Commit graph

3094 commits

Author SHA1 Message Date
Marek Posolda
90d4e586b6
Show error in case of an unkown essential acr claim. Make sure correc… (#10088)
* Show error in case of an unkown essential acr claim. Make sure correct acr is set after authentication flow during step-up authentication
Closes #8724

Co-authored-by: Cornelia Lahnsteiner <cornelia.lahnsteiner@prime-sign.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-02-15 09:02:05 +01:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT (#10165) 2022-02-11 21:28:06 +01:00
Martin Kanis
26ac142b99 Hot Rod map storage: Roles no-downtime store 2022-02-11 14:31:34 +01:00
Michal Hajas
b50b8f883b Implement HotRod storage for Users
Closes #9671
2022-02-11 10:20:36 +01:00
Martin Bartoš
6c09ec6de6 Hide 'unknown' transport media type label for WebAuthn authenticators
Closes #10036
2022-02-11 08:28:50 +01:00
Mauro de Wit
2c238b9f04
session-limiting-feature (#8260)
Closes #10077
2022-02-08 19:16:06 +01:00
Martin Bartoš
8573ea5fb2 KEYCLOAK-17690 Add missing test case for user email update 2022-02-07 10:56:11 +01:00
Marek Posolda
d9c8cb30a5
Closes #9498 - Fix cases when user is forced to re-authenticate (#9580) 2022-02-07 09:02:08 +01:00
Takashi Norimatsu
07d43f31f3 Expected Scopes of ClientScopesCondition created on Admin UI are not saved onto ClientScopesCondition.Configuration
Closes #9371
2022-02-04 18:02:15 +01:00
Martin Kanis
0471ec4941 Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded 2022-02-03 21:43:47 +01:00
Konstantinos Georgilakis
a1f2f77b82 Device Authorization Grant with PKCE
Closes #9710
2022-02-03 08:37:07 +01:00
Daniel Gozalo
db4642d250 [fixes #9919] - Enable Dynamic Scopes for the resource-owner-password-credentials grant
Change some calls to the new AuthorizationContextUtil class and add tests for the client-credentials grant
2022-02-03 08:19:44 +01:00
Marek Posolda
d27635fb1b
Fixing for token revocation checks only (#9707)
Closes #9705
2022-02-02 15:21:44 +01:00
Daniel Gozalo
3528e7ba54 [fixes #9224] - Get consented scopes from AuthorizationContext
Always show the consent screen when a dynamic scope is requested and show the requested parameter

Improve the code that handles dynamic scopes consent and add some log traces

Add a test to check how we show dynamic scope in the consent screen and added missing template file change

Fix merge problem in comment and improve other comments

Fix the Dynamic Scope test by assigning it to the client as optional instead of default

Change how dynamic scopes are represented in the consent screen and adapt test
2022-02-02 09:10:20 +01:00
Daniel Gozalo
dc814b85c7 Pass the UserId to the function that runs the inner function in the server as it was losing its value when defined globally for Wildfly and Quarkus 2022-01-31 13:02:22 +01:00
Martin Bartoš
2919342f3a Add test scenarios for Passwordless Webauthn AIA
Closes #9795
2022-01-27 11:02:43 +01:00
bal1imb
9621d513b5 KEYCLOAK-18727 Improve user search query 2022-01-26 17:03:05 +01:00
Daniel Gozalo
4136bf7700 [fixes #9750] Make sure a Dynamic scope isn't assignable to a client as a default scope, and only show non-dynamic scopes in the available client scopes client menu 2022-01-26 13:32:04 +01:00
Daniel Gozalo
dad51773ea [fixes #9223] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker

Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext

Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing

Move the AuthorizationRequest objects to server-spi

Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it

Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time

Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag

Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag

Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user

Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more

Test how the server genereates the AuthorizationDetails object

Fix formatting, move classes to better packages and fix parent test class by making it Abstract

Match Dynamic scopes to Optional scopes only and fix tests

Avoid running these tests on remote auth servers
2022-01-26 13:19:23 +01:00
Martin Kanis
ddcabe61b2 KEYCLOAK-19571 Add indices to HotRodClientEntity fields 2022-01-20 17:46:47 +01:00
Konstantinos Georgilakis
0c9ab32cf4 Fix scope bug in device authorization request
Closes #9617
2022-01-19 18:13:42 +01:00
vramik
22bcdcb630 MapRoleProvider could return also client roles when searching for realm roles
Closes #9587
2022-01-19 16:39:59 +01:00
Konstantinos Georgilakis
db0b36460f KEYCLOAK-19148 correct getGroupsCountByNameContaining of MapGroupProvider 2022-01-15 20:15:27 +01:00
Pedro Igor
4c747047ce
Backward compatibility for lower-case bearer type in token responses (#9538)
Closes #9537
2022-01-13 08:34:45 +01:00
Jon Koops
dea123169f
KEYCLOAK-14817 Allow JS adapter to be bundled as ES module (#9351) 2022-01-13 08:28:30 +01:00
Daniel Gozalo
8ea09d3816
[fixes #9222] - Let users configure Dynamic Client Scopes (#9327) 2022-01-12 14:27:24 +01:00
Martin Bartoš
8649ca3d50
Multiple active tabs when realm name equals name of the tab in Admin console (#9438)
Closes #9421
2022-01-11 16:01:28 -05:00
Marek Posolda
8f221bb21e
Validation for CIBA binding_message parameter (#9470)
closes #9469
2022-01-11 11:19:15 +01:00
Martin Bartoš
d75d28468e
KEYCLOAK-19490 Add more details about 2FA to authenticate page (#9252)
Closes #9494
2022-01-11 09:16:22 +01:00
vramik
dd3d7be2b4 Make JpaClientMapStorage generic
Closes #9244
2022-01-05 07:04:05 +01:00
Martin Bartoš
422ae0b3db CIAM-1693 WebAuthn tests failures on JBoss 2021-12-23 02:43:25 -08:00
Martin Bartoš
6d0b551b5e
CIAM-1692 OfflineTokenSpringBootTest is failing in pipeline due to Hamcrest dependency (#9300) 2021-12-22 13:59:29 +01:00
CorneliaLahnsteiner
dff79cee3c
KEYCLOAK-847 Add support for step up authentication (#7897)
KEYCLOAK-847 Fix behavior of unknown not essential acr claim

Co-authored-by: Georg Romstorfer <georg.romstorfer@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2021-12-22 12:43:12 +01:00
Ben Tatham
f201760a4a Fixed #8892 "does not exists" language 2021-12-21 20:24:13 +01:00
Pedro Igor
15d5a074b0 Avoid building configuration all the time when running tests
Closes #9262
2021-12-21 07:10:15 -08:00
keycloak-bot
9f3d4a7d42 Set version to 17.0.0-SNAPSHOT 2021-12-20 10:50:39 +01:00
Michal Hajas
30cef7aa68 Fix app-server addHttpListener failure 2021-12-20 10:40:42 +01:00
Stian Thorgersen
45e9243054
Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users (#9211)
* Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users

Co-authored-by: stianst <stianst@gmail.com>

* fixing test

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 14:45:56 +01:00
Stian Thorgersen
31345c49b1
Server-only upgrade to WildFly 25.0.1 (#9190)
* WF 25.0.1 upgrade light

* Re-enable adapters with old WF versions

* Put server-overlay and server-legacy-dist back to reduce size of PR changes

* Remove some more changes that are not needed

* Fix issues adding to provider properties

* Fix user-profile updates for tests

* tls fixes

* Set WF to 23 for adapter tests

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 12:12:41 +01:00
Michal Hajas
5f0b65e854 Fix Cross DC test failures caused by Keycloak not increasing failure counter for blocked users
Closes #9157
2021-12-15 19:13:54 +01:00
vramik
c6312e3308 KEYCLOAK-18717 KEYCLOAK-18716 KEYCLOAK-18715 KEYCLOAK-18713 KEYCLOAK-18712 KEYCLOAK-18711 JPA clients no-downtime store 2021-12-15 13:32:49 +01:00
Marcelo Sales
afeaa6f593 KEYCLOAK-19391: Fix ldap query search adding custom serach filter 2021-12-15 08:54:52 +01:00
stianst
85240c9606 Remove deprecated kcinit from keycloak
Closes #9106
2021-12-13 15:51:51 +01:00
thomasmicro
c474e770fe Clarify Admin UI Name of NoCookieFlowRedirectAuthenticator
In the Admin UI, the Authenticator was simply called Browser Redirect/Refresh which gives the impression that it is a generic redirector (which would be a cool validator).

This Quick Fix changes the Name to "Browser Redirect for Cookie free authentication" which should bring more clarity.
2021-12-13 13:14:49 +01:00
Martin Bartoš
8e8fab857e KEYCLOAK-19486 Verify the WebAuthn registration functionality 2021-12-13 09:46:07 +01:00
Pedro Igor
bf0f3d605c [fixes #9052] - Renaming cluster options to cache 2021-12-10 08:20:53 +01:00
Martin Bartoš
4f66087bf4 Fix for WebAuthn tests 2021-12-08 10:12:48 +01:00
Martin Bartoš
7dc01a5a6e KEYCLOAK-13319 Use newest WebDriver/Selenium for the WebAuthn testing 2021-12-06 09:42:10 +01:00
Alfredo Boullosa
a0b9e4f3eb KEYCLOAK-19853 Update Arquillian version 2021-12-04 06:45:43 +01:00
Pedro Igor
9a4ab82d08 [KEYCLOAK-19847] - Optimizations and refactoring for better/stable startup time 2021-12-02 08:57:23 -08:00