Commit graph

1027 commits

Author SHA1 Message Date
Pedro Igor
8e48bac278 Ordering the group and role ids in the policy representation
Closes #28824

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-22 20:28:47 +02:00
Thomas Darimont
68617180a2 Show indicator for transient user in user sessions list in admin ui (28879)
For transient users a transient label is now shown in the realm sessions and client sessions list in the admin ui.

Fixes #28879

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-04-19 09:48:41 +02:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint (#146) (#28866)
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-18 14:11:05 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization.
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8 Add sub via protocol mapper to access token
Closes #21185

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-10 10:40:42 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Justin Tay
e765932df3 Skip unsupported keys in JWKS
Closes #16064

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
2024-04-08 08:42:31 +02:00
Giuseppe Graziano
b4f791b632 Remove session_state from tokens
Closes #27624

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-08 08:12:51 +02:00
vramik
fa1571f231 Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member
Closes #27993

Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
Stian Thorgersen
3f9cebca39
Ability to set the default provider for an SPI (#28135)
Closes #28134

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:45:08 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Pedro Igor
fa8485e10e
User locale in server info has language and country switched around (#27680)
Closes #17154

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-15 13:30:32 +00:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format (#27207)
closes #25942

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-03-11 08:55:28 +01:00
Pedro Igor
d12711e858 Allow fetching roles when evaluating role licies
Closes #20736

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-05 15:54:02 +01:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Francis Pouatcha
f7e60b4338
OID4VC: Keycloak native support of SD-JWT (#25829)
Closes #25638


Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-02-19 17:56:18 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
2024-02-13 19:26:19 +01:00
Takashi Norimatsu
b99f45ed3d Supporting EdDSA
closes #15714

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>

Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-01-24 12:10:41 +01:00
MikeTangoEcho
c2b132171d Add X509 thumbprint to JWT when using private_key_jwt
Closes keycloak#12946

Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>
2024-01-12 16:01:01 +01:00
remi
b22efeec78 Add a toggle to use context attributes on the regex policy provider
Signed-off-by: remi <remi.tuveri@gmail.com>
2024-01-10 16:15:25 -03:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
Daniel Fesenmeyer
baafb670f7 Bugfix for: Removing all group attributes no longer works with keycloak-admin-client (java)
Closes #25677

Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
2023-12-20 14:03:35 +01:00
rmartinc
d841971ff4 Updating the UP configuration needs to trigger an admin event
Close #23896

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 19:24:30 +01:00
Yoshiyuki Tabata
b371deddb0 remove oauth2DeviceAuthorizationGrantEnabled from ClientRepresentation
Closes #25649

Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 08:39:46 +01:00
mposolda
c81b533cf6 Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration
closes #25416

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-14 14:43:28 +01:00
Pedro Igor
fa79b686b6 Refactoring user profile interfaces and consolidating user representation for both admin and account context
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-13 08:27:55 +01:00
Pedro Igor
78ba7d4a38 Do not allow removing username and email from user profile configuration
Closes #25147

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-11 08:30:28 +01:00
Pedro Igor
c7f63d5843 Add options to change behavior on how unmanaged attributes are managed
Closes #24934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-11-30 06:58:21 -03:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
Sebastian Schuster
1bbefca92e 24672 remove linebreaks from basicauth base64 encoding to comply to standard
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2023-11-20 14:44:55 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared (#23600)
* move account ui user profile to shared

* use ui-shared on admin same error handling

also introduce optional renderer for added component

* move scroll form to ui-shared

* merged with main

* fix lock file

* fixed merge error

* fixed merge errors

* fixed tests

* moved user profile types to admin client

* fixed more types

* pr comments

* fixed some types
2023-11-14 08:04:55 -03:00
mposolda
7863c3e563 Moving UPConfig and related classes from keycloak-services
closes #24535

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
rokkiter
e1735138cb
clean util * (#24174)
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
Alice
69497382d8
Group scalability upgrades (#22700)
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
ggraziano
84112f57b5 Verification of iss at refresh token request
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.

Closes #22191
2023-10-24 23:42:11 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias (#24070)
closes #24072
2023-10-18 08:33:06 +02:00
shigeyuki kabano
6112b25648 Enhancing Light Weight Token(#22148)
Closes #21183
2023-10-17 13:12:36 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156)
Closes #23155
2023-10-13 15:25:10 +02:00
Sophie Tauchert
9df1c781eb Fix generated OpenAPI spec
Changes:
- update the smallrye openapi generator plugin to latest to correctly handle
  Stream<T> responses
- add annotations to RealmRepresentation.clientProfiles and .clientPolicies
2023-10-10 11:41:46 +02:00
Martin Bartoš
21a23ace1d Mark required config properties for LDAP Mappers
Closes #23685
2023-10-09 08:46:57 +02:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537)
Closes #23507, #23584, #23740, #23774

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c Remove backward compatibility for ECDSA tokens
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview (#22641)
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console (#23025)
Closes #17743
2023-09-12 07:56:09 -04:00
rmartinc
8887be7887 Add a new identity provider for LinkedIn based on OIDC
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
ea3225a6e1 Decoupling legacy and dynamic user profiles and exposing metadata from admin api
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
Arthur Chan
85cace1142 Fix NPE
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
2023-08-14 04:03:23 -07:00
Takashi Norimatsu
9d0960d405 Using DPoP token type in the access-token and as token_type in introspection response
closes #21919
2023-08-07 10:40:18 +02:00
Takashi Norimatsu
6498b5baf3 DPoP: OIDC client registration support
closes #21918
2023-07-26 13:00:35 +02:00
Takashi Norimatsu
0ddef5dda8
DPoP support 1st phase (#21202)
closes #21200


Co-authored-by: Dmitry Telegin <dmitryt@backbase.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2023-07-24 16:44:24 +02:00
Takashi Norimatsu
2efd79f982 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
Closes #20584
2023-07-24 09:11:30 +02:00
ali_dandach
ef19e08814
Fix String comparisona (#21752)
Closes #21773
2023-07-21 10:37:24 +02:00
todor
897965f604 KEYCLOAK-20343 Add message bundle to export/import
Closes #20343
2023-07-20 23:00:28 +02:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA (#21160)
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.

Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.

* Update js/apps/admin-ui/public/locales/en/clients.json

Co-authored-by: Marek Posolda <mposolda@gmail.com>

* Updating boolean variable name based on suggestions by Marek.

* Adding integration test specifically for the JWT parameters for regression #20847.

---------

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-07-10 13:28:55 +02:00
mposolda
dc3b037e3a Incorrect Signature algorithms presented by Client Authenticator
closes #15853

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-06-21 08:55:58 +02:00
Pedro Igor
17c3804402 Tests for user property mapper
Closes #20534
2023-05-29 14:21:03 +02:00
Yoshiyuki Tabata
bd37875a66 allow specifying format of "permission" parameter in the UMA grant token
endpoint (#15947)
2023-05-29 08:56:39 -03:00
Pedro Igor
409e1c3581 Policy Enforcer built-in support for Elytron and Jakarta
Closes #19540
2023-04-05 17:03:15 +02:00
alwibrm
9f15cf432b
Respecting key use of EC keys in JWKS 2023-04-03 19:06:25 -03:00
Yoann GUION
ba66fe84fa
iterate any attribute in multi-valued RDN to find the correct one (#14283)
Closes #14280
2023-03-23 11:51:01 +01:00
Pedro Igor
a30b6842a6 Decouple the policy enforcer from adapters and provide a separate library
Closes keycloak#17353
2023-03-17 11:40:51 +01:00
Jon Koops
972ebb9650
Use a valid SemVer format for the SNAPSHOT version (#17334)
* Use a valid SemVer format for the SNAPSHOT version

* Update pom.xml

* Update pom.xml

---------

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2023-03-03 11:11:44 +01:00
rmartinc
c9fdaf572b
jwks endpoint for X/Y coordinates in EC keypair can return less bytes than expected (#14952)
Closes #14933
2023-02-23 16:22:23 +01:00
laskasn
dc8b759c3d Use encryption keys rather than sig for crypto in SAML
Closes #13606

Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: hmlnarik <hmlnarik@redhat.com>
2023-02-10 12:06:49 +01:00
mposolda
7f017f540e BCFIPS approved mode: Some tests failing due the short secret for client-secret-jwt client authentication
Closes #16678
2023-01-30 08:40:46 +01:00
mposolda
3e9c729f9e X.509 authentication fixes for FIPS
Closes #14967
2022-11-25 11:50:30 +01:00
stianst
1de9c201c6 Refactor Profile
Closes #15206
2022-11-07 07:28:11 -03:00
Marek Posolda
c0c0d3a6ba
Short passwords with PBKDF2 mode working (#14437)
* Short passwords with PBKDF2 mode working
Closes #14314

* Add config option to Pbkdf2 provider to control max padding

* Update according to PR review - more testing for padding and for non-fips mode
2022-11-06 14:49:50 +01:00
Marek Posolda
2ba5ca3c5f
Support for multiple keys with same kid, which differ just by algorithm in the JWKS (#15114)
Closes #14794
2022-11-03 09:32:45 +01:00
mposolda
55c514ad56 More flexibility in keystore related tests, Make keycloak to notify which keystore types it supports, Support for BCFKS
Closes #14964
2022-10-24 08:36:37 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron (#14415)
Closes #12702
2022-09-27 08:53:46 +02:00
mposolda
47340e9318 Initial GH actions unit tests for crypto modules
Closes #14241
2022-09-14 15:51:59 +02:00
Martin Bartoš
0fcf5d3936 Reuse of token in TOTP is possible
Fixes #13607
2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default (#14293)
Closes #14292
2022-09-09 13:47:51 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 (#14179)
Closes #14179
2022-09-07 10:09:30 +02:00
Marek Posolda
19daf2b375
Not possible to login in FIPS enabled RHEL 8.6. Support for parsing PEM private keys in BCFIPS module in both traditional and PKCS8 format (#14008)
Closes #13994
2022-08-30 22:33:12 +02:00
Lex Cao
6b1c64a1a9
Add rememberMe to a user session representation(#13408) (#13765)
Closes #13408
2022-08-23 15:28:52 +02:00
Marek Posolda
7e925bfbff
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup (#13406)
Closes #13128
2022-07-29 18:03:56 +02:00
Marek Posolda
4e4fc16617
Skip adding xmlsec security provider. Adding KeycloakFipsSecurityProvider to workaround 'Security.getInstance("SHA1PRNG")' (#12786)
Closes #12425 #12853
2022-07-26 16:40:36 +02:00
David Anderson
ee0c67c0c8
Remove BC dependancy from keycloak-core (#13235)
Closes #12856
2022-07-23 12:07:16 +02:00
Stian Thorgersen
a251d785db
Remove text based login flows (#13249)
* Remove text based login flows

Closes #8752

* Add display param back in case it's used by some custom authenticators
2022-07-22 15:15:25 +02:00
Douglas Palmer
adeef6c2a0 Partial import feature does not import Identity Provider mappers in Keycloak #12861 2022-07-21 18:04:15 +02:00
Lex Cao
f0988a62b8
Use base64 url decoded for client secret when authenticating with Basic Auth (#12486)
Closes #11908
2022-07-16 09:38:41 +02:00
kz-masa
d26cff270f
Delete unnecessary import statements (#12935) (#12936) 2022-07-12 19:37:15 -03:00
Marek Posolda
be1e31dc68
Introduce crypto/default module. Refactoring BouncyIntegration (#12692)
Closes #12625
2022-06-29 07:17:09 +02:00
Marek Posolda
3f5741e988
Possibility to switch between FIPS and non-FIPS during keycloak+quarkus seerver build (#12513)
* Possibility to switch between FIPS and non-FIPS during keycloak+quarkus server build

Closes #12522
2022-06-21 11:17:45 +02:00
Alexander Schwartz
850af55edc Ensure that only JDK 8 APIs are used where JDK 8 is still required.
Closes #10842
2022-06-20 14:44:33 -03:00
vramik
df41f233d5 Introduce unique index for enums stored by storages
Closes #12277
2022-06-15 09:12:10 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration (#12244)
Closes #12243
2022-06-07 09:02:00 +02:00
rmartinc
5332a7d435 Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2022-06-06 12:07:09 +02:00
Stian Thorgersen
e3f3e65ac5
Remove JDK7 support for adapters (#11607)
Closes #11606
2022-04-27 08:33:23 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature (#11117)
Closes #9865

Co-authored-by: Michal Hajas <mhajas@redhat.com>

Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-04-20 14:25:16 +02:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted (#10519)
Close #10517
2022-04-12 14:01:14 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter (#11009)
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
2022-03-31 14:25:24 +02:00
Marek Posolda
22a16ee899
OIDC RP-Initiated logout endpoint (#10887)
* OIDC RP-Initiated logout endpoint
Closes #10885

Co-Authored-By: Marek Posolda <mposolda@gmail.com>

* Review feedback

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-03-30 11:55:26 +02:00