Commit graph

4494 commits

Author SHA1 Message Date
Stefan Wiedemann
67d3e1e467
Issue Verifiable Credentials in the VCDM format #25943 (#27071)
closes #25943


Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet
24f105e8fc successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex
Closes #23528

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-03-18 08:19:13 -03:00
Alexander Schwartz
62d24216e3 Remove offline session preloading
Closes #27602

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-15 15:19:27 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Peter Keuter
e26a261e4e
Filter subgroups before paginating
Closes #27512

Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-03-15 10:57:57 +01:00
sebastien-helbert
e33bf39055
Review log message (#23962)
missing spaces added in log message
2024-03-14 13:44:22 +01:00
Alexander Schwartz
6de5325d1c Limit the received content when handling the content as a String
Closes #27293

Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 16:43:03 +01:00
Réda Housni Alaoui
1bf90321ad
"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578)
closes #27558 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-03-13 14:00:34 +01:00
rmartinc
43a5779f6e Do not challenge inside spnego authenticator is FORKED_FLOW
Closes #20637

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-12 14:23:03 +01:00
Pedro Igor
1e48cce3ae Make sure empty configuration resolves to the system default configuration
Closes #27611

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-11 09:01:38 -03:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format (#27207)
closes #25942

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-03-11 08:55:28 +01:00
Hynek Mlnarik
26468e11f2 Use correct path to account console
Fixes: #27709

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-03-08 14:31:32 +01:00
Ricardo Martin
299118c45a
Change oidcScopeMissing from WARN to DEBUG (#27439)
Closes #27391

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-08 10:50:21 +00:00
Erik Jan de Wit
7d104dbe9d
no result to parse on success (#27336)
* no result to parse on success

fixes: #27245
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* translate error message

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-03-08 09:56:23 +01:00
Pedro Igor
40385061f7 Make sure refresh token expiration is based on the current time when the token is issued
Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-07 15:23:19 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
graziang
54b40d31b6 Revoked token cache expiration fix
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-07 13:33:37 +01:00
Alexander Schwartz
595959398b
Instead of an InputStream that doesn't know about its encoding, use a String
Closes #20916

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-07 10:24:36 +00:00
rmartinc
dea15e25da Only add the nonce claim to the ID Token (mapper for backwards compatibility)
Closes #26893

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 09:56:57 +01:00
Theresa Henze
653d09f39a trigger REMOVE_TOTP event on removal of an OTP credential
Closes #15403

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-03-06 17:12:50 +01:00
graziang
39299eeb38 Encode role name parameter in the location header uri
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.

Closes #27514

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-06 15:59:26 +01:00
rmartinc
82af0b6af6 Initial client policies integration for SAML
Closes #26654

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-06 15:18:35 +01:00
graziang
4fa940a31e Device verification flow always requires consent
Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve

Closes #26100

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-05 14:14:19 +01:00
Tero Saarni
e06fcbe6ae Change supported criteria for Google Authenticator
List Google Authenticator as supported when
- hash algorithm is SHA256 or SHA512
- number of digits is 8
- OTP type is hotp

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-03-05 11:19:06 +01:00
Jon Koops
7afd75ba08
Use browser router for Account Console (#22192)
Closes #27442

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-04 12:38:28 +00:00
Steven Hawkins
be3e2fabc4
fix: remove the reliance on allowed classes (#27368)
closes: #25038

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-04 12:17:53 +00:00
Lucy Linder
aa6771205a Update ReCAPTCHA and add support for ReCAPTCHA Enterprise
Closes #16138

Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
2024-03-04 20:28:06 +09:00
vramik
032bb8e9cc Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive method
Closes #27438

Signed-off-by: vramik <vramik@redhat.com>
2024-03-02 04:40:46 +09:00
rmartinc
f970803738 Check email and username for duplicated if isLoginWithEmailAllowed
Closes #27297

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-02 00:14:27 +09:00
Andy
137907f5ef Roles admin REST API: Don't expand composite roles
Additionally:
- Import clean-up
- Added requireMapComposite as in RoleResource.addComposites

Closes #26951

Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
2024-03-02 00:03:03 +09:00
Takashi Norimatsu
1792af6850 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor
closes #27412

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-03-01 14:49:23 +01:00
graziang
082f9ec15b Update client scopes in Client Update Request in DCR
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.

Closes #24361

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-03-01 12:32:45 +01:00
Albrecht Scheidig
cad34cbb04
Restore support for locales with extensions (#27285)
Closes #27284

Signed-off-by: Albrecht Scheidig <albrecht.scheidig@hype.de>
2024-02-29 17:16:44 +00:00
Marek Posolda
ae0a0ea30b
SecureRedirectUrisEnforcerExecutor fixes (#27369)
closes #27344

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-29 17:24:20 +01:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core (#27032)
* fix: partial removal of resteasy-core

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: fully removing resteasy-core

closes: #26315

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Pedro Igor
788d146bf2 Use the target client when processing scopes for internal exchanges
Closes #19183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-28 15:18:43 +01:00
graziang
16a854c91b Add option to clients to use lightweight access token
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes #27238

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-28 10:18:26 +01:00
Pedro Igor
0c91fceaad Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests
Closes #27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-27 20:37:27 +09:00
Dmitry Telegin
c18c4bbeb8 Remove setContext() + minor cleanup
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4 Fix UMA 2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202 Split OAuth2GrantType and OAuth2GrantTypeFactory 2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b Revert dynamic grant type resolution 2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a simplify OAuth2GrantType.Context creation 2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06 rebase 2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3 - rework grant type resolution to use supports() in addition to grant type
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
cc9c8fe78a Use EnvironmentDependentProviderFactory for DeviceGrantType 2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e OAuth 2.0 Grant Type SPI
Closes: #26250

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
rmartinc
562decde35 Perform internal introspect for the access token in the account app
Closes #27243

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-27 09:19:20 +01:00
kaustubh-rh
03f6cda85a
Prevent user from removing built-in client scopes (#27134)
Closes #26937

Signed-off-by: Kaustubh B <kbawanka@redhat.com>
2024-02-26 11:16:23 +01:00
Gilvan Filho
83af01c4c0 Add failedLoginNotBefore to AttackDetectionResource
Closes #17574

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-02-26 09:35:51 +01:00
graziang
cecce40aa5 Avoid regenerating the totpSecret on every reload of the OTP configuration page
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload

Closes #26052

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Takashi Norimatsu
1e12b15890 Supporting OAuth 2.1 for public clients
closes #25316

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 10:57:29 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Takashi Norimatsu
9ea679ff35 Supporting OAuth 2.1 for confidential clients
closes #25314

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-22 08:34:21 +01:00
Sebastian Schuster
5e34769ee0 27031 ReadOnlyAttributeUnchangedValidator logs validation errors on debug not warning
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2024-02-22 08:24:08 +09:00
Peter Keuter
01d66a662b
Expose display name and locales when user has ANY admin role (#27160)
* chore: expose display name and locales when user has view-realm

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: supportedlocales are available as stream

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: tests

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

* fix: remove unnecessarily added ignore

Signed-off-by: Peter Keuter <github@peterkeuter.nl>

---------

Signed-off-by: Peter Keuter <github@peterkeuter.nl>
2024-02-21 13:30:31 -05:00
graziang
d13dc57a29 Removing duplicate claims in action tokens
Using variables instead of otherClaims map for claims in action tokens to avoid duplicate claims in the jwt payload

Closes #24980

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-21 11:30:49 +01:00
Takashi Norimatsu
1bdbaa2ca5 Client policies: executor for validate and match a redirect URI
closes #25637

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-20 08:37:33 +01:00
Stefan Wiedemann
aa6b102e3d
Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 (#27030)
closes #26936

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-02-19 17:41:40 +01:00
Pedro Hos
6b3fa8b7a7
Invalid redirect uri when identity provider alias has spaces (#22840)
closes #22836


Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-02-19 14:40:42 +01:00
Takashi Norimatsu
2f35d0e346 Add EdDSA/Ed25519 to WebAuthn Signature algorithms
closes #15000

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-02-19 14:08:04 +01:00
graziang
1f57fc141c UPDATED_PASSWORD required-action triggered only when login using password
`UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`.
Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method.

Closes #17155

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-16 18:16:36 +01:00
Marek Posolda
c94f9f5716
Remove random redirect after password reset (#27076)
closes #20867

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2024-02-16 18:13:27 +01:00
mposolda
eff6c3af78 During password reset, the baseURL is not shown on the info page after browser restart
closes #21127

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-15 18:48:53 +01:00
Michal Hajas
e55ba5dcdc Make sure pagination is used even when first is null for getGroups endpoint
Closes #25731

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-15 19:46:04 +09:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
Steven Hawkins
df38081fe8
fix: add an info message, and converts info to debug on non-pem files (#26939)
* fix: add an info message, and converts info to debug on non-pem files

closes: #26929

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update services/src/main/java/org/keycloak/truststore/TruststoreBuilder.java

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
2024-02-14 19:55:53 +01:00
rmartinc
bc82929e3a Cors modifications for UserInfo endpoint
Closes #26782

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-14 18:24:06 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
2024-02-13 19:26:19 +01:00
rmartinc
bb12f3fb82 Do not require non-builtin attributes for service accounts
Closes #26716

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-13 17:42:59 +01:00
Steven Hawkins
6bbf8358b4
task: addressing build warnings (#26877)
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 17:04:43 +01:00
Steven Hawkins
3a04acab51
fix: adds pfx as a recognized extension (#26876)
closes #24661

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 15:38:12 +01:00
Pedro Igor
e50642ac32 Allow setting a default user profile configuration
Closes #26489

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-12 11:16:48 +01:00
Réda Housni Alaoui
67718c653a UPDATE_EMAIL action token handling should allow the user to resume its navigation to the redirect uri
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-02-08 18:32:38 -03:00
Michal Hajas
de598577b1 Fix confusing SAML NameId mapper format tooltip
Closes #26051
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2024-02-08 11:21:11 +01:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector (#26630)
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-07 14:13:33 +00:00
Kamontat Chantrachirathumrong
516bfbe896
Support custom common path (#22717)
Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>
2024-02-06 20:41:39 -05:00
Dmitry Telegin
da69beed4d CORS SPI - code review
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
Dmitry Telegin
b0403e2268 CORS SPI
Closes #25446

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
mposolda
f468885fdd Empty error message when validation issue due the PersonNameProhibitedValidator validation
closes #26750

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-06 12:56:50 -03:00
Stian Thorgersen
c4b1fd092a
Use code from RestEasy to create and set cookies (#26558)
Closes #26557

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:14:04 +01:00
rmartinc
720c5c6576 PKCE should return error if code_verifier sent but no code_challenge in the authorization request
Closes #26430

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-06 08:31:56 -03:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces (#26708)
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7 Improve ScheduledTask task-name handling
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.

Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.

Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
ShefeeqPM
65c7cd6008
removing duplicate open id scope (#26542)
Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 09:08:18 +00:00
alcalin
59b2dd69e3
Update AuthenticationManager.java (#26586)
Fix typo in log message for unlogged clients

Signed-off-by: alcalin <alexcalin02@gmail.com>
2024-02-01 13:56:26 +00:00
Pedro Igor
3a7ce54266 Allow formating numbers when rendering attributes
Closes keycloak#26320

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-01 08:14:58 -03:00
Stian Thorgersen
64b5f42c4a
Revert new behaviour around setting secure flag for cookies (#26650)
Closes #26649

Signed-off-by: stianst <stianst@gmail.com>
2024-01-31 19:33:56 +01:00
Lex Cao
a43ba73b93 Skip link only when client is not system when logout (#24595)
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 17:50:26 +01:00
rmartinc
01be4032d8 Enable verify-profile required action by default
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-31 13:32:53 +01:00
Lex Cao
f83756b177 Error handle for the Json request in createErrorPage
Closes #13368

These changes introduce a new error handler for building error based on the media type.
- It should create error form response when it is valid HTML request
- It could create error response with JSON if content type matches

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 09:31:30 -03:00
mposolda
10ba70c972 Possibility to email being not required
closes #26552

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-01-31 10:57:10 +01:00
Thomas Darimont
346c2926f6
Fix error type in SAML response on missing destination
We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE.
Added proposed test case.

Closes #11178

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Chris Dolphy <cdolphy@redhat.com>
2024-01-31 09:32:14 +01:00
Stefan Wiedemann
fa948f37e0
Issue Verifiable Credentials in jwt_vc format #25941 (#26484)
closes #25941 

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-01-30 18:35:20 +01:00
mposolda
1213556eff Fixes for UsernameIDNHomographValidator
closes #26564

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-30 14:30:28 +01:00
Chris Tanaskoski
5373f3c97a
Don't fail reset credentials action upon first broker login without EXISTING_USER_INFO (#26324)
The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set.

This commit does not attempt to fetch the existing user if we don't have this info set.

Closes #26323

Signed-off-by: Chris Tanaskoski <chris@devristo.com>
2024-01-30 11:16:52 +00:00
Stian Thorgersen
0fb6bdfcac
Cookie Provider - move remaining cookies (#26531)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-29 11:06:37 +01:00
Stian Thorgersen
bc3c27909e
Cookie Provider (#26499)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-26 10:45:00 +01:00