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers closes #24718 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-12-08 12:26:35 +01:00
saumeen prajapati	d829534237	Remove single quote from log string Closes #25060 Signed-off-by: saumeen prajapati <psaumeen@gmail.com>	2023-12-07 20:08:07 +00:00
wojnarfilip	925c5572ad	Re-enable Federated Access Token in user sessions Closes #25290 Signed-off-by: wojnarfilip <fwojnar@redhat.com>	2023-12-07 19:55:20 +01:00
Vlasta Ramik	df465456b8	Map Store Removal: Remove `LockObjectsForModification` (#25323 ) Signed-off-by: vramik <vramik@redhat.com> Closes #24793	2023-12-07 12:43:43 +00:00
Fouad Almalki	0e535d2bbe	Retrieve ClientConnection by invoking getConnection() instead of getContextObject() Signed-off-by: Fouad Almalki <me@fouad.io>	2023-12-07 13:11:54 +01:00
Stefan Guilhen	7b63d6d500	Remove ResponseSessionTask - this was tightly related to retriable transactions added to map store and is no longer needed. Closes #25309 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2023-12-06 19:53:53 +01:00
Stefan Guilhen	8e918c2ebf	Revert changes to OIDCIdentityProvider that enlisted the client logout requests in a separate transaction. Closes #25308 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2023-12-06 19:47:04 +01:00
rmartinc	522e8d2887	Workaround to allow percent chars in getGroupByPath via PathSegment Closes #25111 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-06 14:22:34 -03:00
rmartinc	d004e9295f	Do not allow remove a credential in account endpoint if provider marks it as not removable Closes #25220 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-05 17:11:57 +01:00
Michal Hajas	ec061e77ed	Remove GlobalLockProviderSpi (#25206 ) Closes #24103 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-12-01 16:40:56 +00:00
Ricardo Martin	3b26e5d489	Add active RSA key to decryption if deprecated mode (#25205 ) Closes https://github.com/keycloak/keycloak/issues/24652 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-01 13:40:47 +00:00
mposolda	3fa2d155ca	Decouple factory methods from the provider methods on UserProfileProvider implementation closes #25146 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-01 10:30:57 -03:00
Pedro Igor	c7f63d5843	Add options to change behavior on how unmanaged attributes are managed Closes #24934 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-11-30 06:58:21 -03:00
Steven Hawkins	8c3df19722	feature: add option for creating a global truststore (#24473 ) closes #24148 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Martin Bartoš <mabartos@redhat.com>	2023-11-30 08:57:17 +01:00
Douglas Palmer	d0b86d2f64	Register event not triggered on external to internal token exchange Closes #9684 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 15:30:47 -03:00
mposolda	479e6bc86b	Update Kerberos provider for user-profile closes #25074 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-29 15:21:26 -03:00
rmartinc	16afecd6b4	Allow automatic download of SAML certificates in the identity provider Closes https://github.com/keycloak/keycloak/issues/24424 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 18:03:31 +01:00
rmartinc	3bc028fe2d	Remove lowercase for the hostname as recommended/advised by OAuth spec Closes https://github.com/keycloak/keycloak/issues/25001 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 10:26:00 -03:00
rmartinc	b6cdcb3c27	Revert "Fix lowerCaseHostname to lower-case scheme and host properly" This reverts commit `1241bd2919`. Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 10:26:00 -03:00
Douglas Palmer	5ce41a462b	NPE in HardcodedUserSessionAttributeMapper on Token Exchange Closes #11996 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 09:35:49 -03:00
Douglas Palmer	7e78d29f8d	NPE in User Session Note mapper on Token Exchange Closes #24200 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 09:35:49 -03:00
hokuda	a83b9d11fa	Fix typo in the balloon help of SAML Username Template Importer closes #25033 Signed-off-by: hokuda <hisanobu.okuda@gmail.com>	2023-11-29 09:32:16 -03:00
Douglas Palmer	e99bd4aa3a	External to Internal Token exchange fails with Null pointer Exception if the user is not yet registered (first time token exchange) Closes #16059 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 09:16:14 -03:00
Michal Hajas	2b2207af93	Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled Closes #25077 Signed-off-by: Michal Hajas <mhajas@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-11-29 11:06:41 +00:00
Jon Koops	0b9dd21b0a	Attempt to request storage access for cookies (#25055 ) Closes #23872 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2023-11-27 18:23:40 +00:00
Pedro Igor	2c611cb8fc	User profile configuration scoped to user-federation provider closes #23878 Co-Authored-By: mposolda <mposolda@gmail.com> Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-27 14:45:44 +01:00
Stian Thorgersen	a32b58d337	Escape ldap id when using normal attribute syntax (#25 ) (#25036 ) Closes https://github.com/keycloak/security/issues/46 Co-authored-by: Ricardo Martin <rmartinc@redhat.com>	2023-11-27 11:38:14 +01:00
Takashi Norimatsu	1f5ee9bf80	NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token closes #25022 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2023-11-27 08:49:48 +01:00
Sophie Tauchert	855aebabc2	Rename clientUuid path parameter to client-uuid for consistency Closes #24960 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-11-23 16:08:58 +01:00
Sophie Tauchert	496c0e7f03	Rename some path parameter placeholders to avoid duplicating {id} in the path Closes #24960 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-11-23 16:08:58 +01:00
Sophie Tauchert	3e17cb0452	Add correct annotation for 204 responses to POST methods returning void Closes #24960 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-11-23 16:08:58 +01:00
Douglas Palmer	efde3adf60	Wrong value for VALIDATED_ID_TOKEN stored in the brokered identity context for external token exchange Closes #23985 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-23 11:52:37 -03:00
Douglas Palmer	2ec1d2f7ea	Fix logic error in AbstractOAuth2IdentityProvider Closes #24943 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-23 11:43:42 -03:00
Tero Saarni	fd58cb1bec	Attempt to remove warning about not using inference Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2023-11-23 10:49:58 -03:00
Tero Saarni	e35f3d7e87	Fix compilation error with ServerInfoAdminResource This change fixes following type inference error: * Type mismatch: cannot convert from Map<Boolean,Object> to Map<Boolean,List<String>> The error comes when opening and compiling on vscode or Eclipse, which uses Eclipse JDT compiler. Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2023-11-23 10:49:58 -03:00
Sebastian Schuster	030f42ec83	More efficient listing of assigned and available client role mappings Closes #23404 Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>	2023-11-22 14:10:11 +01:00
Thomas Darimont	d30d692335	Introduce MaxAuthAge Password policy (#12943 ) This policy allows to specify the maximum age of an authentication with which a password may be changed without re-authentication. Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible. A value of 0 will always require reauthentication to update the password. Add documentation for MaxAuthAgePasswordPolicy to server_admin Fixes #12943 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-11-20 14:48:17 +01:00
rmartinc	1241bd2919	Fix lowerCaseHostname to lower-case scheme and host properly Closes https://github.com/keycloak/keycloak/issues/24792 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-20 10:00:50 +01:00
Erik Jan de Wit	941457b805	added theme name as parameter moved messages to theme bundle Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2023-11-17 08:35:54 +01:00
rmartinc	5fad76070a	Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience Closes https://github.com/keycloak/keycloak/issues/24659 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-16 18:22:16 +01:00
Hynek Mlnarik	70d0f731f5	Use session ID rather than broker session ID Closes: #24455 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2023-11-16 17:01:40 +01:00
Vlasta Ramik	d86e062a0e	Removal of retry blocks introduced for CRDB Closes #24095 Signed-off-by: vramik <vramik@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-11-16 13:50:56 +01:00
rmartinc	cca33baac3	Avoid NPE if RelayState is null and return a proper error Closes https://github.com/keycloak/keycloak/issues/24079 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-16 12:56:49 +01:00
Erik Jan de Wit	89abc094d1	userprofile shared (#23600 ) * move account ui user profile to shared * use ui-shared on admin same error handling also introduce optional renderer for added component * move scroll form to ui-shared * merged with main * fix lock file * fixed merge error * fixed merge errors * fixed tests * moved user profile types to admin client * fixed more types * pr comments * fixed some types	2023-11-14 08:04:55 -03:00
Erik Jan de Wit	fe7833c957	Load Admin Console localizations from resource bundles (#24316 ) Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2023-11-13 12:39:46 -05:00
Hynek Mlnařík	0ceaed0e2e	Transient users: Consents (#24496 ) closes #24494	2023-11-10 11:18:27 +01:00
mposolda	7863c3e563	Moving UPConfig and related classes from keycloak-services closes #24535 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-07 12:41:29 +01:00
Joshua Sorah	7ca00975d4	Feature flag DPoP metadata in OIDC Well Known endpoint Closes keycloak/keycloak#24547 Signed-off-by: Joshua Sorah <jsorah@gmail.com>	2023-11-06 03:13:57 -08:00
Oliver	563ae104fd	[issue-14134] test partial import user with id Fix #14134	2023-11-02 05:56:12 -07:00
rmartinc	d7bb59461d	Escape $ sign when replacing clientId in the role mappers Closes https://github.com/keycloak/keycloak/issues/23692	2023-11-01 20:47:15 +01:00
rokkiter	e1735138cb	clean util * (#24174 ) Signed-off-by: rokkiter <yongen.pan@daocloud.io>	2023-11-01 17:14:11 +01:00
Pedro Igor	be65ba8689	Make sure optional default attributes are removed when decorating the user-define user profile configuration Closes #24420	2023-11-01 14:54:09 +01:00
mposolda	0bd2b342d7	Update per review	2023-10-31 12:56:46 -07:00
mposolda	6f992915d7	Move some UserProfile and Validation classes into keycloak-server-spi closes #24387	2023-10-31 12:56:46 -07:00
Justin Tay	3ff0476cc3	Allow customization of aud claim with JWT Authentication Closes #21445	2023-10-31 11:33:47 -07:00
rmartinc	7deb4ca545	Group count and PartialExport permission fixes Closes https://github.com/keycloak/keycloak/issues/12171	2023-10-31 01:40:21 -07:00
rmartinc	6484a3e705	Add userProfileEnabled attribute to realm response if admin can view users closes https://github.com/keycloak/keycloak/issues/19093	2023-10-30 07:39:03 -07:00
Alice	69497382d8	Group scalability upgrades (#22700 ) closes #22372 Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-10-26 16:50:45 +02:00
Hynek Mlnarik	2c4d58f5af	Fix KcOidcBrokerTransientSessionsTest Closes: #24313	2023-10-26 14:36:01 +02:00
rmartinc	faf398e3c3	Add openapi annotations to the UserProfileResource Closes https://github.com/keycloak/keycloak/issues/9318	2023-10-25 07:44:24 -07:00
Hynek Mlnarik	a668c2cb2b	Support for transient brokering in admin console Part-of: Add support for not importing brokered user into Keycloak database Closes: #11334	2023-10-25 12:02:35 +02:00
Hynek Mlnarik	26328a7c1e	Support for transient sessions via lightweight users Part-of: Add support for not importing brokered user into Keycloak database Closes: #11334	2023-10-25 12:02:35 +02:00
ggraziano	84112f57b5	Verification of iss at refresh token request Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method. Closes #22191	2023-10-24 23:42:11 +02:00
Marek Posolda	1bd6aca629	Remove RegistrationProfile class and handle migration (#24215 ) closes #24182 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2023-10-24 20:19:33 +02:00
Thomas Darimont	e567210ed1	Add dedicated feature flag for oauth device grant flow (#23892 ) Closes #23891	2023-10-24 10:09:26 +02:00
Erik Jan de Wit	e4632c9e78	move to theme resource	2023-10-23 15:17:18 -07:00
Erik Jan de Wit	f3d387172e	changed to realm, because that is the source	2023-10-23 15:17:18 -07:00
Erik Jan de Wit	0f878566ab	add new locale endpoint that returns the messages	2023-10-23 15:17:18 -07:00
vramik	a0f04fa2be	Declarative User Profile export Closes #12062 Resolves #20885	2023-10-21 19:21:20 +02:00
Pedro Igor	e47389f199	Username now shown when creating a user and edit username is not allowed Closes #24183	2023-10-20 10:22:31 -07:00
Pedro Igor	55a5a8c0eb	Ignore custom attributes when processing attributes in verify profile action Closes #24077	2023-10-20 17:51:40 +02:00
mposolda	c18e8ff535	User profile tweaks in registration forms closes #24024	2023-10-20 06:31:21 -07:00
kaustubh-rh	1ac2c0997d	Inconsistent handling of parenthesis in auth flow name (#24113 ) closes #16379	2023-10-20 10:00:46 +02:00
mposolda	04777299b0	After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly closes #23880	2023-10-19 19:23:50 +02:00
Andrew	77c3e7190c	updates to method contracts and code impl to be more specific about providerAlias (#24070 ) closes #24072	2023-10-18 08:33:06 +02:00
Pedro Igor	e91a0afca2	The username in account is required and don't change when email as username is enabled Closes #23976	2023-10-17 16:43:44 -03:00
shigeyuki kabano	6112b25648	Enhancing Light Weight Token(#22148 ) Closes #21183	2023-10-17 13:12:36 +02:00
Pedro Igor	9c19a8972b	Removing the default cache metadata Closes #23910	2023-10-13 16:32:55 +02:00
Charley Wu	31759f9c37	WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156 ) Closes #23155	2023-10-13 15:25:10 +02:00
Moritz Becker	e9f08b6500	Do not return empty scope field in token introspection response Closes #16526	2023-10-13 08:36:12 +02:00
duckboy81	197b39492e	Update TokenManager.java Fixed minor spelling typos	2023-10-12 14:56:24 +02:00
ici-dev-gb	32b373f05f	Don't use top-level `await` for storage access checks (#23793 ) Closes #23743	2023-10-12 09:28:01 +00:00
Vojtěch Boček	8871983b33	Add support for single-tenant mode to Microsoft Identity Provider (#20699 ) * Add support for single-tenant mode to Microsoft Identity Provider Fixes #20695 Closes #11207 * Add SocialLoginTest for Microsoft single-tenant variant	2023-10-10 16:35:36 -04:00
Marek Posolda	a6609bd969	Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate (#23517 ) Closes #12406 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-10-10 21:54:37 +02:00
Pedro Igor	7385ed56c7	Avoid creating the component when there is no component and configuration is not provided Closes #20970 Co-authored-by: Pedro Igor <psilva@redhat.com>	2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer	dd37e02140	Improve logging in case of OIDC Identity provider errors: - log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter - log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response Closes #23690	2023-10-06 19:03:41 +02:00
mposolda	cdb61215c9	UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed closes #23749	2023-10-06 11:27:48 -03:00
Pedro Igor	290bee0787	Resolve several usability issues around User Profile (#23537 ) Closes #23507, #23584, #23740, #23774 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-10-06 10:15:39 -03:00
rmartinc	890600c33c	Remove backward compatibility for ECDSA tokens Closes https://github.com/keycloak/keycloak/issues/23734	2023-10-06 14:24:48 +02:00

... 5 6 7 8 9 ...

4834 commits