Alexander Schwartz
dd5a60c321
Allow a partial import to overwrite the default role
...
Closes #9891
2022-11-01 15:35:02 -03:00
Pedro Igor
f6985949b6
Close the session within resteasy boundaries ( #15193 )
...
Closes #15192
2022-11-01 11:06:34 +01:00
Michal Hajas
883e83e625
Remove deprecated methods from data providers and models
...
Closes #14720
2022-10-25 09:01:33 +02:00
mposolda
55c514ad56
More flexibility in keystore related tests, Make keycloak to notify which keystore types it supports, Support for BCFKS
...
Closes #14964
2022-10-24 08:36:37 +02:00
Alexander Schwartz
440077de42
Reduce number of calls to the storage for clients and realms
...
Closes #15038
2022-10-21 15:08:39 +02:00
Stefan Guilhen
acaf1724dd
Fix ComponentsTest failures with CockroachDB
...
- Component addition/edition/removal is now executed in a retriable transaction.
Closes #13209
2022-10-21 10:48:08 +02:00
Klaus Betz
76d9125c3f
feat: add DisplayIconClasses to IdentityProviderModel for third-party IDPs https://github.com/klausbetz/apple-identity-provider-keycloak/issues/10 ( #14826 )
...
Closes #14974
2022-10-18 15:54:06 +02:00
Stian Thorgersen
97ae90de88
Remove Red Hat Single Sign-On product profile from upstream ( #14697 )
...
* Remove Red Hat Single Sign-On product profile from upstream
Closes #14916
* review suggestions: Remove Red Hat Single Sign-On product profile from upstream
Closes #14916
Co-authored-by: Peter Skopek <pskopek@redhat.com>
2022-10-18 14:43:04 +02:00
Stian Thorgersen
31aefd1489
OTP Application SPI ( #14800 )
...
Closes #14800
2022-10-18 14:42:35 +02:00
Marek Posolda
0756ef9a75
Initial integration tests with BCFIPS distribution ( #14895 )
...
Closes #14886
2022-10-17 23:33:22 +02:00
Stian Thorgersen
f7490b7f7c
Fix issue where admin2 was not enabled by default if account2 was disabled ( #14914 )
...
Refactoring ThemeSelector and DefaultThemeManager to re-use the same logic for selecting default theme as there used to be two places where one had a broken implementation
Closes #14889
2022-10-17 15:17:54 +02:00
vramik
f49582cf63
MapUserProvider in KC20 needs to store username compatible with KC19 to be no-downtime-upgradable
...
Closes #14678
2022-10-14 09:32:38 +02:00
danielFesenmeyer
f80a8fbed0
Avoid login failures in case of non-existing group or role references and update references in case of renaming or moving
...
- no longer throw an exception, when a role or group cannot be found, log a warning instead
- update mapper references in case of the following events:
- moving a group
- renaming a group
- renaming a role
- renaming a client's Client ID (may affect role qualifiers)
- in case a role or group is removed, the reference still will not be changed
- extend and refactor integration tests in order to check the new behavior
Closes #11236
2022-10-13 13:23:29 +02:00
Martin Kanis
761929d174
Merge ActionTokenStoreProvider and SingleUseObjectProvider ( #13677 )
...
Closes #13334
2022-10-13 09:26:44 +02:00
Stian Thorgersen
ded52c6228
Move session iframe pages ( #14769 )
...
Closes #14767
2022-10-13 08:16:20 +02:00
Lex Cao
8ea3f30d82
Support profile projection parameter for LinkedIn IDP
...
Closes #13384
2022-10-11 15:22:00 -03:00
Alexander Schwartz
b67ce73227
Cleanup MapUserSessionAdapter.getAuthenticatedClientSessions()
...
Closes #14743
2022-10-10 13:01:14 +02:00
Stian Thorgersen
fda26385ec
Add profile feature for hosting keycloak.js on the server ( #14771 )
...
* Add profile feature for hosting keycloak.js on the server
Closes #14770
* Updated txt files for HelpCommandTest
2022-10-10 08:00:50 +02:00
Takashi Norimatsu
148c7695ff
Pluggable Features of Token Manager
...
Closes #12065
2022-10-07 08:43:34 +02:00
Hynek Mlnarik
36a1ce6a1a
Ensure map storage providers are closed upon session close
...
Fixes : #14730
2022-10-05 14:16:19 +02:00
Marek Posolda
425b6b8df2
Parameters 'client_id' and 'response_type' not strictly required in O… ( #14679 )
...
* Parameters 'client_id' and 'response_type' not strictly required in OIDC request object
Closes #14255
2022-10-05 11:20:15 +02:00
Douglas Palmer
44aae52fb4
Fixed locale switcher on error page ( #14728 )
...
Closes #14205
2022-10-05 10:30:07 +02:00
Marek Posolda
c59660ca86
KEYCLOAK_SESSION not working for some user federation setups when user ID has special chars ( #14560 )
...
closes #14354
2022-10-05 08:59:30 +02:00
Alice Wood
1eb7e95b97
enhance existing group search functionality allow exact name search keycloak/keycloak#13973
...
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
2022-09-30 10:37:52 +02:00
Marcelo Daniel Silva Sales
22713bc144
Incorrect error message OIDC client authentication ( #14656 )
...
closes #12162
Co-authored-by: Pedro Hos <pedro-hos@outlook.com>
2022-09-30 09:40:05 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron ( #14415 )
...
Closes #12702
2022-09-27 08:53:46 +02:00
Alexander Schwartz
be2deb0517
Modify RealmsAdminResource.importRealm to work with InputStream
...
Closes #13609
2022-09-26 20:58:08 +02:00
Ivan Atanasov
4016dd95d2
Use temporary file to reduce the chance of serving partial gzipped resource ( #14511 )
...
Closes #14510
2022-09-23 07:51:41 +02:00
Alice Wood
55a660f50b
enhance group search to allow searching for groups via attribute keycloak/keycloak#12964
...
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-09-19 15:19:36 +02:00
Takashi Norimatsu
0a832fc744
Intent support before issuing tokens (UK OpenBanking)
...
Closes #12883
2022-09-19 12:15:00 +02:00
Dmitry Telegin
cc2117bf7c
UserInfo endpoint not fully standards compliant
...
Closes #14184
2022-09-16 10:15:08 +02:00
danielFesenmeyer
3af1134975
Update IDP link username when sync mode is "force"
...
Closes #13049
2022-09-14 08:02:17 -03:00
Václav Muzikář
e999aeeab8
Fix DefaultHostnameTest
on Undertow
2022-09-13 14:41:23 -03:00
Christoph Leistert
7e5b45f999
Issue #8749 : Add an option to control the order of the event query and admin event query
2022-09-11 21:30:12 +02:00
Alexander Schwartz
1d2d3e5ca5
Move UserFederatedStorageProvider into legacy module
...
Closes #13627
2022-09-11 18:37:45 +02:00
Thomas Darimont
962a685b7b
KEYCLOAK-15773 Control availability of admin api and admin-console via feature flags
...
Inline profile checks for enabled admin-console to avoid issues during
static initialization with quarkus.
Potentially Re-enable admin-api feature if admin-console is enabled
via the admin/admin2 feature flag.
Add legacy admin console as deprecated feature flag
Throw exception if admin-api feature is disabled but admin-console is enabled
Adapt ProfileTest
Consider adminConsoleEnabled flag in QuarkusWelcomeResource
Fix check for Admin-Console / Admin-API feature dependency.
Add new features to approved help output files
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2022-09-09 18:18:51 -03:00
Pedro Igor
3518362002
Validate auth time when max_age is sent to brokered OPs
...
Closes #14146
2022-09-09 10:30:51 -03:00
Martin Bartoš
0fcf5d3936
Reuse of token in TOTP is possible
...
Fixes #13607
2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default ( #14293 )
...
Closes #14292
2022-09-09 13:47:51 +02:00
Dominik Guhr
f2b02f19e6
Closes #13786
2022-09-07 18:29:26 +02:00
cgeorgilakis
07b0df8f62
View groups from account console ( #7933 )
...
Closes #8748
2022-09-07 11:25:31 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 ( #14179 )
...
Closes #14179
2022-09-07 10:09:30 +02:00
evtr
4469bdc0a9
RelayState max length not respected
...
Fixes : #10227
2022-09-06 22:01:14 +02:00
Stu Tomlinson
f57560afd3
Improve error messages for invalid SAML responses
...
Closes #13534
2022-09-06 21:49:14 +02:00
Christoph Leistert
cc2bb96abc
Fixes #9482 : A user could be assigned to a parent group if he is already assigned to a subgroup.
2022-09-06 21:31:31 +02:00
Pedro Igor
a6137b9b86
Do not empty attributes if they are not provided when user profile is enabled
...
Closes #11096
2022-09-06 12:59:05 +02:00
Michal Hajas
f69497eb28
KEYCLOAK-12988 Deprecate getUsers* methods in favor of searchUsers* variants
...
Closes #14018
2022-09-06 10:38:28 +02:00
Youssef El Houti
7f58c1c570
KEYCLOAK-19138 nginx x509 client trusted certificate lookup
2022-09-01 15:02:56 -03:00
Thomas Darimont
43623ea9d0
KEYCLOAK-18499 Add max_age support to oauth2 brokered logins
...
Revise KcOidcBrokerPassMaxAgeTest to use setTimeOffset(...)
2022-09-01 09:24:44 -03:00
Joerg Matysiak
a8019d78e7
Fixed handling of required setting for email in user profile.
...
Resolves #13923
2022-08-31 17:19:19 -03:00
Nagy Vilmos
f6db484172
Keep the locale related authNotes through the IdentityBroker flow. ( #10444 )
...
Closes #8827
2022-08-31 09:37:26 +02:00
Martin Bartoš
e6a5f9c124
Default required action providers are still available after feature disabling
...
Closes #13189
2022-08-31 08:42:47 +02:00
Moritz H
c4971d179c
KEYCLOAK-18273 Display Idp displayName if available ( #8087 )
...
Co-authored-by: moritz.hilberg <moritz.hilberg@pwc.com>
2022-08-30 15:32:27 -03:00
Manato Takai
1cdc21f0ff
Add duplicate parameter check for UserInfo endpoint. ( #14024 )
...
Closes #14016
2022-08-30 14:39:15 +02:00
Réda Housni Alaoui
3f088bfd21
KEYCLOAK-17013 Brute force protection: Successfully logged in user should not have to wait up to 5 seconds for event processing ( #7748 )
2022-08-29 19:41:35 +02:00
Tero Saarni
4f199c7245
Fix compilation errors with Eclipse Java compiler
2022-08-29 19:33:12 +02:00
Nemanja Hiršl
b7309e86d9
Closes #8992 - Extending DefaultBruteForceProtector ( #8993 )
...
* Closes #8992 - Extending DefaultBruteForceProtector
* Update services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtectorFactory.java
* Update services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtectorFactory.java
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-29 16:43:13 +02:00
Stian Thorgersen
aeba5e9f4b
Add FreeMarkerProvider to prevent multiple instances of FreeMarker templates ( #14062 )
...
* Add FreeMarkerProvider to prevent multiple instances of FreeMarker templates
Closes #19185
2022-08-29 08:42:53 -03:00
jsarem
f0397f33b4
Expose same common informational variables to all email body templates ( #13998 )
...
Closes #14017
2022-08-29 08:09:18 +02:00
Jason
c6c65ad10b
Check IdP display name length before capitalizing ( #13151 )
...
https://github.com/keycloak/keycloak/issues/13150
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-26 13:16:10 +02:00
Hawk Newton
b1487b9d72
Increase max size of additional request params ( #8382 )
...
Closes #14015
2022-08-26 09:34:43 +02:00
GQ
518d318f0c
Update CorsPreflightService.java ( #8387 )
...
Adding DELETE & PUT
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-26 08:00:55 +02:00
Joerg Matysiak
62790b8ce0
Allow permission configuration for username and email in user profile.
...
Enhanced Account API to respect access to these attributes.
Resolves #12599
2022-08-25 21:54:51 -03:00
supersoaker
e47bbba7ef
added possibility to use user
in terms.ftl ( #7831 )
2022-08-25 15:08:38 +02:00
Clay Risser
f145667144
Fixed spelling error ( #13595 )
...
Fixes issue #13594
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-25 12:46:43 +02:00
Christoph Leistert
5408d25e09
Fixes #10656 : Sub realm localization GET endpoints can be called using tokens issued by the master realm. ( #10660 )
...
* Fixes #10656 : Sub realm localization GET endpoints can be called using tokens issued by the master realm.
* Fixes #10656 : Added some tests
2022-08-25 09:02:07 +02:00
Erich Bremer
c98a760beb
remove javax.json and replace with FasterXML ( #11554 )
...
remove javax.json and replace with FasterXML to be consistent with the rest of the project.
Closes #11544
2022-08-25 08:49:22 +02:00
Pedro Igor
ddcf0f45f9
Run import within the context of the realm being imported
...
Closes #12289
2022-08-25 08:18:43 +02:00
Pedro Igor
25be07be17
Allow introspecting tokens issued during token exchange with delegation semantics
...
Closes #9337
2022-08-24 09:47:04 -03:00
Takashi Norimatsu
8c1ea4b47c
mTLS binding support for password grant
...
Closes #13662
2022-08-24 11:44:48 +02:00
Konstantinos Georgilakis
c5b9dc1e7b
set context session client equal to clientsession client (fromClientSessionAndScopeParameter method of DefaultClientSessionContext)
...
Closes #13162
2022-08-23 17:33:07 +02:00
Konstantinos Georgilakis
baa89debd9
Correct isValidScope method of TokenManager for Dynamic scopes
...
Closes #13158
2022-08-23 16:30:04 +02:00
Konstantinos Georgilakis
2002fd983b
Showing consent screen text instead of scope name in consent part of Application page in Account console
...
Closes #13109
2022-08-23 11:22:31 +02:00
rishabhsvats
c223291a1e
Adds REGISTER event when new user login through first broker flow
...
Updates KcOidcBrokerEventTest, AbstractFirstBrokerLoginTest to factor in REGISTER event in first broker flow
Closes #11646
Correcting Indentation of AbstractFirstBrokerLoginTest
2022-08-23 10:43:56 +02:00
Stefan Guilhen
6d99686220
Fix user session deadlock by enlisting broker logout request after main logout transaction commits. ( #13889 )
...
- This also fixes broker test failures with CockroachDB
Closes #13348
Closes #13212
Closes #13214
2022-08-23 09:57:40 +02:00
David Anderson
ce1331f550
Remove bouncycastle dependency from keycloak-services ( #13489 )
...
Closes #12857
Co-authored-by: mposolda <mposolda@gmail.com>
2022-08-22 15:43:59 +02:00
Sebastian Schuster
fb978de0d8
12653 check if fine-grained permissions are enabled before retrieving group memberships of users
2022-08-22 09:34:46 -03:00
Sebastian Schuster
916cfbbaf1
13647 Added null checks and some comments/questions for discussions. Will be squashed later if accepted.
2022-08-22 09:34:12 -03:00
Sebastian Schuster
53472e097c
13647 fixed wrong feature flag for checking admin fine-grained authz
2022-08-22 09:34:12 -03:00
Pedro Igor
5f2191813a
Remove unnecessary code paths during startup ( #13848 )
...
Closes #13847
2022-08-19 14:54:11 +02:00
Pedro Igor
841c65d24f
Return 404 when invoking authorization endpoints in case authz settings are disabled
...
Closes #10151
2022-08-16 16:37:44 -03:00
Markus Till
fa383bf76c
Suppress confirmation screen for logout in oidc ( #13471 )
...
Closes #13469
2022-08-10 18:25:50 +02:00
Marcelo Daniel Silva Sales
e44cea587f
NullPointer during OIDC logout client disabled ( #13424 )
...
closes #12624
2022-08-08 12:34:09 +02:00
Sebastian Knauer
21f700679f
KEYCLOAK-19866 Fix user-defined- and xml-fragment-parsing/Add XPathAttributeMapper
2022-08-03 13:07:12 +02:00
Marek Posolda
7e925bfbff
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup ( #13406 )
...
Closes #13128
2022-07-29 18:03:56 +02:00
Pedro Hos
ee2c5391bd
Possible client enumeration in the authorization endpoint
...
Closes #12164
2022-07-26 09:10:06 +02:00
Stian Thorgersen
7158e781be
Update base URL for admin rest docs ( #13305 )
...
Closes #10464
2022-07-25 16:25:55 +02:00
Douglas Palmer
c00514d659
Support for post_logout_redirect_uris in OIDC client registration ( #12282 )
...
Closes #10135
2022-07-25 10:57:52 +02:00
Stian Thorgersen
a251d785db
Remove text based login flows ( #13249 )
...
* Remove text based login flows
Closes #8752
* Add display param back in case it's used by some custom authenticators
2022-07-22 15:15:25 +02:00
Pedro Igor
e14bd51656
Properly enable/disable metrics and health endpoints
...
Closes #11506
Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-07-22 09:41:29 -03:00
Alexander Schwartz
cb81a17611
Disable Infinispan for map storage and avoid the component factory when creating a realm independent provider factory
...
Provide startup time in UserSessionProvider independent of Infinispan,
cleanup code that is not necessary for the map storage as it isn't using Clustering.
Move classes to the legacy module.
Closes #12972
2022-07-22 08:20:00 +02:00
Douglas Palmer
adeef6c2a0
Partial import feature does not import Identity Provider mappers in Keycloak #12861
2022-07-21 18:04:15 +02:00
Pedro Igor
3631a413d2
Allow token exchange when subjec_token is not associated with a session
...
Closes #12596
2022-07-20 15:42:26 -03:00
Alexander Schwartz
d30646b1f6
Refactor object locking for UserSessions
...
Closes #12717
2022-07-19 17:47:33 -03:00
Lex Cao
f0988a62b8
Use base64 url decoded for client secret when authenticating with Basic Auth ( #12486 )
...
Closes #11908
2022-07-16 09:38:41 +02:00
Vlasta Ramik
ec853a6b83
JPA map storage: User / client session no-downtime store ( #12241 )
...
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Closes #9666
2022-07-14 12:07:02 -03:00
Pedro Igor
5b48d72730
Upgrade Resteasy v4
...
Closes #10916
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2022-07-11 12:17:51 -03:00
Takashi Norimatsu
29aad9dc45
PAR logic affecting /auth endpoint
...
Closes #9289
2022-07-11 11:56:37 +02:00
Alexander Schwartz
29a501552e
Disable the JpaUserFederatedStorageProvider when map storage is enabled
...
Closes #12895
2022-07-07 10:47:42 -03:00
Alexander Schwartz
098d4dda0e
Split PublicKeyStorageProvider ( #12897 )
...
Split PublicKeyStorageProvider
- Extract clearCache() method to separate interface and move it to the legacy module
- Make PublicKeyProvider factories environment dependent
- Simple map storage for public keys that just delegates
Resolves #12763
Co-authored-by: Martin Kanis <mkanis@redhat.com>
2022-07-05 09:57:51 -03:00
Alexander Schwartz
4b20e90292
Move session persistence package to legacy-private module
...
Also, disabling the jpa session persister when map storage is enabled.
Closes #12712
2022-07-04 10:05:26 -03:00
Alexander Schwartz
d407a37ba3
Instead of returning instances with different semantics, throw an exception.
...
This exception points the caller to the migration guide of Keycloak 19.
Closes #12556
2022-07-01 14:12:39 -03:00
Konstantinos Georgilakis
32f8f30f36
Include 'urn:ietf:params:oauth:grant-type:token-exchange' in grant_types_supported field of Keycloak OP metadata, if token-exchange is enabled
...
closes #10888
2022-06-30 17:13:47 -03:00
Jon Koops
06d1b4faab
Restore enum variant of ResourceType
...
This reverts commit 3b5a578934
.
2022-06-30 12:20:51 -03:00
Pedro Igor
605b51890e
Enables the new store and the concurrenthashmap provider
...
Closes #12651
2022-06-30 10:55:22 -03:00
Alexander Schwartz
692ce0cd91
Moving ClientStorageProvider to the legacy modules
...
This prepares the move of CachedObject and CacheableStorageProviderModel
Closes #12531
fixup! Moving ClientStorageProvider to the legacy modules
2022-06-29 20:04:32 +02:00
vramik
3b5a578934
Change enum ResourceType to interface with String constants
...
Closes #12485
2022-06-29 13:35:11 +02:00
Lex Cao
c3c8b9f0c8
Add client_secret
to response when token_endpoint_auth_method
is not private_key_jwt
( #12609 )
...
Closes #12565
2022-06-29 10:19:18 +02:00
Konstantinos Georgilakis
ccc0449314
json device code flow error responses
...
closes #11438
2022-06-29 07:23:02 +02:00
Marek Posolda
be1e31dc68
Introduce crypto/default module. Refactoring BouncyIntegration ( #12692 )
...
Closes #12625
2022-06-29 07:17:09 +02:00
vramik
91335ebaad
Change returning type to Set in MapClientEntity when obtaining protocol mappers
...
Closes #11136
2022-06-28 21:47:56 +02:00
danielFesenmeyer
b6d8c27cac
OIDC logout: In "legacy mode", support post_logout_redirect_uri param without requiring id_token_hint param
...
Closes #12680
2022-06-28 14:36:03 +02:00
Alexander Schwartz
4b499c869c
Encapsulate MigrationModelManager in legacy module
...
Closes #12214
2022-06-28 10:53:04 +02:00
leandrobortoli
c5d5659100
Fixed bug on client credentials grant when encryption key not found
...
Closes #12348
2022-06-27 13:00:21 +02:00
Lex Cao
f8a7c8e160
Validate name of client scope ( #12571 )
...
Closes #12553
2022-06-27 12:26:18 +02:00
Pedro Igor
3d2c3fbc6a
Support JSON objects when evaluating claims in regex policy
...
Closes #11514
2022-06-23 14:04:09 -03:00
Pedro Igor
d3a40e8620
Use backend baseURL for UMA-related backend endpoints
...
Closes #12549
2022-06-23 10:35:26 -03:00
Takashi Norimatsu
a10eef882f
DeviceTokenRequestContext.getEvent returns a wrong ClientPolicyEvent
...
Closes #12455
2022-06-22 13:01:35 +02:00
Takashi Norimatsu
d396ee7d30
CIBA flow : no error on invalid scope
...
Closes #12589
2022-06-22 12:55:55 +02:00
rmartinc
711440e513
[ #11036 ] Identity Providers: Add support for elliptic curve signatures (ES256/ES384/ES512) using JWKS URL
2022-06-21 10:52:25 -03:00
Alexander Schwartz
ae7c01b719
Moving the CacheRealmProvider interface to the legacy module
2022-06-21 08:53:06 +02:00
Alexander Schwartz
7855b93390
Moving the UserCache interface to the legacy module
...
Co-Authored-By: hmlnarik@redhat.com
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6376db0f9c
code cleanup
2022-06-21 08:53:06 +02:00
Alexander Schwartz
84d21f0230
for all added files in the PR, update the copyright header or add it if it was missing
2022-06-21 08:53:06 +02:00
Alexander Schwartz
3fe477885c
when userStorageManager() is called recursively, provided a meaningful exception to the caller.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
d41764b19b
Inline deprecated methods in legacy code
2022-06-21 08:53:06 +02:00
Alexander Schwartz
30b5c646e1
Deprecated old KeycloakSession APIs
2022-06-21 08:53:06 +02:00
Alexander Schwartz
08bbb1fb92
Move LDAP REST Endpoints to LDAP package
...
- Thus remove implicit dependency on services on the legacy modules
- Disable tests for LDAP/Kerberos that won't work when map storage is enabled
2022-06-21 08:53:06 +02:00
Alexander Schwartz
a109e28be7
moving some functionality around imports
2022-06-21 08:53:06 +02:00
Alexander Schwartz
a43321c720
Moving logic to create service accounts in local storage only to legacy module
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
e396d0daa1
Renaming SingleUserCredentialManager and UserModel.getUserCredentialManager():
...
- class SingleUserCredentialManager to SingleEntityCredentialManager
- method UserModel.getUserCredentialManager() to credentialManager()
Renaming of API without "get" prefix to make it consistent with other APIs like for example with KeycloakSession
2022-06-21 08:53:06 +02:00
Alexander Schwartz
14a369a8cc
Added LegacySessionSupport SPI
...
While some methods around onCache() are still called from the legacy code, all other methods log a warning with a stacktrace.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6f287e7ded
Avoid using methods on UserCredentialStoreManager
2022-06-21 08:53:06 +02:00
Alexander Schwartz
bc8fd21dc6
SingleUserCredentialManager moving in
...
- UserStorageManager now handles authentication for old Kerberos+LDAP style
- new getUserByCredential method in MapUserProvider would eventually do the same.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
82094d113e
Move User Storage SPI, introduce ExportImportManager
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51
Preparation for moving User Storage SPI
...
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved refers legacy module
IMPORTANT: Broken as UserStorageSyncManager is not yet moved
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
36f76a37ad
Move realms, clients, groups, roles, clientscopes into legacy module
...
- Introduces Datastore SPI for isolating data store methods
- Introduces implementation of the datastore for legacy storage
- Updates DefaultKeycloakSession to leverage Datastore SPI instead
of direct creating of area providers by the session
2022-06-21 08:53:06 +02:00
Lex Cao
06dfb45c39
Remove non-standard code_challenge_method
from token request for IDP ( #12473 )
...
Closes #12141
2022-06-14 20:46:35 +02:00
mposolda
3aefb59d40
Fix test failure in X509BrowserCRLTest on IBM JDK. Don't display details of exception message to the end user
...
Closes #12458
2022-06-14 10:44:31 +02:00
Christoph Leistert
442eff0169
Closes #11851 : Apply localization text from realm default locale when it is not defined for the requested language. ( #11852 )
2022-06-10 14:36:11 -04:00
Joerg Matysiak
3c19ad627f
Repsect permissions configured to firstName and lastName when configured in user profile
...
Resolves #12109
2022-06-09 10:10:15 -03:00
mposolda
5d2bf6ea33
Cannot find ScriptEngine for JDK8 and Wildfly
...
Closes #12247
2022-06-08 11:11:36 +02:00
Pedro Igor
243e63c9f3
Do not set empty permissions to username and email attributes
...
Closes #11647
2022-06-07 10:59:35 -03:00
Sebastian Schuster
a0c402b93a
11198 added event information to consent granting and revocation via REST API ( #11199 )
2022-06-07 11:29:20 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration ( #12244 )
...
Closes #12243
2022-06-07 09:02:00 +02:00
rmartinc
5332a7d435
Issue #9194 : Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256
2022-06-06 12:07:09 +02:00
Takashi Norimatsu
3889eeda30
Client Policies: pkce-enforcer executor with client-access-type condition is not applied on client change via Admin API
...
Closes #12295
2022-06-06 11:30:48 +02:00
mposolda
f90fbb9c71
Changing locale on logout confirmation did not work
...
Closes #11951
2022-05-31 16:03:58 +02:00
Takashi Norimatsu
d083b6c484
ciba http auth channel sends client_id and client_secret via delegation request
...
Closes #10993
2022-05-31 08:22:50 +02:00
vramik
be28e866b9
JPA map storage: Authorization services no-downtime store
...
Closes #9669
2022-05-30 21:05:34 +02:00
mposolda
4222de8f41
OIDC RP-Initiated Logout POST method support
...
Closes #11958
2022-05-30 14:10:58 +02:00
Stefan Guilhen
808738220f
Change CodeGenerateUtil so that it doesn't add/remove the code in an inner transaction
...
Fixes #11617
2022-05-30 12:55:48 +02:00
Marek Posolda
cf386efa40
Support for client_id parameter in OIDC RP-Initiated logout endpoint ( #12202 )
...
Closes #12002
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-05-27 14:12:37 +02:00
Dmitry Telegin
86883fd68a
Remove org.keycloak.protocol.oidc.TokenManager.RefreshResult ( #12196 )
...
Closes #12194
2022-05-27 13:00:10 +02:00
Marek Posolda
eed944292b
Make script providers working on JDK 17 ( #11322 )
...
Closes #9945
2022-05-27 12:28:50 +02:00
Luca Leonardo Scorcia
27650ab816
Fix #10982 SAML Client - Introduce SAML Issuer validation
2022-05-27 10:58:10 +02:00
Yoshikazu Nojima
9fc6114ccd
Update webauth4j dependency version to 0.19.3.RELEASE ( #11927 )
...
Resolves #9506
2022-05-18 06:54:34 -03:00
Michal Hajas
0bda7e6038
Introduce map event store with CHM implementation
...
Closes #11189
2022-05-17 12:57:35 +02:00
Takashi Norimatsu
9541852a9b
ID token encryption without specifying id_token_encrypted_response_enc does not follow OIDC Dynamic Client Registration specification
...
Closes #11392
2022-05-16 09:05:22 +02:00
Takashi Norimatsu
7fa24d247a
Deprecated org.keycloak.jose.jws.Algorithm is used in OIDCAdvancedConfigWrapper
...
Closes #11394
2022-05-16 08:56:57 +02:00
Martin Kanis
0d6bbd437f
Merge single-use token providers into one
...
Fixes first part of: #11173
* Merge single-use token providers into one
* Remove PushedAuthzRequestStoreProvider
* Remove OAuth2DeviceTokenStoreProvider
* Delete SamlArtifactSessionMappingStoreProvider
* SingleUseTokenStoreProvider cleanup
* Addressing Michal's comments
* Add contains method
* Add revoked suffix
* Rename to SingleUseObjectProvider
2022-05-11 13:58:58 +02:00
Michal Hajas
d3b43a9f59
Make sure there is always Realm or ResourceServer when searching for authz entities
...
Closes #11817
2022-05-11 07:20:01 -03:00
Réda Housni Alaoui
5d87cdf1c6
KEYCLOAK-6455 Ability to require email to be verified before changing ( #7943 )
...
Closes #11875
2022-05-09 18:52:22 +02:00
Pedro Igor
eab2dff979
Loading message bundles using the flat-classpath theme provider ( #11711 )
...
Closes #11186
2022-05-05 15:34:54 +02:00
vramik
0d83b51b20
Enhance Map authz entities with REALM_ID (ResourceServer with CLIENT_ID) searchable field
...
Co-authored-by Michal Hajas <mhajas@redhat.com>
Closes #10883
2022-05-03 12:56:27 +02:00
vramik
2ecf250e37
Deletion of all objects when realm is being removed
...
Closes #11076
2022-04-28 11:09:17 +02:00
Guus der Kinderen
8d3a4803bb
Prevent service account lookup when feature is disabled on client ( #9579 )
...
Closes #9563
2022-04-26 09:12:46 +02:00
Hynek Mlnarik
0ce5dfc09c
Remove dependency of map on services
...
Fixes: 8903
2022-04-22 17:27:21 +02:00
Jeff Tian
b356618cc2
docs: Correct the base path for Admin REST APIs. #11007 ( #10933 )
2022-04-22 11:24:07 +02:00
Pedro Igor
76d83f46fa
Avoid clients exchanging tokens using tokens issued to other clients ( #11542 )
2022-04-20 19:14:55 +02:00
Stian Thorgersen
ac79fd0c23
Disallow special characters in usernames to prevent confusion with similarly looking usernames ( #11531 )
...
Closes #11532
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-04-20 15:53:15 +02:00
Stefan Guilhen
b29b27d731
Ensure code does not rely on a particular format for the realm id or component id
2022-04-20 14:40:38 +02:00
Stefan Guilhen
ae90b232ff
Realms Map JPA implementation
...
Closes #9661
2022-04-20 14:40:38 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature ( #11117 )
...
Closes #9865
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-04-20 14:25:16 +02:00
Martin Bartoš
3aa3db16ea
Fix error response for invalid characters ( #11533 )
...
Fixes #11530
2022-04-20 11:26:08 +02:00
m-takai
5f0e27a792
Add duplicate parameters check process in Device Authz Endpoint.
...
AuthorizationEndpointRequest class already checks duplicated parameters but DeviceEndpoint class has not checked its error. Thus a check process is added in handleDeviceRequest()
Closes #11294
2022-04-19 14:20:39 +02:00
Pedro Igor
c5e4dc8cec
Associated permissions should only add resource type permissions if the resource is an instance ( #11220 )
...
Closes #11148
2022-04-19 09:10:14 +02:00
Pedro Igor
52d205ca91
Allow exposing some initial provider config options via web site ( #10572 )
...
* Allow exposing some initial provider config options via web site
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Closes #10571
* Include type to provider options, and hide build-icon column as it's not relevant
Co-authored-by: stianst <stianst@gmail.com>
2022-04-19 08:01:42 +02:00
msvechla
820ab52dce
Add support for filtering by enabled attribute on users count endpoint ( #9842 )
...
Resolves #10896
2022-04-13 13:57:22 -03:00
Pedro Igor
7058a123b1
Avoid initializing the OWASP HTML Sanitizer at startup
...
Closes #11261
2022-04-13 08:21:53 -03:00
bamanuel
7652bbfcd1
Fix unmatched braces in error log formatter
...
Closes #11252
2022-04-13 08:03:29 -03:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted ( #10519 )
...
Close #10517
2022-04-12 14:01:14 +02:00
mposolda
fb81242658
Script Mapper Performance Issues
...
Closes #11005
2022-04-08 09:47:43 -03:00
Neon Ngo
f11573eeb2
KEYCLOAK-13828 Allow override of baseUrl and apiUrl in GitHub identity provider ( #7021 )
...
Allow override of baseUrl & apiUrl in GitHub identity provider
Closes #11144
2022-04-06 13:45:11 +02:00
Tyler Andor
caebe50d7e
Updates patternfly libs and fixes breaking changes ( #10748 )
...
adding nvmrc
CIAM-1048 Device Activity screen PF updates
CIAM-1046: Personal Info sub-header update
Updates SigningInPage to use EmptyState component when there are no credentials.
rearanged some components used in signing in page
Displays ApplicationPage content in description list.
Updates refresh link on ContentPage, updates Resources screen.
CIAM-1049 Linked Accounts screen PF updates
CIAM-1043-General upstream updates
Updates AccountPage to display form errors.
fix: display Set up Authenticator Application link on large viewport
fix(page structure): rearranges page sections
CIAM-1254/Personal info PF4 updates & Sidebar text updates
updating layouts
updating layout on Signing in and Linked acounts
adding patternfly-additions
adding patternfly-addons styles
Updates Application page based on designs feedback.
moving page description
Updates status label on Applications page to be capitalized.
Updates the copy-fonts script for keycloak.v2 to copy all font directories instead of one.
update Personal info screen - set max width of 600px for form input fields
update Personal info - remove required indicator from input fields
General updates (#2 )
* removed the extra lines being shown
* tweaked general spacing
* general alignment and spacer application
* refactor to get proper alignments without css globals
* forgot to add the conditional on displaying the set up buttons
* try and adjust the alignments
Co-authored-by: zwitter <zwitter@redhat.com>
resolve merge conflicts
Device activity updates (#4 )
* update text to sentence case
* update device info columns to be dynamic across various viewport sizes
* update signed in device layout
* update based on feedback
Co-authored-by: Jon Szeto <jszeto@redhat.com>
Linked accounts update (#3 )
* linked accounts screen - updated icons & Linked/Unlinked Login Providers layout & update text to sentence case
Co-authored-by: Jon Szeto <jszeto@redhat.com>
fixing ts errors
cleaning up fonts and messages
final review updates
message update for Back to admin console link
fixing capitalization on 2fa
updating landing page welcome message
fix: reposition Back to... link
adjusting size for confirm modal
updating spacing and alignment issues
updating resources page
removing unused header class
fixes ts issues and updates node version to match the themes install
npm updates
fixing pf addons
adding chokidar to get babel:watch working
fixing issues from pull request feedback
fixing tests
fixes signingin page test
fixing tests
Co-authored-by: Tyler Andor <tandor@highereducation.com>
2022-04-06 13:00:38 +02:00
Stian Thorgersen
7c64f28934
Change admin console to load keycloak.js using a relative URL ( #11109 )
...
* Change admin console to load keycloak.js using a relative URL
Closes #11108
* fix tests
Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-04-06 09:35:26 +02:00
Pedro Igor
2b5d68d645
Allow resoving theme resources from flat classpath ( #10989 )
...
Closes #10951
2022-04-05 09:16:20 +02:00
Douglas Palmer
f57d0dd100
Automated tests for session limits authenticator (browser, direct grant, reset password) ( #11046 )
...
Closes #11003
2022-04-01 18:44:38 +02:00
Michal Hajas
44000caaf5
KEYCLOAK-19177 Disable ECP flow by default for all Saml clients; ecp flow creates only transient users sessions
2022-03-31 16:06:44 +02:00
iingawal
6016b461db
Fix for "updatedAt" user attribute in "profile" client scope should use number instead of String ( #11020 )
...
Closes #10081
Co-authored-by: Indrajit Ingawale <iingawal@iingawal.pnq.csb>
2022-03-31 14:33:03 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter ( #11009 )
...
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
2022-03-31 14:25:24 +02:00
Marek Posolda
22a16ee899
OIDC RP-Initiated logout endpoint ( #10887 )
...
* OIDC RP-Initiated logout endpoint
Closes #10885
Co-Authored-By: Marek Posolda <mposolda@gmail.com>
* Review feedback
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-03-30 11:55:26 +02:00
Marcelo Daniel Silva Sales
2b996b12a1
update javadoc for client secret rotation REST service ( #10990 )
...
Closes #10610
2022-03-29 21:46:54 +02:00
Marcelo Daniel Silva Sales
091b1472ce
Introduce client secret rotation dynamic registration ( #10952 )
...
Closes #10609
2022-03-28 20:39:11 +02:00
Konstantinos Georgilakis
99fa6275c1
KEYCLOAK-19313 configure the name format in Attribute Importer IdP Mapper
2022-03-25 09:42:22 +01:00
Robin Windey
eaf7c515f2
Fix typo in exception message
2022-03-24 12:43:33 +01:00
Alexander Schwartz
3ebfc91b75
Reduce logging of errors due to the bounded queue
...
Closes #10588
2022-03-23 15:42:06 +01:00
Takashi Norimatsu
9c01d819cb
Client Policies : An executor rejecting all requests
...
Closes #9097
2022-03-23 12:45:38 +01:00
iingawal
b773857a80
Display email address in login-verify-email.ftl ( #10870 )
...
Closes #8873
2022-03-23 12:44:21 +01:00
Marcelo Daniel Silva Sales
6efa45f93e
Update secret rotation when the policy is enabled using jwt ( #10853 )
...
Closes #10666
2022-03-23 08:25:58 +01:00
Michal Hajas
99c06d1102
Authorization services refactoring
...
Closes : #10447
* Prepare logical layer to distinguish between ResourceServer id and client.id
* Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz
* Prepare Logical (Models/Adapters) layer for returning other models instead of ids
* Replace resourceServerId with resourceServer model in PermissionTicketStore
* Replace resourceServerId with resourceServer model in PolicyStore
* Replace resourceServerId with resourceServer model in ScopeStore
* Replace resourceServerId with resourceServer model in ResourceStore
* Fix PermissionTicketStore bug
* Fix NPEs in caching layer
* Replace primitive int with Integer for pagination parameters
2022-03-22 20:49:40 +01:00
keycloak-bot
c71aa8b711
Set version to 999-SNAPSHOT ( #10784 )
2022-03-22 09:22:48 +01:00
Joaquim Fellmann
92c4e6d585
KEYCLOAK-16134 Allow webauthn idless login flow ( #7860 )
...
Closes #10832
2022-03-21 11:37:33 +01:00
mposolda
9e12587181
Protocol mapper and client scope for 'acr' claim
...
Closes #10161
2022-03-11 09:23:25 +01:00
Ivan Atanasov
5c6b123aff
Support for the Recovery codes ( #8730 )
...
Closes #9540
Co-authored-by: Zachary Witter <torquekma@gmail.com>
Co-authored-by: stelewis-redhat <91681638+stelewis-redhat@users.noreply.github.com>
2022-03-10 15:49:25 +01:00
rmartinc
a7c8aa1dd3
[ #10616 ] Incorrect username logged for federated accounts ( #10662 )
...
Closes #10616
2022-03-10 13:21:39 +01:00
Marcelo Daniel Silva Sales
0c25da542c
Update secret rotation when the policy is disabled ( #10674 )
...
Closes #10667
2022-03-10 13:03:09 +01:00
Marcelo Daniel Silva Sales
7335abaf08
Keycloak 10489 support for client secret rotation ( #10603 )
...
Closes #10602
2022-03-09 00:05:14 +01:00
mposolda
d394e51674
Introduce profile 'feature' for step-up authentication enabled by default
...
Closes #10315
2022-03-08 14:42:46 +01:00
mposolda
93bba8e338
Replace 'Store LoA in User Session' with 'Max Age'. Refactoring of step-up authentications related to that.
...
Closes #10205
2022-03-08 10:41:05 +01:00
Martin Bartoš
02d0fe82bc
Auth execution 'Condition - User Attribute' missing
...
Closes #9895
2022-03-08 08:24:48 +01:00
Michal Hajas
f77ce315bb
Disable Authz caching for new storage tests
...
Closes #10500
2022-03-07 10:22:55 -03:00
Takashi Norimatsu
201277b897
Handle OIDC authz request with "response_type" missing and "response_mode=form_post"
...
Closes #10144
2022-03-04 13:31:40 +01:00
Takashi Norimatsu
92f6c75328
Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type
...
Closes #10143
2022-03-03 13:26:39 +01:00
Daniel Gozalo
76101e3591
[ fixes #9225 ] - Get scopeIds from the AuthorizationRequestContext instead of session if DYNAMIC_SCOPES are enabled
...
Add a test to make sure ProtocolMappers run with Dynamic Scopes
Change the way we create the DefaultClientSessionContext with respect to OAuth2 scopes, and standardize the way we obtain them from the parameter
2022-03-01 13:47:58 +01:00
Vlasta Ramik
aa6a131b73
Change String client.id to ClientModel client in ResourceServerStore
...
Closes #10442
2022-02-24 12:46:26 +01:00
Alexander Volkov
91a51d276f
Realm translations are being added to the account console. ( #10329 )
...
For the account console translations are being fetched from the realm translations as well as from the theme properties.
Closes #10328
2022-02-23 08:35:10 -05:00
treydock
b26a1a4803
KEYCLOAK-18334 Fix null pointer exception when viewing flow executions ( #8121 )
...
* KEYCLOAK-18334 Fix null pointer exception when viewing flow executions
Closes #10371
2022-02-22 09:31:25 +01:00
Dominik Guhr
9358535161
Fix admin user creation message when calling quarkus welcomepage from remote ( #10362 )
...
For wildfly, everything is as before. For Quarkus, we check if http is enabled and provide the right port and scheme if so, and also we are relative-path aware.
Closes #10335
2022-02-22 08:19:45 +01:00
Marek Posolda
8c3fc5a60e
Option for client to specify default acr level ( #10364 )
...
Closes #10160
2022-02-22 07:54:30 +01:00
Marek Posolda
caf37b1f70
Support for acr_values_supported in OIDC well-known endpoint ( #10265 )
...
* Support for acr_values_supported in OIDC well-known endpoint
closes #10159
2022-02-18 11:33:31 +01:00
Filipe Bojikian Rissi
323c08c8cc
KEYCLOAK-19519 Encryption algorithm RSA-OAEP with A256GCM ( #8553 )
...
Closes #10300
2022-02-17 17:41:54 +01:00
Stian Thorgersen
2fd5a1f4fc
Revert "KEYCLOAK-19602 moved create/update admin console event after commit, to prevent false alarm to event listeners" ( #10278 )
...
This reverts commit 31d8a927ff
.
2022-02-17 10:16:32 +01:00
Satria Hu
31d8a927ff
KEYCLOAK-19602 moved create/update admin console event after commit, to prevent false alarm to event listeners
2022-02-16 19:53:29 -03:00
Pedro Igor
7da3953435
Path parameter is missing in the get account endpoint
...
Closes #10055
2022-02-15 15:44:05 -03:00
Pedro Igor
f3c3bb5001
Removing unnecessary code paths during startup ( #10131 )
...
Closes #10130
2022-02-15 12:09:14 +01:00
Marek Posolda
90d4e586b6
Show error in case of an unkown essential acr claim. Make sure correc… ( #10088 )
...
* Show error in case of an unkown essential acr claim. Make sure correct acr is set after authentication flow during step-up authentication
Closes #8724
Co-authored-by: Cornelia Lahnsteiner <cornelia.lahnsteiner@prime-sign.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-02-15 09:02:05 +01:00
Dominik Guhr
5d781304e7
Fix idelauncher resourceloading
...
caused by doubled slashes when getting the path for resources while running IDELauncher. So now we sanitize them. Tests by building and running wf and quarkus distribution, running from idelauncher and running using quarkus:dev, assets got always loaded.
closes #9942
2022-02-14 15:51:58 -03:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT ( #10165 )
2022-02-11 21:28:06 +01:00
Francis PEROT
623aaf1e8b
Fixes collection comparison ignoring order
...
Use of containsAll() does not permit to compare if 2 lists are equals
(ignoring order)
Previous implementation of CollectionUtil.collectionEquals(...) was not taking care of specific cases where you can have [ A, A, B ] and [ A, B, B ] and complexity was O(n²)
Using Map, complexity is now O(n)
Closes #9920
2022-02-11 10:01:41 +01:00
Martin Bartoš
6c09ec6de6
Hide 'unknown' transport media type label for WebAuthn authenticators
...
Closes #10036
2022-02-11 08:28:50 +01:00
Martin Bartoš
75c7491b85
Remove external Collection utility class for WebAuthn
...
Closes #10034
2022-02-09 11:53:03 +01:00
Mauro de Wit
2c238b9f04
session-limiting-feature ( #8260 )
...
Closes #10077
2022-02-08 19:16:06 +01:00
Alexander Schwartz
100dbb8781
Rework escaping of special characters in message properties for account console ( #9995 )
...
Closes #9503
2022-02-07 14:47:03 -05:00
Martin Bartoš
5494848f3f
Not possible to register webauthn key on Firefox
...
Closes #10020
2022-02-07 12:21:22 +01:00
Marek Posolda
d9c8cb30a5
Closes #9498 - Fix cases when user is forced to re-authenticate ( #9580 )
2022-02-07 09:02:08 +01:00
Martin Bartoš
d82122b982
Store information about transport media of WebAuthn authenticator
...
Closes #9800
2022-02-04 19:36:30 +01:00
Takashi Norimatsu
07d43f31f3
Expected Scopes of ClientScopesCondition created on Admin UI are not saved onto ClientScopesCondition.Configuration
...
Closes #9371
2022-02-04 18:02:15 +01:00
Martin Kanis
0471ec4941
Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded
2022-02-03 21:43:47 +01:00
Konstantinos Georgilakis
a1f2f77b82
Device Authorization Grant with PKCE
...
Closes #9710
2022-02-03 08:37:07 +01:00
Daniel Gozalo
db4642d250
[ fixes #9919 ] - Enable Dynamic Scopes for the resource-owner-password-credentials grant
...
Change some calls to the new AuthorizationContextUtil class and add tests for the client-credentials grant
2022-02-03 08:19:44 +01:00
Marek Posolda
d27635fb1b
Fixing for token revocation checks only ( #9707 )
...
Closes #9705
2022-02-02 15:21:44 +01:00
Daniel Gozalo
3528e7ba54
[ fixes #9224 ] - Get consented scopes from AuthorizationContext
...
Always show the consent screen when a dynamic scope is requested and show the requested parameter
Improve the code that handles dynamic scopes consent and add some log traces
Add a test to check how we show dynamic scope in the consent screen and added missing template file change
Fix merge problem in comment and improve other comments
Fix the Dynamic Scope test by assigning it to the client as optional instead of default
Change how dynamic scopes are represented in the consent screen and adapt test
2022-02-02 09:10:20 +01:00
Martin Bartoš
c40e842b45
Verify the WebAuthn functionality and settings for authentication ( #9851 )
...
* Verify the WebAuthn functionality and settings for authentication
Closes #9504
2022-01-31 15:42:08 +01:00
Alexander Schwartz
df7ddbf9b3
Added ModelIllegalStateException to handle lazy loading exception.
...
Closes #9645
2022-01-31 10:10:41 +01:00
Stian Thorgersen
d1d656162d
Enable keycloak.v2 admin theme by default when admin2 feature is enabled ( #9859 )
...
Closes #9858
2022-01-28 13:24:50 +01:00
Takashi Norimatsu
ef134390c2
Client Policies : Condition's negative logic configuration is not shown in Admin Console's form view
...
Closes #9447
2022-01-27 09:55:22 +01:00
Daniel Gozalo
4136bf7700
[ fixes #9750 ] Make sure a Dynamic scope isn't assignable to a client as a default scope, and only show non-dynamic scopes in the available client scopes client menu
2022-01-26 13:32:04 +01:00
Daniel Gozalo
dad51773ea
[ fixes #9223 ] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes
...
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker
Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext
Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing
Move the AuthorizationRequest objects to server-spi
Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it
Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time
Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag
Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag
Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user
Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more
Test how the server genereates the AuthorizationDetails object
Fix formatting, move classes to better packages and fix parent test class by making it Abstract
Match Dynamic scopes to Optional scopes only and fix tests
Avoid running these tests on remote auth servers
2022-01-26 13:19:23 +01:00
Thomas Darimont
438fc2865f
Fix embedded theme-resources lookup in Keycloak.X
...
Previously lookups for embedded theme-resources did not work for Keycloak.X because of a missing
`ClasspathThemeResourceProvider` registration.
This PR ensures that a `ClasspathThemeResourceProvider` is registered in Keycloak.X based deployments.
Added empty constructors to ClasspathThemeResourceProvider to enable dynamic instantiation by Quarkus.
Fixes #9653
2022-01-21 09:52:26 -03:00
mposolda
3dd97f3f2f
Fix migration test
...
Closes #9550
2022-01-20 13:42:47 +01:00
Konstantinos Georgilakis
0c9ab32cf4
Fix scope bug in device authorization request
...
Closes #9617
2022-01-19 18:13:42 +01:00
Pedro Igor
4c747047ce
Backward compatibility for lower-case bearer type in token responses ( #9538 )
...
Closes #9537
2022-01-13 08:34:45 +01:00
Daniel Gozalo
8ea09d3816
[ fixes #9222 ] - Let users configure Dynamic Client Scopes ( #9327 )
2022-01-12 14:27:24 +01:00
Marek Posolda
8f221bb21e
Validation for CIBA binding_message parameter ( #9470 )
...
closes #9469
2022-01-11 11:19:15 +01:00
Martin Bartoš
d75d28468e
KEYCLOAK-19490 Add more details about 2FA to authenticate page ( #9252 )
...
Closes #9494
2022-01-11 09:16:22 +01:00
CorneliaLahnsteiner
dff79cee3c
KEYCLOAK-847 Add support for step up authentication ( #7897 )
...
KEYCLOAK-847 Fix behavior of unknown not essential acr claim
Co-authored-by: Georg Romstorfer <georg.romstorfer@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2021-12-22 12:43:12 +01:00
keycloak-bot
9f3d4a7d42
Set version to 17.0.0-SNAPSHOT
2021-12-20 10:50:39 +01:00
Stian Thorgersen
45e9243054
Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users ( #9211 )
...
* Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users
Co-authored-by: stianst <stianst@gmail.com>
* fixing test
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 14:45:56 +01:00
vramik
e61da278ba
When ternary conditional operator uses primitive type it could throw NPE in some cases
...
Closes #9137
2021-12-15 10:25:54 +01:00
Pedro Igor
7dc5556b40
[ fixes #9092 ] - Avoid failing when request is not a form-urlencoded
2021-12-14 03:32:43 -08:00
stianst
85240c9606
Remove deprecated kcinit from keycloak
...
Closes #9106
2021-12-13 15:51:51 +01:00
thomasmicro
c474e770fe
Clarify Admin UI Name of NoCookieFlowRedirectAuthenticator
...
In the Admin UI, the Authenticator was simply called Browser Redirect/Refresh which gives the impression that it is a generic redirector (which would be a cool validator).
This Quick Fix changes the Name to "Browser Redirect for Cookie free authentication" which should bring more clarity.
2021-12-13 13:14:49 +01:00
Martin Bartoš
3a2bf0c04b
WebAuthnAuthenticator add timeout property
2021-12-12 11:36:51 +01:00
Hynek Mlnarik
95614e8b40
Fix NPE for component creation when realm unset but config known
...
Fixes #9019
2021-12-07 20:15:05 +01:00
Yoshiyuki Tabata
b1eeb0626e
KEYCLOAK-13847 fix offline token refresh date
2021-12-01 08:30:08 +01:00
Andre Fucs de Miranda
b03b390dd2
KEYCLOAK-19228: Prevent user enumeration in FIPS mode
2021-11-24 18:11:27 +01:00
Nemanja Hiršl
c9e1e00b95
KEYCLOAK-19773 BFD and Direct Grant - inconsistent number of failures
...
Do not "failure" on temporary or permanently locked users, but "forceChallenge"
Failure increments number of failures, and forceChallenge doesn't
Test cases cover:
1. Already disabled users
2. Temporarily disabled users by BFD
3. Permanently disabled users by BFD
2021-11-24 15:28:18 +01:00
Martin Bartoš
1e1a6779be
Issue 8814: Replace deprecated hamcrest-all dependencies
2021-11-23 13:56:28 +01:00
bal1imb
661aca4452
KEYCLOAK-19283 Implemented new identity provider mapper "Advanced claim to group mapper" alongside tests.
2021-11-19 16:54:39 +01:00
Hiroyuki Wada
884471c729
KEYCLOAK-19237 Avoid using stream that has been operated
2021-11-18 17:46:35 +01:00
Takashi Norimatsu
10c3e149d3
KEYCLOAK-19699 RSA key provider with key use = enc cannot select corresponding algorithm on Admin Console
2021-11-18 13:24:50 +01:00
Olivier Boudet
ed6eea26ea
KEYCLOAK-19413 Allows to set login_hint on registration and reset-credentials pages
2021-11-18 13:17:10 +01:00
Konstantinos Georgilakis
63c9845cb9
KEYCLOAK-18276 client content screen enhancement
2021-11-18 13:15:02 +01:00
Martin Bartoš
b17f0695ee
8793 User Profile multiple implementations
2021-11-15 08:46:34 +01:00
David Perrenoud
36da2d20e9
KEYCLOAK-17039 Local file in a webview fails when requesting with "Origin: null" since 11.0.2
2021-11-11 10:55:33 +01:00
Yoshiyuki Tabata
9be4c289d8
KEYCLOAK-18440 Improve logging for token introspection
2021-11-08 15:26:52 +01:00
rmartinc
a4c4c00d00
[KEYCLOAK-14309] Duplicate sub claim at JSON level
2021-11-08 11:54:39 +01:00
Alec Henninger
cec6a8a884
KEYCLOAK-19700: Attempt to reuse denied device authorization code results in server error
2021-11-08 11:37:51 +01:00
Takashi Norimatsu
d0493b4306
KEYCLOAK-19723 Existing ECDSA key provider's key pair is not regenerated when its curve is changed on Admin Console
2021-11-05 10:05:40 +01:00
mposolda
5740e158e3
KEYCLOAK-18744 OpenBanking Brasil fix for X509 client authentication. More flexibility in Subject DN comparison.
2021-11-05 09:10:50 +01:00
Luca Leonardo Scorcia
e99b363ba0
KEYCLOAK-18879 Generate RequestedAttribute SP metadata for SAML Attribute Role Mappers
2021-11-04 11:15:32 +01:00
Bruno Oliveira da Silva
16db810b03
[KEYCLOAK-19754] - Update documentation files to remove problematic language in the main repository
2021-11-04 10:08:56 +01:00
Pedro Igor
eaa96f6147
[KEYCLOAK-18255] - Vault Support in Dist.X
2021-11-03 09:23:33 -03:00
Martin Bartoš
bfce612641
KEYCLOAK-18338 Fix update user account with configured SSSD
2021-11-02 08:42:07 +01:00
Joerg Matysiak
afc5cb4d14
KEYCLOAK-19617 Simplify creation of custom user profiles
...
* DeclarativeUserProfileProvider passes its ID to DeclarativeUserProfileModel, so this also works for derived classes.
* Moved creation of declarative user profile model to a protected factory method to allow subclasses to provide their own implementation.
* Added integration tests for custom user profile
* configured declarative-user-profile as default user profile provider in test servers
* Restore previously configured default provider after test with special provider settings
* Some refactoring in SpiProviderSwitchingUtils
2021-10-28 08:26:11 -03:00
Takashi Norimatsu
0d62c6d498
KEYCLOAK-19565 Client Policies : Wrong SecureLogoutExecutor's provider ID
2021-10-25 13:49:48 +02:00
Konstantinos Georgilakis
a5c8c45551
KEYCLOAK-19388 correct AttributeConsumingService bug in SAML SP metadata
2021-10-21 20:24:46 +02:00
Takashi Norimatsu
263161ff66
KEYCLOAK-19540 FAPI 2.0 Baseline : Reject Resource Owner Password Credentials Grant
2021-10-21 09:13:12 +02:00
Pham Hoang Nam
e87952d1ad
Fix logout-all enpoint return json format
2021-10-20 11:37:49 -03:00
Thomas Darimont
9857a04895
KEYCLOAK-16107 Enable ScriptBasedOIDCProtocolMapper to return JSON objects directly
...
We now allow to return JSON objects directly from a ScriptBasedOIDCProtocolMapper, by
adding support to turn objects that implement the java.util.Map into JsonNodes.
Previously returning JSON objects directly caused an exception during runtime.
2021-10-19 11:21:26 -03:00
Alec Henninger
c392538f69
KEYCLOAK-19575: Different user authenticated results in server error instead of bad request
2021-10-19 13:52:11 +02:00
Douglas Palmer
73f0474008
[KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader
2021-10-18 10:23:06 +02:00
Václav Muzikář
7d0af8519b
KEYCLOAK-19080 Simplify the RHSSO setup in an OpenShift Disconnected cluster
...
KEYCLOAK-19080 Simplify the RHSSO setup in an OpenShift Disconnected cluster
2021-10-18 09:35:32 +02:00
mposolda
7010017e0e
KEYCLOAK-19555 Improvements in ConsentRequiredExecutor of client policies
2021-10-16 14:11:18 +02:00
Dominik Guhr
a3b23700ea
KEYCLOAK-19553 Fix Resteasy Bug in Authenticators for Keycloak.X
2021-10-15 14:24:46 -03:00
Thomas Darimont
b1bcd5d66e
KEYCLOAK-12754 Honor nested composite roles when creating roles via REST API ( #7097 )
...
* KEYCLOAK-12754 Honor nested composite roles when creating roles via REST API
- Validate composite roles when creating roles via REST API
2021-10-15 10:33:19 -03:00
mposolda
acd00a492b
KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for FAPI clients
2021-10-15 11:17:59 +02:00
Bart Monhemius
5b0986e490
[KEYCLOAK-18891] Add support for searching users by custom user attributes
...
Users can now be searched by custom attributes using 'q' in the query parameters. The implementation is roughly the same as search clients by custom attributes.
2021-10-12 13:08:47 +02:00
R Yamada
891c8e1a12
[KEYCLOAK-17653] - OIDC Frontchannel logout support
2021-10-07 15:27:19 -03:00
Dominik
97ee8832a3
KEYCLOAK-19079 Add special case for kubeadmin without uid and OCP4
2021-10-07 14:29:00 -03:00
Martin Kanis
30b3caee9f
KEYCLOAK-18445 Add support for cross-site model tests
2021-10-06 14:37:06 +02:00
Seth
90947404a5
KEYCLOAK-16380 Make IdP display name available to idp link email subject ( #7626 )
...
KEYCLOAK-16380 Make IdP display name available to idp link email subject
2021-10-04 11:10:18 +02:00
Michal Hajas
da0c945475
KEYCLOAK-18940 Add support for searching composite roles
2021-10-01 12:41:19 +02:00
Nathan Strobbe
64717f650b
KEYCLOAK-15167 Retrieve email from Twitter IdP
2021-10-01 09:45:20 +02:00
Luca Leonardo Scorcia
43a3c676f7
KEYCLOAK-16456 X509 Auth: add option for OCSP fail-open behavior
2021-10-01 08:37:01 +02:00
Luca Leonardo Scorcia
9838a47662
KEYCLOAK-16520 X509 Auth: Add option to verify certificate policy
2021-09-30 16:36:05 +02:00
Daniel Fesenmeyer
0a2f8f5b63
KEYCLOAK-17887 fix endpoint for creating or updating realm localization texts for a given locale (UnsupportedOperation was thrown because RealmAdapter tried to change unmodifiable map):
...
- fix RealmAdapter to create a new map instead of trying to change unmodifiable map
- only provide POST endpoints for creating or updating the texts (to have the endpoints consistent with other Admin API endpoints)
- add tests
2021-09-30 15:07:56 +02:00
stianst
f471a110cd
KEYCLOAK-19408 Better client secrets
2021-09-29 18:19:43 +02:00
stianst
12c7bc7350
KEYCLOAK-19410 Compile issues in IntelliJ due to imports of sun packages
2021-09-28 14:59:33 +02:00
Václav Muzikář
69a146db7e
KEYCLOAK-18128 Keycloak cannot fetch group claims from openshift
2021-09-27 08:05:43 -03:00
Daniel Fesenmeyer
339224578e
KEYCLOAK-10603 adjust assignments to roles (user-role and group-role assignments, client-scope and client "scope mappings"): allow assignments of roles which are already indirectly assigned (e.g. by composite role)
...
- extend RoleMapperModel with method hasDirectRole(RoleModel), which only checks for direct assignment in contrast to the existing method hasRole(RoleModel)
- extend ScopeContainerModel with method hasDirectScope(RoleModel), which only checks for direct scope mapping in contrast to the existing method hasScope(RoleModel)
- use the new hasDirectRole and hasDirectScope methods to check whether a role is in the "available" list and whether it can be assigned (previously, the hasRole method was used for this purpose)
- add hint to UI that available roles contain effectively assigned roles which are not directly assigned
- adjust and extend tests
2021-09-22 13:56:29 +02:00
Nikolas Laskaris
8f09d34272
KEYCLOAK-18288 ( #8096 )
...
RealmsAdminResource now returns also a brief representation (not by default, to be backwards compatible) for realms[] if the appropriate flag is sent.
2021-09-20 15:32:15 -04:00
Vlastimil Elias
28e220fa6d
KEYCLOAK-18497 - Support different input types in built-in dynamic forms
2021-09-20 09:14:49 -03:00
Takashi Norimatsu
375e47877e
KEYCLOAK-18558 Client Policy - Endpoint : support Device Authorization Endpoint
2021-09-20 11:22:58 +02:00
Jess Thrysoee
b4fe7bbda2
KEYCLOAK-19344 Add CORS to Device Authorization Request
...
Add CORS headers to the Device Authorization Request (OAuth 2.0 Device Authorization Grant)
to make it available for non-confidential public webbrowser based clients, e.g. SPA like
signage or kiosk webapps.
2021-09-20 10:32:10 +02:00
chen kqing
c9809f0151
KEYCLOAK-18873 href attribute of a "Unable to scan?" tag is wrong in "Configure TOTP" page
2021-09-20 10:09:58 +02:00
Sophie Tauchert
b5d477c421
[KEYCLOAK-18556] Check for federated credentials when resolving authenticators
2021-09-15 16:54:56 +02:00
Stan Silvert
93e229e45d
KEYCLOAK-18512: Integrate New Admin Console into Keycloak build ( #8366 )
...
* KEYCLOAK-18512: Integrate New Admin Console into Keycloak build
* KEYCLOAK-18512: Integrate New Admin Console into Keycloak build
* Change version to project version. Make experimental.
* Add PAT for reading packages (#12 )
* Add PAT for reading packages
* Encode token
* Use generic GH account for installation of packages
* Enable Github packages repo only for snapshots
* KEYCLOAK-18512: Make ADMIN2 experimental instead of preview
* KEYCLOAK-18512: Remove early return
* KEYCLOAK-18512: Fix formatting issue
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2021-09-15 10:09:06 -04:00
Vlastimil Elias
2be5f528e4
KEYCLOAK-18700 - consistently record User profile attribute changes in
...
UPDATE_PROFILE event
2021-09-15 08:26:01 -03:00
bohmber
4fe7d6d318
KEYCLOAK-17110
...
LDAP Connection Pool not used with org.keycloak.truststore.SSLSocketFactory
2021-09-15 10:55:59 +02:00
Luca Leonardo Scorcia
6d0708d263
KEYCLOAK-17368 Show forwarded errors when a default remote IdP is configured ( #7838 )
2021-09-14 09:44:59 +02:00
bal1imb
67e3df654f
KEYCLOAK-18740 Admin events trigger transaction rollback if exception is thrown.
2021-09-13 14:07:28 +02:00
Luca Leonardo Scorcia
af8354267b
KEYCLOAK-16462 X509 Auth: add option to revalidate certificate trust
2021-09-13 12:12:38 +02:00
David Hellwig
a6cd80c933
KEYCLOAK-16076 added new warining when cookies are disabled -with new branch- ( #7632 )
...
* KEYCLOAK-16076 added new warining when cookies are disabled
Co-authored-by: David Hellwig <david.hellwig@bosch.com>
Co-authored-by: Christoph Leistert <christoph.leistert@bosch-si.com>
2021-09-13 11:30:11 +02:00
Hynek Mlnarik
4518b3d3d1
KEYCLOAK-19143 Split note for broker and SP SAML request ID
2021-09-07 17:04:30 +02:00
Olivier Boudet
c7f8544b0c
KEYCLOAK-18454 Reset password : wrong email instructions when duplicates email is allowed
2021-09-02 14:44:18 +02:00
Thomas Darimont
e217e9a175
KEYCLOAK-18818 Add CORS preflight handler to token revocation endpoint
2021-08-31 10:07:32 +02:00
vramik
5fe675b612
KEYCLOAK-18841 prevent deletion of default role using RoleContainerResource
2021-08-20 12:02:07 +02:00
Thomas Darimont
f16eb4d8b9
KEYCLOAK-18954 Refactor user consent list retrieval to avoid ConcurrentModificationException
...
This avoids a ConcurrentModificationException to be thrown in UserResource.getConsents()
calls that got introduced in 4e8b18f560
by filtering
the resulting stream explicitly instead of removing items from the collection
that we iterate over, which triggered the CME in the first place.
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2021-08-18 10:39:44 +02:00
wuweixin
6431afe360
KEYCLOAK-18974 BitbucketIdentityProvider IdentityBrokerException message
...
github => bitbucket
2021-08-18 10:32:07 +02:00
rmartinc
5ff6ff57a8
[KEYCLOAK-18535] KeycloakSanitizerMethod causes java.lang.IndexOutOfBoundsException when there is more then one href in a sanitized message
2021-08-18 10:19:22 +02:00
bal1imb
269b661b8a
KEYCLOAK-16633 Prevent deletion of internal clients.
2021-08-09 11:45:03 -03:00
Martin Kanis
b42f765c2a
KEYCLOAK-18982 Token OIDC introspection endpoint should not update any of the timestamps
2021-08-05 18:21:16 +02:00
Yoshiyuki Tabata
b31b60fffe
KEYCLOAK-18341 Support JWKS OAuth2 Client Metadata in the "by value" key loading method
2021-08-05 16:52:55 +02:00
mposolda
b1d39aa136
KEYCLOAK-18949 DirectGrant login should fail if authenticationSession contains some required actions
2021-08-04 08:50:27 +02:00
carlChen
a0b01b6ef4
KEYCLOAK-16703 The username returned by token introspect endpoint is null when remove or modify username mapper
2021-08-03 17:38:37 +02:00
Florian Ritterhoff
65480cb5a1
Prevent security flaw using passwordless authentication
...
If you register without an password or delete your last token your account can be hijacked. This is can be done by simply trying to login in that moment where the account is without a token. You get the "normal" registration dialog and can capture the complete account.
2021-08-03 10:49:45 -03:00
Sebastian Kanzow
4e8e4592ca
[KEYCLOAK-18419] Support SAML 2.0 Encrypted IDs in Assertion
2021-08-03 11:55:36 +02:00
laskasn
f265d1d662
KEYCLOAK-18933
2021-08-02 15:27:08 +02:00
keycloak-bot
262ec3d031
Set version to 16.0.0-SNAPSHOT
2021-07-30 14:56:10 +02:00
Pedro Igor
afb0b16e43
[KEYCLOAK-18922] - Ignore empty values for internal attributes not set to user
2021-07-30 12:30:43 +02:00
Pedro Igor
ff70e2e04b
[KEYCLOAK-18916] - Do not consider empty values when checking read-only attributes
2021-07-29 08:46:16 +02:00
Vlastimil Elias
32f2f095fe
KEYCLOAK-7724 User Profile default validations
2021-07-29 08:42:37 +02:00
mposolda
4dacbb9e0b
KEYCLOAK-16996 User not able to revoke his offline token for directGrant clients
2021-07-29 08:04:16 +02:00
mposolda
9b0e1fff8d
KEYCLOAK-18903 More customizable OIDC WellKnown provider
2021-07-28 18:03:23 +02:00
mposolda
05dfed721a
KEYCLOAK-18636 The mtls_endpoint_aliases claim is not advertized in the discovery document
2021-07-28 13:32:31 +02:00
Pedro Igor
ef72343a6a
[KEYCLOAK-18882] - User Profile still tech preview
2021-07-28 08:45:35 +02:00
mposolda
4520cbd38c
KEYCLOAK-18904 Support cert-bound tokens when doing client credentials grant. Client policies support for client credentials grant
2021-07-28 07:24:30 +02:00
mposolda
643b3c4c5a
KEYCLOAK-18594 CIBA Ping Mode
2021-07-27 08:33:17 +02:00
Hynek Mlnarik
8889122dc1
KEYCLOAK-18845 Remove key type in map storage (simplify generics)
2021-07-23 17:04:20 +02:00
Takashi Norimatsu
9018fe9fad
KEYCLOAK-18863 Global client profile for FAPI CIBA
2021-07-23 14:30:26 +02:00
Joerg Matysiak
9dff21d0a7
KEYCLOAK-18552
...
* added group as attribute metadata
* validation for groups and references to groups
* adapted template to use show attribute groups
* test and integration tests for attribute groups
2021-07-23 09:26:21 -03:00
Takashi Norimatsu
6436716514
KEYCLOAK-18834 Client Policies : ClientScopesCondition needs to be evaluated on CIBA backchannel authentication request and token request
2021-07-23 10:06:02 +02:00
Martin Bartoš
036239a901
KEYCLOAK-18643 Generic Javascript failure in server and adapters test pipeline
2021-07-23 08:47:27 +02:00
Takashi Norimatsu
84e19f1c57
KEYCLOAK-18833 FAPI-CIBA-ID1 : need to only accept confidential client on Backchannel Authentication endpoint
2021-07-23 08:26:36 +02:00
Luca Leonardo Scorcia
6bd7420907
KEYCLOAK-17290 SAML Client - Generate AttributeConsumingService SP metadata section
2021-07-22 21:53:16 +02:00
Pedro Igor
8260c3c623
[KEYCLOAK-18860] - Fixing attributes returned from user api
2021-07-22 15:09:30 -03:00
Vlastimil Elias
f307c56fe1
KEYCLOAK-18812 UserProfile metadata in Account REST API
2021-07-22 08:46:30 -03:00
Pedro Igor
b4c940fe3f
[KEYCLOAK-18860] - Return attributes defined in user profile from user api
2021-07-22 08:32:47 -03:00
Robert Schuh
843bbf1bb3
KEYCLOAK-18852 Prevent NPE in case of missing truststore
...
even though the "return null" at the top of the method is called if no truststore is set, the finally block is still executed. And since the keystore is not there an NPE is thrown when calling the remove method.
2021-07-21 14:13:22 +02:00
Pedro Igor
d29d945cc4
[KEYCLOAK-18857] - Do not force default to RS256 when verifying tokens sent by clients and JWK does not hold an algorithm
2021-07-21 11:09:02 +02:00
Takashi Norimatsu
2c019c9ce5
KEYCLOAK-18832 FAPI-CIBA-ID1 conformance test : need to return 401 error=invalid_client if client authentication is not successfully completed on Backchannel Authentication endpoint
2021-07-21 10:13:55 +02:00
Takashi Norimatsu
8df36fbf28
KEYCLOAK-18828 FAPI-CIBA-ID1 conformance test : Additional checks of signed authentication request
2021-07-21 08:19:19 +02:00
Takashi Norimatsu
61fcbb307b
KEYCLOAK-18830 FAPI-CIBA-ID1 conformance test : HolderOfKeyEnforcerExecutor needs to be executed on CIBA token request
2021-07-21 08:07:50 +02:00
Pedro Igor
54a0e84070
[KEYCLOAK-18741] - Review error messages when validating PAR requests
2021-07-20 14:08:49 -03:00
Pedro Igor
7f34af4016
Revert "[KEYCLOAK-18425] - Allow mapping user profile attributes"
...
This reverts commit 3e07ca3c
2021-07-20 14:08:09 -03:00
mposolda
db7e247f7b
KEYCLOAK-18848 KEYCLOAK-18850 Enable CIBA and PAR by default
2021-07-20 15:59:06 +02:00
Takashi Norimatsu
f154b0b209
KEYCLOAK-18831 FAPI-CIBA-ID1 conformance test : need to return 400 if user authentication is not successfully completed
2021-07-20 10:46:16 +02:00
Takashi Norimatsu
e2c5fa20a2
KEYCLOAK-18849 Client Policy - Condition : ClientRolesCondition needs to be evaluated on PAR endpoint
2021-07-20 09:41:48 +02:00
Pedro Igor
396a78bcc4
[KEYCLOAK-18723] - Configurable constraints for request object encryption
2021-07-20 09:28:09 +02:00
Pedro Igor
730d4e8ac9
[KEYCLOAK-18807] - Fixing claims in JARM responses
2021-07-20 08:23:33 +02:00
Pedro Igor
13a08362d4
[KEYCLOAK-18819] - SecureResponseType executor shall allow response_type=code when using JARM and response_mode=jwt
2021-07-20 08:16:19 +02:00
Takashi Norimatsu
f76c07476c
KEYCLOAK-18827 FAPI-CIBA-ID1 conformance test : Client JWT authentication should allow Backchannel Authentication endpoint as audience
2021-07-20 06:39:28 +02:00
Takashi Norimatsu
02a9eb442d
KEYCLOAK-18829 FAPI-CIBA-ID1 conformance test : ClientRolesCondition needs to be evaluated on CIBA backchannel authentication request and token request
2021-07-20 06:31:10 +02:00
Pedro Igor
fe4e089e81
[KEYCLOAK-18745] - Client JWT authentication should allow PAR endpoint as audience
2021-07-19 14:23:53 -03:00
Vlastimil Elias
61aa4e6a70
KEYCLOAK-18750 - Set "Email Verified" to false when email changed in
...
UserProfile Provider
2021-07-19 11:19:29 -03:00
Takashi Norimatsu
f188f02d03
KEYCLOAK-18826 FAPI-CIBA-ID1 conformance test : ID Token needs to include auth_time claim
2021-07-19 15:11:23 +02:00
Takashi Norimatsu
63f04c1118
KEYCLOAK-18683 Client policy executor for check Backchannel signed request algorithms matching FAPI compliant algorithms
2021-07-19 14:48:31 +02:00
Pedro Igor
a79d28f115
[KEYCLOAK-18729] - Support JAR when using PAR
2021-07-19 11:42:20 +02:00
bal1imb
2c8d4ad9b4
KEYCLOAK-18590 Realm localizations of one realm must not affect themes displayed in context of other realms.
2021-07-16 16:12:58 +02:00
bal1imb
fbaeb18a5f
KEYCLOAK-18471 Added ID to admin event object.
2021-07-16 12:46:07 +02:00
Pedro Igor
f1face6973
[KEYCLOAK-18748] - Do not remove attributes when declarative provider is enabled
2021-07-15 12:00:39 -03:00
Vlastimil Elias
7618e66136
[KEYCLOAK-18541] separate template for IDP review page
2021-07-13 21:43:52 -03:00
vramik
00017b44a3
KEYCLOAK-18311 fix creation of roles during client registration
2021-07-12 11:39:47 +02:00
Pedro Igor
1baab67f3b
[KEYCLOAK-18630] - Request object encryption support
2021-07-09 11:27:30 -03:00
Vlastimil Elias
6686482ba5
[KEYCLOAK-18591] - Support a dynamic IDP user review form
2021-07-09 10:05:26 -03:00
Takashi Norimatsu
7cdcf0f93e
KEYCLOAK-18654 Client Policy - Endpoint : support Token Request by CIBA Backchannel Authentication
2021-07-09 11:24:12 +02:00
Takashi Norimatsu
43eb2b7c90
KEYCLOAK-18123 Client Policy - Executor : Enforce Backchannel Authentication Request satisfying high security level
2021-07-09 09:11:13 +02:00
Takashi Norimatsu
63b737545f
KEYCLOAK-18653 Client Policy - Endpoint : support Pushed Authorization Request Endpoint
2021-07-09 09:06:38 +02:00
Pedro Igor
4099833be8
[KEYCLOAK-18693] - Declarative profile validating read-only attribute if it exists
2021-07-08 15:22:02 -03:00
Takashi Norimatsu
dce163d3e2
KEYCLOAK-18587 CIBA signed request: Client must configure the algorithm
2021-07-08 10:16:22 +02:00
Dmitry Telegin
3b3a61dfba
KEYCLOAK-18639 Token Exchange SPI Milestone 1
2021-07-06 15:48:45 -03:00
Benjamin Weimer
8c1ea60b04
* Add sid claim to ID Token
...
* deprecate session state parameter in ID Token
* remove charset=UTF-8 from backchannel logout post request Content-Type header
2021-07-06 15:30:53 -03:00
Takashi Norimatsu
2b1624390a
KEYCLOAK-17937 Client Policy - Endpoint : support CIBA Backchannel Authentication Endpoint
2021-07-03 08:57:20 +02:00
Hryhorii Hevorkian
2803685cd7
KEYCLOAK-18353 Implement Pushed Authorization Request inside the Keycloak
...
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-07-03 08:47:42 +02:00
lbortoli
e5ae113453
KEYCLOAK-18452 FAPI JARM: JWT Secured Authorization Response Mode for OAuth 2.0
2021-07-03 00:00:32 +02:00
Vlastimil Elias
04ff2c327b
[KEYCLOAK-18429] Support a dynamic update profile form
2021-07-02 10:22:47 -03:00
Vlastimil Elias
f32447bcc1
[KEYCLOAK-18424] GUI order for user profile attributes
2021-07-02 08:37:24 -03:00
Pedro Igor
b26b41332e
[KEYCLOAK-18626] - Avoid changing username when registration as email is enabled
2021-07-02 08:07:04 -03:00
Pedro Igor
3e07ca3c22
[KEYCLOAK-18425] - Allow mapping user profile attributes
2021-07-01 10:19:28 -03:00
lbortoli
164f3df080
KEYCLOAK-18502 - Support for additional parameters from the backchannel authentication request and backchannel authentication callback.
2021-07-01 00:31:26 +02:00
Valentin Hervieu
aab6782bae
KEYCLOAK-18603 Remove duplicated statement
...
This is super minor but saw this while reading this file.
2021-06-30 15:56:32 +02:00
Vlastimil Elias
bcfa6e4309
KEYCLOAK-18592 - put attribute validators configuration into freemarker
...
template for user profile pages
2021-06-30 09:01:12 -03:00
Václav Muzikář
eb3bd8bbb5
KEYCLOAK-18554 Make ErrorHandler to log all errors for debugging purposes
2021-06-30 08:58:09 +02:00
Takashi Norimatsu
cef742ee3f
KEYCLOAK-18583 Remove OIDCWellKnownProvider.isAsymmetricAlgorithm
2021-06-30 07:35:46 +02:00
Luca Leonardo Scorcia
ae98d8ea28
KEYCLOAK-18315 SAML Client - Add parameter to request specific AttributeConsumingServiceIndex
2021-06-29 16:22:38 +02:00
Takashi Norimatsu
57c80483bb
KEYCLOAK-17936 FAPI-CIBA : support Signed Authentication Request
...
Co-authored-by: Pritish Joshi <pritish@banfico.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-06-29 08:07:40 +02:00
Pedro Igor
948f453e2d
[KEYCLOAK-18427] - Allowing switching to declarative provider
2021-06-28 15:50:04 -03:00
Vlastimil Elias
512bcd14f7
[KEYCLOAK-18428] - dynamic registration form
2021-06-25 17:11:15 -03:00
Pedro Igor
faadb896ea
[KEYCLOAK-18426] - Support required by role and scopes in Admin UI
2021-06-24 10:43:49 -03:00
Vlastimil Elias
b7a4fd8745
KEYCLOAK-18423 - Support a user-friendly name property for user profile
...
attributes
2021-06-24 08:17:06 -03:00
Luca Leonardo Scorcia
cdf9621257
KEYCLOAK-18450 Add basic tests for the Identity Provider Redirector Default IdP feature
2021-06-23 08:42:14 +02:00
Vlastimil Elias
458c841c39
[KEYCLOAK-18447] Dynamically select attributes based on requested scopes
2021-06-22 08:54:03 -03:00
Vlastimil Elias
82491ae5d2
KEYCLOAK-17446 - Prefill username in "Forgot Your Password" form if
...
called from Login form
2021-06-22 08:48:43 -03:00
Vlastimil Elias
b87d764137
[KEYCLOAK-17443] Username and email form fields kept in registration
...
form when duplicate
2021-06-22 08:46:42 -03:00
Luca Leonardo Scorcia
f5123cb51b
KEYCLOAK-17935 SAML Client - Validate InResponseTo attribute
2021-06-21 12:25:18 +02:00
keycloak-bot
13f7831a77
Set version to 15.0.0-SNAPSHOT
2021-06-18 10:42:27 +02:00
vramik
e3c76035b2
KEYCLOAK-18359 Default role migration is not performed correctly when empty realm id
2021-06-14 20:54:37 +02:00
Davide Setti
74089a51b3
KEYCLOAK-18383 Update Group: don't check siblings if the name doesn't change
2021-06-14 12:58:45 +02:00
Pedro Igor
ef3a0ee06c
[KEYCLOAK-17399] - Declarative User Profile and UI
...
Co-authored-by: Vlastimil Elias <velias@redhat.com>
2021-06-14 11:28:32 +02:00
Martin Bartoš
7ffa2835ef
KEYCLOAK-18391 CIBATest failure
2021-06-11 10:36:56 +02:00
Yoshiyuki Tabata
4d1576b96a
KEYCLOAK-18328 "access_denied" instead of "interaction_required" should
...
be returned when a user cancels the login
2021-06-10 11:16:50 +02:00
mposolda
070c68e18a
KEYCLOAK-18069 Migration of client policies JSON from Keycloak 13
2021-06-10 10:40:14 +02:00
Douglas Palmer
aac0b6ec5f
[KEYCLOAK-17602] Email account verification link is wrongly encoded
2021-06-10 08:34:53 +02:00
mposolda
91865fa93e
KEYCLOAK-18368 Invalidate client session after refresh token re-use
2021-06-09 14:43:29 +02:00
Benjamin Weimer
f66354a80e
KEYCLOAK-16947 add error parameters to access token response & improve logging
2021-06-07 17:53:30 +02:00
Marek Posolda
7a81dfff7a
Update services/src/main/java/org/keycloak/services/clientpolicy/executor/FullScopeDisabledExecutorFactory.java
...
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
2021-06-04 15:46:33 +02:00
mposolda
3d16a1e8d3
KEYCLOAK-16811 Add executor for disable 'Full Scope Allowed' and add it to FAPI profiles
2021-06-04 15:46:33 +02:00
Douglas Palmer
986b69c03f
[KEYCLOAK-17405] Session auth time updated when user has not re-authenticated
2021-06-01 19:35:42 +02:00
stianst
c3a15cb368
KEYCLOAK-17796 Add options to http-builder to enable expect-continue, and to disable re-use of connections
2021-06-01 10:28:31 +02:00
mposolda
73a38997d8
KEYCLOAK-14208 Default client profiles for FAPI
2021-05-31 12:31:52 +02:00
Michito Okai
bc6a746780
KEYCLOAK-18112 Token introspection of the revoked refresh token
2021-05-31 11:01:01 +02:00
Michal Hajas
4dcb69596b
KEYCLOAK-18146 Search for clients by client attribute when doing saml artifact resolution
2021-05-27 23:02:22 +02:00
Stian Thorgersen
2cb59e2503
KEYCLOAK-17844 Add option to disable authorization services to workaround issues with many clients
2021-05-27 22:28:56 +02:00
Hynek Mlnarik
3d8f152787
KEYCLOAK-17747 KEYCLOAK-17754 Optimize getClients() calls
2021-05-27 22:12:56 +02:00
Martin Kanis
23aee6c210
KEYCLOAK-16616 Limit number of authSessios per rootAuthSession
2021-05-27 22:10:36 +02:00
Martin Kanis
122fbe1bc6
KEYCLOAK-18298 ClearExpiredUserSessions timeouts with large number of sessions
2021-05-27 16:31:10 +02:00
Takashi Norimatsu
669556af71
KEYCLOAK-18296 RefreshTokenRequest returns incorrect error code during failed HoK request
2021-05-27 15:28:29 +02:00
vramik
4e8b18f560
KEYCLOAK-17752 Avoid iterating over all clients in UserResource.getConsents()
2021-05-27 13:45:28 +02:00
vramik
3aa06c2721
KEYCLOAK-18073 avoid ModelDuplicateException during parallel starup of servers
2021-05-27 07:10:35 +02:00
Stefan Guilhen
eb631bf63b
[KEYCLOAK-8730] Ensure role mappers don't remove roles already granted by another mapper when updating a brokered user
2021-05-26 17:21:54 +02:00
mposolda
9b76b07144
KEYCLOAK-18284 WARNING in the log when login to public clients
2021-05-26 14:38:14 +02:00
stianst
962047e7ea
KEYCLOAK-17750 Check admin has view/query access first before listing clients
2021-05-25 16:14:35 +02:00
Luca Leonardo Scorcia
478319348b
KEYCLOAK-16450 X509 Direct Grant Auth does not verify certificate timestamp validity
2021-05-25 10:32:17 +02:00
Takashi Norimatsu
6e7898039b
KEYCLOAK-18139 SecureResponseTypeExecutor: polishing for FAPI 1 final
2021-05-25 08:32:43 +02:00
mposolda
d4374f37ae
KEYCLOAK-18258 Not possible to login with public client, which was confidential with custom client authenticator set
2021-05-24 13:17:14 +02:00
Takashi Norimatsu
6532baa9a7
KEYCLOAK-18127 Option for skip return user's claims in the ID Token for hybrid flow
2021-05-24 08:02:34 +02:00
Vlastimil Elias
4ad1687f2b
[KEYCLOAK-17399] UserProfile SPI - Validation SPI integration
2021-05-20 15:26:17 -03:00
Thomas Darimont
c49dbd66fa
KEYCLOAK-15437 Ensure at_hash is generated for IDTokens on token-refresh
2021-05-20 16:05:11 +02:00
Hynek Mlnarik
860fc4c06c
KEYCLOAK-17756 KEYCLOAK-17757 Optimize IdP-first lookup
2021-05-20 14:44:55 +02:00
Pedro Igor
a0f8d2bc0e
[KEYCLOAK-17399] - Review User Profile SPI
...
Co-Authored-By: Vlastimil Elias <vlastimil.elias@worldonline.cz>
2021-05-20 08:44:24 -03:00
Michal Hajas
3bb5bff8e0
KEYCLOAK-17495 Do not include principal in the reference to broker sessionId
2021-05-20 11:32:11 +02:00
mposolda
d3e9e21abd
KEYCLOAK-17906 Use auto-configure instead of is-augment. Use default-client-authenticator option in SecureClientAuthenticatorExecutor
2021-05-19 12:18:11 +02:00
Hynek Mlnarik
c02a706a86
KEYCLOAK-17748 Optimize validation of redirect URIs in logout endpoint
...
Reimplementation of KEYCLOAK-17718
2021-05-18 20:31:21 +02:00
Bastian Ike
5c3d7f186e
KEYCLOAK-17784: URL encode Keycloak's remember-me cookie to allow non-ascii usernames.
...
International users using non-ascii symbols such as the german `äöü`
will make Keycloak set the KEYCLOAK_REMEMBER_ME cookie without URL
encoding. This will trigger an java.lang.IllegalArgumentException:
UT000173 exception in undertow's cookie parser which does not
allow non-ascii characters.
Co-authored-by: Fabian Freyer <mail@fabianfreyer.de>
2021-05-18 16:15:30 +02:00
Václav Muzikář
65fbf3f68c
KEYCLOAK-18079 Client Policy UI Improvements: JSON error handling
2021-05-18 16:12:48 +02:00
Mathieu CLAUDEL
df714506cc
KEYCLOAK-17655 - Can't impersonate
2021-05-18 14:16:01 +02:00
mposolda
71dcbec642
KEYCLOAK-18108 Refactoring retrieve of condition/executor providers. Make sure correct configuration of executor/condition is used for particular provider
2021-05-18 12:20:47 +02:00
mposolda
b8a7750000
KEYCLOAK-18113 Refactor some executor/condition provider IDs
2021-05-18 09:17:41 +02:00
Gregor Tudan
10f7ea01d4
KEYCLOAK-16091: only persist webauthn-authentication count if the authenticator increments it beyond zero
...
Fixes an issue with Apple Keys stored in the secure enclave. They don's support counters and recommend attestation instead. This is a valid design choice according to the Webauthn-Spec (counters are mentioned as SHOULD)
2021-05-17 08:42:50 +02:00
Václav Muzikář
62e6883524
KEYCLOAK-17084 KEYCLOAK-17434 Support querying clients by client attributes
2021-05-14 13:58:53 +02:00
vramik
d78d4a8d47
KEYCLOAK-17760 deprecate ScopeMappedResource.getScopeMappings()
2021-05-13 16:56:42 +02:00
Marek Posolda
a6d4316084
KEYCLOAK-14209 Client policies admin console support. Changing of format of JSON for client policies and profiles. Remove support for default policies ( #7969 )
...
* KEYCLOAK-14209 KEYCLOAK-17988 Client policies admin console support. Changing of format of JSON for client policies and profiles. Refactoring based on feedback and remove builtin policies
2021-05-12 16:19:55 +02:00
mhajas
f37a24dd91
KEYCLOAK-17348 Add manual pagination into UserStorageManager#query
2021-05-12 15:09:36 +02:00
Takashi Norimatsu
355a5d65fb
KEYCLOAK-18052 Client Policies : Revise SecureRequestObjectExecutor to have an option for checking nbf claim
2021-05-11 14:29:33 +02:00
rmartinc
2539bd9ed3
[KEYCLOAK-17903] idp metadata describing one entity MUST have EntityDescriptor root element
2021-05-11 13:02:13 +02:00
Takashi Norimatsu
5dced05591
KEYCLOAK-18050 Client Policies : Rename "secure-redirecturi-enforce-executor" to indicate what this executor does
2021-05-11 07:42:18 +02:00
Takashi Norimatsu
b4e4e75743
KEYCLOAK-17928 Determine public client based on token_endpoint_auth_method during OIDC dynamic client registration
2021-05-10 08:24:18 +02:00
Takashi Norimatsu
624d300a55
KEYCLOAK-17938 Not possible to create client in the admin console when client policy with "secure-redirecturi-enforce-executor" condition is used
2021-05-07 17:52:09 +02:00
Takashi Norimatsu
b38b1eb782
KEYCLOAK-17895 SecureSigningAlgorithmEnforceExecutor: Ability to auto-configure default algorithm
2021-05-07 12:37:39 +02:00
Takashi Norimatsu
faab3183e0
KEYCLOAK-18034 Enforce SecureSigningAlgorithmForSignedJwtEnforceExecutor to private-key-jwt clients regardless their option
2021-05-07 12:26:46 +02:00
keycloak-bot
4b44f7d566
Set version to 14.0.0-SNAPSHOT
2021-05-06 14:55:01 +02:00
Hynek Mlnarik
6d97a573e6
KEYCLOAK-17696 Make MapStorageFactory amphibian
2021-05-06 11:38:41 +02:00
Takashi Norimatsu
0a4fdc64f3
KEYCLOAK-17929 SecureSigningAlgorithmForSignedJwtEnforceExecutor polishing for FAPI
2021-05-06 08:41:05 +02:00
Takashi Norimatsu
b78d151a23
KEYCLOAK-16808 Client Policy : Implement existing ConsentRequiredClientRegistrationPolicy as Client Policies' executor
...
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-05-06 08:36:34 +02:00
Sam Dammers
e73c6103cf
KEYCLOAK-17888 This reverts [KEYCLOAK-14299] - Do not create keys during startup but on-demand
...
Restoring the original realm key provisioning process due to undesirable behaviour when using
on demand provisoning under load (duplicate keys created).
2021-05-05 08:43:44 -03:00
Václav Muzikář
57fca2a34f
KEYCLOAK-15170 Reset password link is not invalidated if email address is changed
2021-05-05 08:45:47 +02:00
Christoph Leistert
61bdc92ad9
KEYCLOAK-17387: 403 response on localization endpoint for cross realm users
...
- add ForbiddenPage class for the assertion at the selenium test
- add assertion to selenium test
- GET requests for localization texts require at least one role for the realm
- Make GET requests for localization texts public, to display the admin UI correctly, even if the role view-realm is missing
2021-05-03 13:29:11 -03:00
Hynek Mlnarik
96501760e0
KEYCLOAK-17501 Add support for map storage in WildFly
2021-05-03 16:00:30 +02:00
Hynek Mlnarik
32fb45eb5b
KEYCLOAK-17774 Implement equals method for work cache events
...
Co-Authored-By: stianst <stianst@gmail.com>
Co-Authored-By: Michal Hajas <mhajas@redhat.com>
2021-05-03 10:47:15 +02:00
Václav Muzikář
5a33ec2244
disabledReason as read-only attribute, AuthenticatorUtils
2021-05-03 09:39:34 +02:00
Václav Muzikář
315b9e3c29
KEYCLOAK-17835 Account Permanent Lockout and login error messages
2021-05-03 09:39:34 +02:00
Christoph Leistert
b75648bda2
KEYCLOAK-17284 Evaluate ID-Token and UserInfo-Endpoint:
...
- add additional REST endpoints for evaluation:
- for ID Token: GET /realm/clients/id/evaluate-scopes/generate-example-id-token
- for UserInfo-Endpoint: GET /realm/clients/id/evaluate-scopes/generate-example-userinfo
- extend UI: add additional tabs "Generated ID Token" and "Generated User Info" to the client scopes evaluation screen
Co-authored-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.io>
2021-04-29 16:45:30 +02:00
Takashi Norimatsu
65c48a4183
KEYCLOAK-12137 OpenID Connect Client Initiated Backchannel Authentication (CIBA) ( #7679 )
...
* KEYCLOAK-12137 OpenID Connect Client Initiated Backchannel Authentication (CIBA)
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
Co-authored-by: Christophe Lannoy <c4r1570p4e@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-04-29 15:56:39 +02:00
vramik
162043beec
KEYCLOAK-17615 Move database initialization from KeycloakApplication to JpaConnectionProviderFactory
2021-04-28 13:43:48 +02:00
Martin Kanis
515bfb5064
KEYCLOAK-16378 User / client session map store
...
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2021-04-28 09:09:15 +02:00
Ayat Bouchouareb
8255cba930
KEYCLOAK-17612- Invalid SAML Response : Invalid Destination
2021-04-26 11:15:28 +02:00
bohmber
455e93856c
KEYCLOAK-17829
...
Unnessary calls to session.users().getUserById in DefaultBruteForceProtector
2021-04-23 13:44:34 +02:00
Takashi Norimatsu
190b60c5cd
KEYCLOAK-17827 Client Policy - Condition : Client - Client Host : Removing Option
2021-04-21 15:16:00 +02:00
i7a7467
ada7f37430
KEYCLOAK-16918 Set custom user attribute to Name ID Format for a SAML client
...
https://issues.redhat.com/browse/KEYCLOAK-16918
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2021-04-20 10:29:17 +02:00
Michal Hajas
1e2db74d86
KEYCLOAK-16932 Authorization map storage
2021-04-16 17:26:16 +02:00
AlistairDoswald
8b3e77bf81
KEYCLOAK-9992 Support for ARTIFACT binding in server to client communication
...
Co-authored-by: AlistairDoswald <alistair.doswald@elca.ch>
Co-authored-by: harture <harture414@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2021-04-16 12:15:59 +02:00
Michal Hajas
64ccbda5d5
KEYCLOAK-17323 Compute token expiration using Time.currentTime() instead of userSession.getStarted()
2021-04-14 12:58:45 +02:00
Martin Bartoš
5a9068e732
KEYCLOAK-16401 Deny/Allow access in a conditional context
2021-04-09 12:04:45 +02:00
Michito Okai
d9ebbe4958
KEYCLOAK-17202 Restrict Issuance of Refresh tokens to specific clients
2021-04-08 11:51:25 +02:00
Takashi Norimatsu
8b0b657a8f
KEYCLOAK-17682 Client Policy - Executor : remove inner config class for executor without any config
2021-04-08 09:22:16 +02:00
Takashi Norimatsu
3221708499
KEYCLOAK-17667 Client Policy - Executor : Only Accept Confidential Client
2021-04-08 09:17:10 +02:00
Takashi Norimatsu
e9035bb7b3
KEYCLOAK-17681 Client Policy - Executor : Limiting available period of Request Object with its configuration
2021-04-08 09:12:20 +02:00
Daniel Fesenmeyer
a48d04bfe0
KEYCLOAK-16082 save attributes when role is created (with REST POST request)
...
- add missing mapping code to RoleContainerResource#createRole
- extend ClientRolesTest and RealmRolesTest to check that now the attributes are saved when a role is created
- remove no longer needed code which updated roles because attributes were not saved on creation
2021-04-07 14:08:49 -03:00
Takashi Norimatsu
7b227ae47c
KEYCLOAK-17666 Client Policy - Executor : Limiting available period of Request Object
2021-04-07 08:36:26 +02:00
Takashi Norimatsu
42dec08f3c
KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation) ( #7780 )
...
* KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation)
* support tests using auth-server-quarkus
* Configuration changes for ClientPolicyExecutorProvider
* Change VALUE of table REALM_ATTRIBUTES to NCLOB
* add author tag
* incorporate all review comments
Co-authored-by: mposolda <mposolda@gmail.com>
2021-04-06 16:31:10 +02:00
Stan Silvert
ca49840266
KEYCLOAK-17610: WhoAMI doesn't support CORS
2021-03-31 18:51:39 +02:00
vramik
185075d373
KEYCLOAK-14552 Realm Map Store
2021-03-31 15:49:03 +02:00
Konstantinos Georgilakis
ec5c256562
KEYCLOAK-5657 Support for transient NameIDPolicy and AllowCreate in SAML IdP
2021-03-31 14:45:39 +02:00
rmartinc
0a0caa07d6
KEYCLOAK-17215 Slowness issue while hitting /auth/admin/realms/$REALM/clients?viewableOnly=true after DELETE a role
2021-03-31 12:57:17 +02:00
vramik
c3b9c66941
KEYCLOAK-17460 invalidate client when assigning scope
2021-03-30 10:58:16 +02:00
sma1212
e10f3b3672
[KEYCLOAK-17484] OIDC Conformance - Authorization response with Hybrid flow does not contain token_type ( #7872 )
...
* [KEYCLOAK-17484] fix oidc conformance for hybrid-flow
* [KEYCLOAK-17484] add TokenType & ExpiresIn to OAuth2Constants
* [KEYCLOAK-17484] add request validation for oidc-flows automated tests
2021-03-30 08:59:30 +02:00
devopsix
590ee1b1a2
KEYCLOAK-15459 Fix serialization of locale in admin console's “whoami” ( #7397 )
...
call.
2021-03-29 18:37:26 -04:00
Alexandros Trifyllis
a60cb65252
KEYCLOAK-17444 Enlist the EventListenerTransaction with the Keycloak Transaction Manager
2021-03-26 12:47:15 +01:00
Thomas Darimont
7ec6a54e22
KEYCLOAK-17581 Prevent empty group names
...
Create / Update operations in `GroupResource ` and `GroupsResource#addTopLevelGroup`
did not validate the given group name. This allowed the creation of groups with empty names.
We now prevent the creation of groups with empty names.
2021-03-25 19:10:38 -03:00
Hynek Mlnarik
a36fafe04e
KEYCLOAK-17409 Support for amphibian (both component and standalone) provider
2021-03-25 13:28:20 +01:00
Xiangjiaox
ca81e6ae8c
KEYCLOAK-15015 Extend KeyWrapper to add whole certificate chain in x5c parameter ( #7643 )
...
* [KEYCLOAK-15015] - Publishing the x5c for JWK
Co-authored-by: Vetle Bergstad <vetle.bergstad@evry.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-03-23 08:37:50 -03:00
cgeorgilakis
18afdea392
KEYCLOAK-16048 SAML Client import - add md:RequestedAttribute as "User Attribute" ProtocolMapper
2021-03-22 21:55:32 +01:00
mposolda
853a6d7327
KEYCLOAK-17000 Adding server tmp directory inside the auth-server home directory
2021-03-17 10:06:48 +01:00
Andrew Elwell
c76ca4ad13
Correct "doesn't exists" typos - fixes KEYCLOAK-14986 ( #7316 )
...
* Correct "doesn't exists" typos
* Revert changes to imported package
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2021-03-16 11:52:36 +01:00
Yang Xie
db30b470c4
KEYCLOAK-17342 Make the default value of default signature algorithm show up in the admin console
2021-03-16 09:15:22 +01:00
Michito Okai
298ab0bc3e
KEYCLOAK-7675 Support for Device Authorization Grant
2021-03-15 10:09:20 -03:00
Łukasz Dywicki
f58bf0deeb
Make sure additional params are passed between device request and user authnetication.
2021-03-15 10:09:20 -03:00
Hiroyuki Wada
5edf14944e
KEYCLOAK-7675 SPI and default implementation for Device User Code.
...
Author: Hiroyuki Wada <h2-wada@nri.co.jp>
Date: Sun May 12 15:47:15 2019 +0900
Signed-off-by: Łukasz Dywicki <luke@code-house.org>
2021-03-15 10:09:20 -03:00
Hiroyuki Wada
9d57b88dba
KEYCLOAK-7675 Prototype Implementation of Device Authorization Grant.
...
Author: Hiroyuki Wada <h2-wada@nri.co.jp>
Date: Thu May 2 00:22:24 2019 +0900
Signed-off-by: Łukasz Dywicki <luke@code-house.org>
2021-03-15 10:09:20 -03:00
Hynek Mlnarik
4946484cb6
KEYCLOAK-17377 Fix invalidation cluster tests (do not hide failures)
2021-03-11 16:14:59 +01:00
Yang Xie
2605eddbe7
KEYCLOAK-17300 Add a method to check if the token revocation request has duplicate parameters
2021-03-09 18:27:38 +01:00
vramik
6e501946b1
KEYCLOAK-17021 Client Scope map store
2021-03-08 21:59:28 +01:00
Michal Hajas
fc29a39e5a
KEYCLOAK-16592 Do not require destination with SOAP binding
2021-03-05 19:52:00 +01:00
Douglas Palmer
852593310f
[KEYCLOAK-14913] GitLab Identity Provider shouldn't request for 'api' scope
2021-03-05 14:23:34 +01:00
mposolda
99c1ee7f5a
KEYCLOAK-16793 KEYCLOAK-16948 Cors on error responses for logoutEndpoint and tokenEndpoint
2021-03-05 14:14:53 +01:00
Pedro Igor
6c7f66d30c
[KEYCLOAK-17174] - Fxing not passing referrer param when reaching the account console ( #7818 )
2021-03-04 09:00:10 -05:00
Blake Smith
b122f31d2c
KEYCLOAK-17257 Fix NPEs when user storage doesn't implement the CredentialInputValidator interface
2021-03-04 09:49:12 +01:00
Denis
23bfaef4bb
KEYCLOAK-15535 Account Log of user login with realm not available details when update profile
2021-03-04 08:06:36 +01:00
Yang Xie
78754d1127
KEYCLOAK-17259 Add a method to check if the introspection request has duplicate parameters
2021-03-03 16:23:27 +01:00
Pedro Igor
2796f62899
[KEYCLOAK-17174] - New admin console using wrong base URI for redirection ( #7794 )
2021-03-03 10:15:24 -05:00
Takashi Norimatsu
882f5ffea4
KEYCLOAK-15533 Client Policy : Extends Policy Interface to Migrate Client Registration Policies
...
Co-authored-by: Hryhorii Hevorkian <hhe@adorsys.com.ua>
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-03-02 09:26:04 +01:00
i7a7467
b83064b142
KEYCLOAK-16679 Add algorithm settings for client assertion signature in OIDC identity broker
2021-03-01 18:11:25 +01:00
Takashi Norimatsu
c4bf8ecdf0
KEYCLOAK-16880 Client Policy - Condition : Negative Logic Support
2021-03-01 14:27:39 +01:00
mposolda
41dc94fead
KEYCLOAK-14483 Broker state param fix
2021-02-24 19:07:58 -03:00
mposolda
6f409d088a
KEYCLOAK-15239 Reset Password Success Message not shown when Kerberos is Enabled
2021-02-23 16:15:50 -03:00
Pedro Igor
dbc6514bfc
[KEYCLOAK-17206] - Avoid removing attributes when updating user and profile
2021-02-23 08:41:41 +01:00
Juan Manuel Rodriguez Alvarado
6255ebe6b5
[KEYCLOAK-16536] Implement Audit Events for Authorization Services requests
2021-02-22 17:28:59 -03:00
mposolda
ed8d5a257f
KEYCLOAK-16517 Make sure that just real clients with standardFlow or implicitFlow enabled are considered for redirectUri during logout
2021-02-22 14:30:32 +01:00
mposolda
0058011265
KEYCLOAK-16006 User should not be required to re-authenticate after revoking consent to an application
2021-02-22 14:29:42 +01:00
Pedro Igor
ffadbc3ba3
[KEYCLOAK-17173] - Support for script providers in keycloak.x
2021-02-22 10:12:36 -03:00
Pedro Igor
1dc0b005fe
[KEYCLOAK-17087] - X509 OCSP Validation Not Checking Intermediate CAs
2021-02-22 13:50:19 +01:00
Pedro Igor
9356843c6c
[KEYCLOAK-16521] - Fixing secret for non-confidential clients
2021-02-19 08:38:49 +01:00
Torsten Roemer
00ee6bb9fa
KEYCLOAK-14577 OIDCIdentityProvider incorrectly sets firstName and lastName in BrokeredIdentityContext
2021-02-18 19:50:27 +01:00
rmartinc
056b52fbbe
KEYCLOAK-16800 userinfo fails with 500 Internal Server Error for service account token
2021-02-18 19:37:52 +01:00
Pedro Igor
431f137c37
[KEYCLOAK-17123] - Avoid validation and updates for read-only attributes during updates
2021-02-17 17:57:46 +01:00
stefvdwel
8f719885fd
Fixed tests. Removed styling changes.
2021-02-17 09:40:19 -03:00
stefvdwel
11b0c23937
Reduced code duplication
2021-02-17 09:40:19 -03:00
stefvdwel
ee28be982f
Reduced code duplication
2021-02-17 09:40:19 -03:00