libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions
26531 commits 4 branches 5 tags 483 MiB
Commit graph

1028 commits

Author SHA1 Message Date
Mark Banierink
ad32896725
replaced and removed deprecated token methods (#27715) 
closes #19671 

Signed-off-by: Mark Banierink <mark.banierink@nedap.com>


Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-23 09:23:37 +02:00
Pedro Igor
8e48bac278 Ordering the group and role ids in the policy representation 
Closes #28824

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-22 20:28:47 +02:00
Thomas Darimont
68617180a2 Show indicator for transient user in user sessions list in admin ui (28879) 
For transient users a transient label is now shown in the realm sessions and client sessions list in the admin ui.

Fixes #28879

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
 2024-04-19 09:48:41 +02:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint (#146) (#28866) 
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-18 14:11:05 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization 
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-12 08:33:18 -03:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization. 
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-10 13:18:12 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes 
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies 
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8 Add sub via protocol mapper to access token 
Closes #21185

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-10 10:40:42 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype 
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
 2024-04-08 20:20:37 +02:00
Justin Tay
e765932df3 Skip unsupported keys in JWKS 
Closes #16064

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-08 08:42:31 +02:00
Giuseppe Graziano
b4f791b632 Remove session_state from tokens 
Closes #27624

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-08 08:12:51 +02:00
vramik
fa1571f231 Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member 
Closes #27993

Signed-off-by: vramik <vramik@redhat.com>
 2024-03-26 14:02:09 -03:00
Stian Thorgersen
3f9cebca39
Ability to set the default provider for an SPI (#28135) 
Closes #28134

Signed-off-by: stianst <stianst@gmail.com>
 2024-03-22 07:45:08 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
 2024-03-15 11:06:43 -03:00
Pedro Igor
fa8485e10e
User locale in server info has language and country switched around (#27680) 
Closes #17154

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-15 13:30:32 +00:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format (#27207) 
closes #25942

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
 2024-03-11 08:55:28 +01:00
Pedro Igor
d12711e858 Allow fetching roles when evaluating role licies 
Closes #20736

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-05 15:54:02 +01:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm 
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2024-02-28 16:17:51 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued 
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2024-02-22 12:56:44 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack 
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-02-22 09:34:51 +01:00
Francis Pouatcha
f7e60b4338
OID4VC: Keycloak native support of SD-JWT (#25829) 
Closes #25638


Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
 2024-02-19 17:56:18 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager 
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
 2024-02-13 19:26:19 +01:00
Takashi Norimatsu
b99f45ed3d Supporting EdDSA 
closes #15714

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>

Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
 2024-01-24 12:10:41 +01:00
MikeTangoEcho
c2b132171d Add X509 thumbprint to JWT when using private_key_jwt 
Closes keycloak#12946

Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>
 2024-01-12 16:01:01 +01:00
remi
b22efeec78 Add a toggle to use context attributes on the regex policy provider 
Signed-off-by: remi <remi.tuveri@gmail.com>
 2024-01-10 16:15:25 -03:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification 
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
 2024-01-03 14:59:05 -03:00
Daniel Fesenmeyer
baafb670f7 Bugfix for: Removing all group attributes no longer works with keycloak-admin-client (java) 
Closes #25677

Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
 2023-12-20 14:03:35 +01:00
rmartinc
d841971ff4 Updating the UP configuration needs to trigger an admin event 
Close #23896

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-12-18 19:24:30 +01:00
Yoshiyuki Tabata
b371deddb0 remove oauth2DeviceAuthorizationGrantEnabled from ClientRepresentation 
Closes #25649

Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
 2023-12-18 08:39:46 +01:00
mposolda
c81b533cf6 Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration 
closes #25416

Signed-off-by: mposolda <mposolda@gmail.com>
 2023-12-14 14:43:28 +01:00
Pedro Igor
fa79b686b6 Refactoring user profile interfaces and consolidating user representation for both admin and account context 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-12-13 08:27:55 +01:00
Pedro Igor
78ba7d4a38 Do not allow removing username and email from user profile configuration 
Closes #25147

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-12-11 08:30:28 +01:00
Pedro Igor
c7f63d5843 Add options to change behavior on how unmanaged attributes are managed 
Closes #24934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-11-30 06:58:21 -03:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider 
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-29 18:03:31 +01:00
Sebastian Schuster
1bbefca92e 24672 remove linebreaks from basicauth base64 encoding to comply to standard 
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
 2023-11-20 14:44:55 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared (#23600) 
* move account ui user profile to shared

* use ui-shared on admin same error handling

also introduce optional renderer for added component

* move scroll form to ui-shared

* merged with main

* fix lock file

* fixed merge error

* fixed merge errors

* fixed tests

* moved user profile types to admin client

* fixed more types

* pr comments

* fixed some types
 2023-11-14 08:04:55 -03:00
mposolda
7863c3e563 Moving UPConfig and related classes from keycloak-services 
closes #24535

Signed-off-by: mposolda <mposolda@gmail.com>
 2023-11-07 12:41:29 +01:00
rokkiter
e1735138cb
clean util * (#24174) 
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
 2023-11-01 17:14:11 +01:00
Alice
69497382d8
Group scalability upgrades (#22700) 
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2023-10-26 16:50:45 +02:00
ggraziano
84112f57b5 Verification of iss at refresh token request 
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.

Closes #22191
 2023-10-24 23:42:11 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias (#24070) 
closes #24072
 2023-10-18 08:33:06 +02:00
shigeyuki kabano
6112b25648 Enhancing Light Weight Token(#22148) 
Closes #21183
 2023-10-17 13:12:36 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156) 
Closes #23155
 2023-10-13 15:25:10 +02:00
Sophie Tauchert
9df1c781eb Fix generated OpenAPI spec 
Changes:
- update the smallrye openapi generator plugin to latest to correctly handle
  Stream<T> responses
- add annotations to RealmRepresentation.clientProfiles and .clientPolicies
 2023-10-10 11:41:46 +02:00
Martin Bartoš
21a23ace1d Mark required config properties for LDAP Mappers 
Closes #23685
 2023-10-09 08:46:57 +02:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537) 
Closes #23507, #23584, #23740, #23774

Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-10-06 10:15:39 -03:00
rmartinc
890600c33c Remove backward compatibility for ECDSA tokens 
Closes https://github.com/keycloak/keycloak/issues/23734
 2023-10-06 14:24:48 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview (#22641) 
Closes #17733
 2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console (#23025) 
Closes #17743
 2023-09-12 07:56:09 -04:00
rmartinc
8887be7887 Add a new identity provider for LinkedIn based on OIDC 
Closes https://github.com/keycloak/keycloak/issues/22383
 2023-09-06 16:13:31 +02:00
Pedro Igor
ea3225a6e1 Decoupling legacy and dynamic user profiles and exposing metadata from admin api 
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2023-08-29 08:14:47 -03:00
Arthur Chan
85cace1142 Fix NPE 
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
 2023-08-14 04:03:23 -07:00
Takashi Norimatsu
9d0960d405 Using DPoP token type in the access-token and as token_type in introspection response 
closes #21919
 2023-08-07 10:40:18 +02:00
Takashi Norimatsu
6498b5baf3 DPoP: OIDC client registration support 
closes #21918
 2023-07-26 13:00:35 +02:00
Takashi Norimatsu
0ddef5dda8
DPoP support 1st phase (#21202) 
closes #21200


Co-authored-by: Dmitry Telegin <dmitryt@backbase.com>
Co-authored-by: mposolda <mposolda@gmail.com>
 2023-07-24 16:44:24 +02:00
Takashi Norimatsu
2efd79f982 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification 
Closes #20584
 2023-07-24 09:11:30 +02:00
ali_dandach
ef19e08814
Fix String comparisona (#21752) 
Closes #21773
 2023-07-21 10:37:24 +02:00
todor
897965f604 KEYCLOAK-20343 Add message bundle to export/import 
Closes #20343
 2023-07-20 23:00:28 +02:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA (#21160) 
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.

Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.

* Update js/apps/admin-ui/public/locales/en/clients.json

Co-authored-by: Marek Posolda <mposolda@gmail.com>

* Updating boolean variable name based on suggestions by Marek.

* Adding integration test specifically for the JWT parameters for regression #20847.

---------

Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2023-07-10 13:28:55 +02:00
mposolda
dc3b037e3a Incorrect Signature algorithms presented by Client Authenticator 
closes #15853

Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-06-21 08:55:58 +02:00
Pedro Igor
17c3804402 Tests for user property mapper 
Closes #20534
 2023-05-29 14:21:03 +02:00
Yoshiyuki Tabata
bd37875a66 allow specifying format of "permission" parameter in the UMA grant token 
endpoint (#15947)
 2023-05-29 08:56:39 -03:00
Pedro Igor
409e1c3581 Policy Enforcer built-in support for Elytron and Jakarta 
Closes #19540
 2023-04-05 17:03:15 +02:00
alwibrm
9f15cf432b
Respecting key use of EC keys in JWKS 2023-04-03 19:06:25 -03:00
Yoann GUION
ba66fe84fa
iterate any attribute in multi-valued RDN to find the correct one (#14283) 
Closes #14280
 2023-03-23 11:51:01 +01:00
Pedro Igor
a30b6842a6 Decouple the policy enforcer from adapters and provide a separate library 
Closes keycloak#17353
 2023-03-17 11:40:51 +01:00
Jon Koops
972ebb9650
Use a valid SemVer format for the SNAPSHOT version (#17334) 
* Use a valid SemVer format for the SNAPSHOT version

* Update pom.xml

* Update pom.xml

---------

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
 2023-03-03 11:11:44 +01:00
rmartinc
c9fdaf572b
jwks endpoint for X/Y coordinates in EC keypair can return less bytes than expected (#14952) 
Closes #14933
 2023-02-23 16:22:23 +01:00
laskasn
dc8b759c3d Use encryption keys rather than sig for crypto in SAML 
Closes #13606

Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: hmlnarik <hmlnarik@redhat.com>
 2023-02-10 12:06:49 +01:00
mposolda
7f017f540e BCFIPS approved mode: Some tests failing due the short secret for client-secret-jwt client authentication 
Closes #16678
 2023-01-30 08:40:46 +01:00
mposolda
3e9c729f9e X.509 authentication fixes for FIPS 
Closes #14967
 2022-11-25 11:50:30 +01:00
stianst
1de9c201c6 Refactor Profile 
Closes #15206
 2022-11-07 07:28:11 -03:00
Marek Posolda
c0c0d3a6ba
Short passwords with PBKDF2 mode working (#14437) 
* Short passwords with PBKDF2 mode working
Closes #14314

* Add config option to Pbkdf2 provider to control max padding

* Update according to PR review - more testing for padding and for non-fips mode
 2022-11-06 14:49:50 +01:00
Marek Posolda
2ba5ca3c5f
Support for multiple keys with same kid, which differ just by algorithm in the JWKS (#15114) 
Closes #14794
 2022-11-03 09:32:45 +01:00
mposolda
55c514ad56 More flexibility in keystore related tests, Make keycloak to notify which keystore types it supports, Support for BCFKS 
Closes #14964
 2022-10-24 08:36:37 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron (#14415) 
Closes #12702
 2022-09-27 08:53:46 +02:00
mposolda
47340e9318 Initial GH actions unit tests for crypto modules 
Closes #14241
 2022-09-14 15:51:59 +02:00
Martin Bartoš
0fcf5d3936 Reuse of token in TOTP is possible 
Fixes #13607
 2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default (#14293) 
Closes #14292
 2022-09-09 13:47:51 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 (#14179) 
Closes #14179
 2022-09-07 10:09:30 +02:00
Marek Posolda
19daf2b375
Not possible to login in FIPS enabled RHEL 8.6. Support for parsing PEM private keys in BCFIPS module in both traditional and PKCS8 format (#14008) 
Closes #13994
 2022-08-30 22:33:12 +02:00
Lex Cao
6b1c64a1a9
Add rememberMe to a user session representation(#13408) (#13765) 
Closes #13408
 2022-08-23 15:28:52 +02:00
Marek Posolda
7e925bfbff
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup (#13406) 
Closes #13128
 2022-07-29 18:03:56 +02:00
Marek Posolda
4e4fc16617
Skip adding xmlsec security provider. Adding KeycloakFipsSecurityProvider to workaround 'Security.getInstance("SHA1PRNG")' (#12786) 
Closes #12425 #12853
 2022-07-26 16:40:36 +02:00
David Anderson
ee0c67c0c8
Remove BC dependancy from keycloak-core (#13235) 
Closes #12856
 2022-07-23 12:07:16 +02:00
Stian Thorgersen
a251d785db
Remove text based login flows (#13249) 
* Remove text based login flows

Closes #8752

* Add display param back in case it's used by some custom authenticators
 2022-07-22 15:15:25 +02:00
Douglas Palmer
adeef6c2a0 Partial import feature does not import Identity Provider mappers in Keycloak #12861 2022-07-21 18:04:15 +02:00
Lex Cao
f0988a62b8
Use base64 url decoded for client secret when authenticating with Basic Auth (#12486) 
Closes #11908
 2022-07-16 09:38:41 +02:00
kz-masa
d26cff270f
Delete unnecessary import statements (#12935) (#12936) 2022-07-12 19:37:15 -03:00
Marek Posolda
be1e31dc68
Introduce crypto/default module. Refactoring BouncyIntegration (#12692) 
Closes #12625
 2022-06-29 07:17:09 +02:00
Marek Posolda
3f5741e988
Possibility to switch between FIPS and non-FIPS during keycloak+quarkus seerver build (#12513) 
* Possibility to switch between FIPS and non-FIPS during keycloak+quarkus server build

Closes #12522
 2022-06-21 11:17:45 +02:00
Alexander Schwartz
850af55edc Ensure that only JDK 8 APIs are used where JDK 8 is still required. 
Closes #10842
 2022-06-20 14:44:33 -03:00
vramik
df41f233d5 Introduce unique index for enums stored by storages 
Closes #12277
 2022-06-15 09:12:10 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration (#12244) 
Closes #12243
 2022-06-07 09:02:00 +02:00
rmartinc
5332a7d435 Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2022-06-06 12:07:09 +02:00
Stian Thorgersen
e3f3e65ac5
Remove JDK7 support for adapters (#11607) 
Closes #11606
 2022-04-27 08:33:23 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature (#11117) 
Closes #9865

Co-authored-by: Michal Hajas <mhajas@redhat.com>

Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2022-04-20 14:25:16 +02:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted (#10519) 
Close #10517
 2022-04-12 14:01:14 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter (#11009) 
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
 2022-03-31 14:25:24 +02:00